socelars | 90968c420d22839334359a55ca9e4baa297f4be867a87caec12ab61e9aa2771b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Size

1.4MB
MD5

12abdbd546e5d46df428cb5543c0b76c
SHA1

934bcb29a7538ff907cae3423421d0fe60df2db1
SHA256

90968c420d22839334359a55ca9e4baa297f4be867a87caec12ab61e9aa2771b
SHA512

d85925b881898904df2ae499a22eaa900c9137e0a777d8ea3bb9ecc8ac4ac5f9b5aa4d19e08e24de0e99986c560035d5839c31e82a43f21144277457974af0ad
SSDEEP

24576:pQAgpBGV2HpWHuREjDnI2AuADZ8KvqC7dH2dtDPc/oqKFcz5g:ngpG57R8cnDPcQqKKdg

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
17	iplogger.org
18	iplogger.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2980	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821314236783576"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
1372	chrome.exe
1372	chrome.exe
1372	chrome.exe
1372	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeLockMemoryPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeMachineAccountPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeTcbPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSecurityPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeLoadDriverPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemProfilePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemtimePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreatePagefilePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreatePermanentPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeBackupPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeRestorePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeShutdownPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeAuditPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeChangeNotifyPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeUndockPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSyncAgentPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeEnableDelegationPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeManageVolumePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeImpersonatePrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreateGlobalPrivilege	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 31	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 32	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 33	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 34	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 35	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	2980	taskkill.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe
2796	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 3716	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	83
PID 3500 wrote to memory of 3716	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	83
PID 3500 wrote to memory of 3716	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	83
PID 3716 wrote to memory of 2980	3716	cmd.exe	85
PID 3716 wrote to memory of 2980	3716	cmd.exe	85
PID 3716 wrote to memory of 2980	3716	cmd.exe	85
PID 3500 wrote to memory of 2796	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	92
PID 3500 wrote to memory of 2796	3500	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	92
PID 2796 wrote to memory of 4624	2796	chrome.exe	93
PID 2796 wrote to memory of 4624	2796	chrome.exe	93
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3856	2796	chrome.exe	94
PID 2796 wrote to memory of 3728	2796	chrome.exe	95
PID 2796 wrote to memory of 3728	2796	chrome.exe	95
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96
PID 2796 wrote to memory of 2692	2796	chrome.exe	96

C:\Users\Admin\AppData\Local\Temp\2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd5bc2cc40,0x7ffd5bc2cc4c,0x7ffd5bc2cc58
    3⤵
    PID:4624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
    3⤵
    PID:3856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1800,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2032 /prefetch:3
    3⤵
    PID:3728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    PID:2692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:2856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3204 /prefetch:1
    3⤵
    PID:4180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4568,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3900 /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
    3⤵
    PID:3276
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
    3⤵
    PID:916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4788,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5056 /prefetch:8
    3⤵
    PID:5032
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
    3⤵
    PID:3764
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5152,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
    3⤵
    PID:3684
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5280,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5236 /prefetch:2
    3⤵
    PID:3088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5188,i,11081670037706365865,11350580843142535882,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5024 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1372

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8ce5ade77c1f4511414ba26869f7b3dd

SHA1
7215cc20b6f50dd614e93331011d5a208c5a119b

SHA256
d4378655c767ed396c7e06b279a6c37207cec2f74270e7a9591fce36f9e42caa

SHA512
e1cf7d6d91cf7f41aa36a7495e5beaaf6223d61fd895f81c7bbb4c4653b01f1a8096b2a5d051d7a014fb3c55130544c4ad77def2b76c62aea7570fbe1d4b83ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d2eca026dc426ea2f8ef96f17ece8b63

SHA1
918e81a859a5ec059c5dff967954afeadfd63128

SHA256
53ae34cb96cf5d68c642bb27a423e5b8a063a552cf03d814bdb1cf9485b362e6

SHA512
dd613a21e024fbca13978938c19ba20777b0791ea59fd78a8a57dd6b4425a6bad221a62b677a97b4d3af0e824f7c310d104d10085d09c47396a8382487eecfd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b7a81ce7e27c9016581772c2fb5ab272

SHA1
f44e31fea1ba03bcb70c8ec14a6f33919f07c594

SHA256
f63e93471d792ca3a8dacc4450977bace413da4acf84b884aa9e83ec75e340a8

SHA512
2fb227573d8e7c57494cdbaee5da6168fed56753a1d7f4831996d1452d853341405d0677d85ca174601948bbddeefcb3f73a95028ac03af111ceac7646803175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0aef55dc40750b6dcfbb5167cb146cf

SHA1
cbeaa5d80f72013afc61c235bdea6a434e74da56

SHA256
a0346cf0e09b1e6141208a53f1717a1666b0bcf626c72ef275e53293f8a80360

SHA512
4ddc2249f130ad9d601642cf8a72d620ea29465c621577a6dfd915880f82427fb4b9dea8c517365e9f148e5418d15bb365fb810f4a3cbb9d4379179a27d97b05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dfda8c99302bb1861f5a05a3965559b8

SHA1
250a6a53150e2ff97c2c8d4513c79c9ceba01473

SHA256
14f8e35c3ab65fdc49326421b360a518de52d476492ad99f63d034edf3f4743e

SHA512
d0008712c18de048f495a6264805d5272ef77f6ae633a9cbdb47f4e5a40f6ed31fd919b9f60d18f12bb0bdff5df1bed7f8b926c41c3067dd983cadccf7a2cf26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2aecdbc331755562cf4c697d99dafca0

SHA1
d5858df82aa95811c261dd4bfc7475a7dbcaa524

SHA256
ff10478005ad72dd0a77068281c6cf3f90649868f65443d643cfe81bb72ee9ec

SHA512
c8a01c24ed89ca75adf7379df351dffcab2cfcb053aaad4f3ed2470a5e7cef6abb9a88efe7bf73c64621ff4fe834ec38e6b7f5497c82b4f635f8e563419cc381

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e6b95c843589daf06cebcb6beffe5659

SHA1
321fac5aa3d8b1f5012e956b2eb561786a3ffc31

SHA256
f81e02a443bddad8c9a0018e8824fcaa6b7c4ea315279cac3b6d025bd1556b11

SHA512
2603e417c1ea3a8922fc47c6b087533b049eaa45eeb21076ad9c79b53bbced6bbf8f2d1a2fdbc8565f537b34171cb0309806797c2111185218e3bf668485e85a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19f278039ad11d42f5a0f3942f8e80b7

SHA1
3f41917f391faabbf7f2356be6ff2ae824195975

SHA256
f4e95f1bd46ebc91e42875c77bfecd30ae223f66c130f6bcf9b05c8d87c71c5c

SHA512
c46aba4202c2e869ed3b9c2787a963dc4fef01b9d0770d38274a8b4469e9ca62051a3c636d5f7c95fd75752559eba660a2290fd55e985b61dbcc7100b807a8a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c20394c602ce34b8c1c58597dc1904ad

SHA1
ca97371919b99c80d8c465f75d79bf119abae8e6

SHA256
5f58d7e476cdd23bbc778a353a5ec2086aee07bbfdc88a488ef1e0777ced04c9

SHA512
a346a207834e2c68ead8b747525e83adb44190656ecfd1b70fb1d9937d28d6ba46f486793c18719b33a187fc908d97500cd4ef018f16b2bb3fbaafd32c42c467

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
e5d075a1c4f5dfb7912041e1d4581fce

SHA1
90f73bd56a51976b32ba485b3019313b824d99df

SHA256
2e9624f10d73f8680c9674aa4c4e470c05e72f689e775785d0727a6859de3831

SHA512
121bdb908b759e92412f7c89c4d7ac499dbabee5e6d33f25e73918c984c99b9b2df8c3cd43f4ce144fb09ad16551b3fb6c79af3f0aac13521ba8bf91fec71dc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
8baadc031b2f847417d913c8a29ea397

SHA1
7633c1ab12dac6294540424b043fe26f3885e5ad

SHA256
ac4350b539b3588c8a0fd089c792cbb118d95ccfa43f05b1aa3281e1a0fa6fc3

SHA512
1c9c2b270dbf7bb4ffa15df4ddb85f6dac30346d2f56ef4a4c78468814b1ab422810eb0e79192435fcc2bef4d69d9333580bb585c73bfd66b01557da3e9cec29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
36763da7a4e6a496242a806eed7dd6b3

SHA1
215b3debd5b7e11254a8071718b607e30637b493

SHA256
c0dc09d541efcbba913283d64cf06ddff1a0b498e44a90055dd4f0d80eb8e031

SHA512
20bd90c9f5473307614b373cab6957558e4cc288220c399dd3ffc996a6634b4791108feaa381fd2d606425af21e2838d4dfd8a1f2439283e0bf6aaa89324b736

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
450a201f969e0c71fc0a27a7a8e1ac02

SHA1
a8d56f5dbfa943d7f2e66e293883f3ec6d57dc3e

SHA256
8cc5f9bd45d71b1b940f5b599ef15d5afd1ad4d16f32fc2f3701baa15cca3508

SHA512
f84636db0c11ab6ab0318b4cef809f8aa9b6ee3fab9e5f6db74c68128b6f20fd2e5041d12e721e53faf4e25197642e035ddf83f35975cef3cca39dc9e7407ea5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
2e99c0dea2b3c9f392ba86bc2fc9bed7

SHA1
8e36a401ca08f6c15177b1699e5bc592ac4dfa38

SHA256
64995135ff30eb07afa5dd65e1f12171ce3a5ad4714ed95bf42e93800d15daca

SHA512
9cbb1d7da79ffc0ccc72970582b8e3bb353dcf9fad8e72026ca344bc492e8131e47e585ef0826631a9ae31be7520bd2eefc35b9a59419e7119c7959e85092d04

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2796_1260660278\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2796_1260660278\d3423f59-7148-4f74-b6b0-d98a3f9b90bb.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit