socelars | 152f1e7aeed37a32e3d2153a7c05fe4dacb44a2dcfdf63ed31f91b28d36fcf21

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AXmudvi_MxQYK2Swucq9CluH.exe
Size

1.4MB
MD5

ecad37c9dbd960cae35da8c5ba2cba3b
SHA1

5aff572af1769d19692a9e25fdd5f180a4743fb7
SHA256

c136ce5780472330b6210c23508ffdacf4a6bd87931267a7e37b5fb940963227
SHA512

f2645dc3a0ca7f87df8258e65b25583686107735ff451e9ca2e44870391a26f1c985af2a16c895daa77e02a77d444e4f61c4f96d5fc6323e734609bb5715d033
SSDEEP

24576:KEpfLmZkUtN/Wy+jtYkQkbF7vZjHYdG/9QDkMhJgXgalJAiQ/X:7pylrKY2m4+7/gXgalJZwX

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\jfhgpjbcoignfibliobpclhpfnadhofn\10.59.13_0\manifest.json	AXmudvi_MxQYK2Swucq9CluH.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
8	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AXmudvi_MxQYK2Swucq9CluH.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3576	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133800009104187769"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe
4720	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeAssignPrimaryTokenPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeLockMemoryPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeIncreaseQuotaPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeMachineAccountPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeTcbPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSecurityPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeTakeOwnershipPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeLoadDriverPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemProfilePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemtimePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeProfSingleProcessPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeIncBasePriorityPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreatePagefilePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreatePermanentPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeBackupPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeRestorePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeShutdownPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeDebugPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeAuditPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSystemEnvironmentPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeChangeNotifyPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeRemoteShutdownPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeUndockPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeSyncAgentPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeEnableDelegationPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeManageVolumePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeImpersonatePrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeCreateGlobalPrivilege	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 31	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 32	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 33	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 34	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: 35	2500	AXmudvi_MxQYK2Swucq9CluH.exe
Token: SeDebugPrivilege	3576	taskkill.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe
Token: SeCreatePagefilePrivilege	1656	chrome.exe
Token: SeShutdownPrivilege	1656	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe
1656	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 4988	2500	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 2500 wrote to memory of 4988	2500	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 2500 wrote to memory of 4988	2500	AXmudvi_MxQYK2Swucq9CluH.exe	83
PID 4988 wrote to memory of 3576	4988	cmd.exe	85
PID 4988 wrote to memory of 3576	4988	cmd.exe	85
PID 4988 wrote to memory of 3576	4988	cmd.exe	85
PID 2500 wrote to memory of 1656	2500	AXmudvi_MxQYK2Swucq9CluH.exe	88
PID 2500 wrote to memory of 1656	2500	AXmudvi_MxQYK2Swucq9CluH.exe	88
PID 1656 wrote to memory of 3376	1656	chrome.exe	89
PID 1656 wrote to memory of 3376	1656	chrome.exe	89
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 2188	1656	chrome.exe	90
PID 1656 wrote to memory of 4076	1656	chrome.exe	91
PID 1656 wrote to memory of 4076	1656	chrome.exe	91
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92
PID 1656 wrote to memory of 1884	1656	chrome.exe	92

C:\Users\Admin\AppData\Local\Temp\AXmudvi_MxQYK2Swucq9CluH.exe
"C:\Users\Admin\AppData\Local\Temp\AXmudvi_MxQYK2Swucq9CluH.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4988
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8b7f3cc40,0x7ff8b7f3cc4c,0x7ff8b7f3cc58
    3⤵
    PID:3376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2120,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:2188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1648 /prefetch:3
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2464 /prefetch:8
    3⤵
    PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
    3⤵
    PID:2404
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:3412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3836,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3820 /prefetch:1
    3⤵
    PID:1588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:3432
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4824,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
    3⤵
    PID:1780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5004,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4804 /prefetch:8
    3⤵
    PID:3988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    PID:4732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
    3⤵
    PID:2984
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:1524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5096,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:2
    3⤵
    PID:4760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5012,i,7162782941164981806,13430982720048727691,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a782d65f89d84915f5868e89c7fd5ef0

SHA1
f73015bdcb2067a7da6ed9353c687582b8dc38cc

SHA256
f8ac5c712d478c03bab04fc0b3057f6b92a14a0246b2e8d515197d76ce857e39

SHA512
3a720311f46259821acfdc8e23662f492949e18cabb327fe7558f31238596ebcd734e3bfd5361b472d5f650e726f4f53fe75979947a616b2209ae54bdeefdfbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
61043e3ccc6d16fa100628ea96ceb8a6

SHA1
036a4289aefc42bbd2f78891d783e3f143edd31d

SHA256
0799c50e3599a1a36ab12143b4b5cdb7e561a6c1c8977115540c36d1d29dd5d1

SHA512
27c74e38dd42d527606fbc55736792a156a8282816db96d8f6e0c5c8c909557fe014adf354963676a89d593258f1400fb2d66db65b2f6b17cc3e8042249059ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8062e1a0374547344aba59c2cfff4d4c

SHA1
b0221ca6d9ac0785ce96bd4b8066478b021155c2

SHA256
04fdd183227f243236b36b5bb58b95dd19c72ef63b1838cd06979691d2dc484a

SHA512
9f06b564870305a77113dcdf90638baada1b3798928aa3b778e2d3b8dd502777ddb947145f96c7bb27a88736f43cedfb05b9324b4e656dd92fa34ebbe0e8e4b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4c47e8951b9406805706ef17c57a088a

SHA1
aaaba50644f1c190feec7ae375f7f86fa9996b5a

SHA256
2e08bb4ade10b28286967069d7d5dd26f2e397b33c695e2a8af68012d29443f0

SHA512
c8ee1ecd5502d8a1f16329569bff91cb6775e620ef3a226aa9d9bbb360610f57cf689be96ebbc76ac9a3f95d60d028806e36177edc3aa3cd206ed625c078cd00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ea7b806f370ee867c0b79b1f21b9e0c

SHA1
42401e4a7e498b1d13b8c01148ce49d837c2d689

SHA256
f3d08379eed764cb1a2f235023347db413be9dfd146e20d9765792e42211ff3e

SHA512
93869cc4bf75d3a4876c6e3986d84ded567e934a43c59fbfebbca8b447e32d2b028750d305d8777e96e4911a9cca61ba52ffdcd1e51d8a858c31a8c51e0c2170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bf2649cf41f2caf95693606aef8a28ee

SHA1
05d259e413e3f6535f502f772566040b7bbe7598

SHA256
160601b739d7f291c1f4de524342edebfbb2de4558cd616d7a6145c708b73ca6

SHA512
8301afd5a08812881446921a9814078aa5b98d2b9354fb3b8ada760b74a14c870d0f700be69e1d98993f183ca27faefdca241b34d99855e1905d6761c72dae28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e3e87282e5250c48a338726c5e348c0

SHA1
9832ade4e056c6868d7af30297f0888e17226d3e

SHA256
2f797e4af104847f92ea07371456ace3663c4df313dce676025a774a2d0d646b

SHA512
0a7470b60dfa152d73317d7f10237d9d96d0dc9662305693e5a27e667275ee620357ae1e144702be414f7ea401ad1c9a586d31847885fbf9875ea3ce65461434

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
889ea662a56b6362c170dd10dc6660e7

SHA1
1300ed8d7c7e541581870712b7beddb43e7f0cde

SHA256
adc2a19e420d07ee5e338d09fb918562f817c614589b7e25fe5de7009601cb39

SHA512
780415fa8ce2965f4289cceeab6700b4e131771a4b09ec086d5fc6258d2b2141f217caf438a277fa7212de9f784d229c48b0f35128d96411e9df104e7a109192

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
c4f4f10527515e350475234d38267351

SHA1
841f108a99e81d0055a2b87e01fffc5f21bf1b2e

SHA256
3c4e778a71453a50ccb43e8410953042685d2eedcf94c22f651b75e9d540819c

SHA512
d2532b4cc7f957837576a1cf47d4e6be1d1326ad8816e30bf2a4c1f57629eef22f8d80db4a08278e167bb6d89b8a2bdf1c765dbd55506e1a9f95a6ab6e5c0288

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
53afd7ea721ba15ce5b3715400594bb9

SHA1
3ec9089c911e311f58fefe8d386954d2374a4834

SHA256
e3a273c786a472a8b4c0c837f117d999c3d6d8e9e6da4bd7c0c9445ca1abc0c1

SHA512
96492c8ba87a4885704e791eecc1628cf703faef8de3152957132568133b1d180c7bd810cc47d17088416f6fd6aa0c50d5a0863dabc5deae1f03c044432282a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a9da6d439371b4253c8e9f830785c581

SHA1
94ce2a01dd23c3c0a714e240a6d698d9694f9c2a

SHA256
c638d08a3b7e66d1cde2698cd683b7064500f7485b9e953f213fa1bc1890ed35

SHA512
47be58aef4fce9855bd0ca23a80fadd6424c47a63c25a463f5c24e8fc2607ed185545cdabe7d24d27cf00ebecce2c1c492741152240384ffb398f33dad81d43b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
44808fee2106573b4aba76c1ad27804b

SHA1
c28d12628b8e3cc2091f2b02ce26be985e99413e

SHA256
2a6748815fb8e8907ead7b58d2e73b187b0cc2dc7ae3034ebff631ad140c4957

SHA512
f96e71cc137c3833797446f771befb736ec7f6406bccd68cc2cbf3205d7b4e6adc5e03565dcceac707fdf706ffa8f746a17c40d377332b20b56b88b1b3d171dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
b0a6c8ef883f64543d36482def07df73

SHA1
0d5fe0779a96739f6953ed61812a8b2372c87e3d

SHA256
6d53b6426ece0092a0560d1695ca2811f41824468949c658c00f468989b65257

SHA512
9f7e2bdbafa51ae088362e5faa411697abf8d1239de4ffa595888d4e00dada2f90e5ff69e6a1d5c48dae5451f8e47184e40c9f683614f332ceb016833173a163

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1656_1596451209\08f85516-2717-4ace-89ed-cd5f2f5041e0.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1656_1596451209\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit