Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-12-2024 01:02

Behavioral task: behavioral1
Sample: 2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe
Resource: win7-20240729-en

General
- Target: 2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe
- Size: 1.4MB
- MD5: 53f9ebac4ea17afdf3753774a1427795
- SHA1: c83b5fe68db8b583569085304c274357e530bfb1
- SHA256: cc5533a5c8e6305e52431676f148f292fe276ed951d39ade86c143c9e47a9682
- SHA512: 58af5d5d6a3e69d2a24701e579c48e75e24dcdc255427106cea8a01cc389f24228932be18d7b731e034f1c7563b4d721a8ff484686c293d04574ec2b7f4d59bd
- SSDEEP: 24576:uTpE4t7hXTv1Rpgt1E7y2NfXG7E3VQ+gvLJegPeR1nMFAwic:ApdF1w+lBq4gPeRdMmvc
Malware Config
Signatures
- Socelars family
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow 29: iplogger.org
  flow 28: iplogger.org
- Drops file in Program Files directory (10 IoCs), all by process 2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe:
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\background.html
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\content.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\jquery-3.3.1.min.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\pad-nopadding.js
  File opened for modification: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\icon.png
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\aes.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\background.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\js\mode-ecb.js
  File created: C:\Program Files\aieoplapobidheellikiicjfpamacpfd\manifest.json
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  pid 3012 WerFault.exe, pid_target 3800, procid_target 83
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by cmd.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by taskkill.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs), all by chrome.exe:
  Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
  Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
- Kills process with taskkill (1 IoCs)
  pid 2784 taskkill.exe
- Modifies data under HKEY_USERS (2 IoCs), both by chrome.exe:
  Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry
  Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133796485795862254"
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1380 chrome.exe (2 entries), pid 3540 chrome.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (5 IoCs)
  pid 1380 chrome.exe (5 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  pid 3800 2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe (34 entries): SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35
  pid 2784 taskkill.exe (1 entry): SeDebugPrivilege
  pid 1380 chrome.exe (29 entries): SeShutdownPrivilege and SeCreatePagefilePrivilege, alternating (15 SeShutdownPrivilege, 14 SeCreatePagefilePrivilege)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 1380 chrome.exe (26 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid 1380 chrome.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3800 (2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe) wrote to memory of 444, procid_target 84 (3 entries)
  PID 444 (cmd.exe) wrote to memory of 2784, procid_target 86 (3 entries)
  PID 3800 (2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe) wrote to memory of 1380, procid_target 92 (2 entries)
  PID 1380 (chrome.exe) wrote to memory of 4780, procid_target 93 (2 entries)
  PID 1380 (chrome.exe) wrote to memory of 1860, procid_target 94 (30 entries)
  PID 1380 (chrome.exe) wrote to memory of 5072, procid_target 95 (2 entries)
  PID 1380 (chrome.exe) wrote to memory of 3940, procid_target 96 (22 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe (PID 3800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-12-26_53f9ebac4ea17afdf3753774a1427795_avoslocker_luca-stealer.exe"
  Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 444)
    Command line: cmd.exe /c taskkill /f /im chrome.exe
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\taskkill.exe (PID 2784)
      Command line: taskkill /f /im chrome.exe
      Signatures: System Location Discovery: System Language Discovery; Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
  - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1380)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe"
    Signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4780)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb5bc3cc40,0x7ffb5bc3cc4c,0x7ffb5bc3cc58
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1860)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1640,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1688 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 5072)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1904,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:3
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3940)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2248 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1900)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3104,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2552)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3640)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1624,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3820 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 1840)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3972,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3632 /prefetch:1
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4100)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5024,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 216)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5052 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2728)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5216,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5228 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 424)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5356,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5348 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4892)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3068)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5092,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5332 /prefetch:8
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2360)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5560,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:2
    - C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3540)
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5436,i,15379492835237670841,10757021548949421769,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5508 /prefetch:8
      Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe (PID 3012)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 1992
    Signatures: Program crash
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe (PID 3896)
  Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- C:\Windows\SysWOW64\WerFault.exe (PID 5040)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3800 -ip 3800
- C:\Windows\system32\svchost.exe (PID 2764)
  Command line: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
Network
MITRE ATT&CK Enterprise v15
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads