socelars | 90968c420d22839334359a55ca9e4baa297f4be867a87caec12ab61e9aa2771b

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/01/2025, 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Size

1.4MB
MD5

12abdbd546e5d46df428cb5543c0b76c
SHA1

934bcb29a7538ff907cae3423421d0fe60df2db1
SHA256

90968c420d22839334359a55ca9e4baa297f4be867a87caec12ab61e9aa2771b
SHA512

d85925b881898904df2ae499a22eaa900c9137e0a777d8ea3bb9ecc8ac4ac5f9b5aa4d19e08e24de0e99986c560035d5839c31e82a43f21144277457974af0ad
SSDEEP

24576:pQAgpBGV2HpWHuREjDnI2AuADZ8KvqC7dH2dtDPc/oqKFcz5g:ngpG57R8cnDPcQqKKdg

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\aieoplapobidheellikiicjfpamacpfd\11.23.45_0\manifest.json	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
25	iplogger.org
26	iplogger.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4844	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133821319069625747"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4528	chrome.exe
4528	chrome.exe
4388	chrome.exe
4388	chrome.exe
4388	chrome.exe
4388	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeAssignPrimaryTokenPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeLockMemoryPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeIncreaseQuotaPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeMachineAccountPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeTcbPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSecurityPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeTakeOwnershipPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeLoadDriverPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemProfilePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemtimePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeProfSingleProcessPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeIncBasePriorityPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreatePagefilePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreatePermanentPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeBackupPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeRestorePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeShutdownPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeAuditPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSystemEnvironmentPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeChangeNotifyPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeRemoteShutdownPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeUndockPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeSyncAgentPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeEnableDelegationPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeManageVolumePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeImpersonatePrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeCreateGlobalPrivilege	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 31	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 32	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 33	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 34	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: 35	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
Token: SeDebugPrivilege	4844	taskkill.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 752	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	82
PID 4008 wrote to memory of 752	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	82
PID 4008 wrote to memory of 752	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	82
PID 752 wrote to memory of 4844	752	cmd.exe	84
PID 752 wrote to memory of 4844	752	cmd.exe	84
PID 752 wrote to memory of 4844	752	cmd.exe	84
PID 4008 wrote to memory of 4528	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	86
PID 4008 wrote to memory of 4528	4008	2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe	86
PID 4528 wrote to memory of 4908	4528	chrome.exe	87
PID 4528 wrote to memory of 4908	4528	chrome.exe	87
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 624	4528	chrome.exe	88
PID 4528 wrote to memory of 2580	4528	chrome.exe	89
PID 4528 wrote to memory of 2580	4528	chrome.exe	89
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90
PID 4528 wrote to memory of 1924	4528	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-23_12abdbd546e5d46df428cb5543c0b76c_avoslocker_luca-stealer.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:752
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa39d7cc40,0x7ffa39d7cc4c,0x7ffa39d7cc58
    3⤵
    PID:4908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1876,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1872 /prefetch:2
    3⤵
    PID:624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2012,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    PID:2580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
    3⤵
    PID:2120
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3144,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3816,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3800 /prefetch:1
    3⤵
    PID:3868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4700,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:2252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
    3⤵
    PID:3132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    PID:3700
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5104,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:3932
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:8
    3⤵
    PID:916
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:4856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4936,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:2
    3⤵
    PID:4176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5180,i,16270522011423240886,16874708183568036865,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4388

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
e829ec5b5f767d37a32c6ae0ef8a1b59

SHA1
4d2624c37237b0debca28309f14d592b65e9c7f8

SHA256
db236d7314180d6f4336fbd43352c2b1fc9eecf80940366f79af76a812ea2247

SHA512
40870227727a9702edf29ea527ff25bb903ddf939ac6437e3411dbcef976d12aff8e1a9d4ea31644ff1bbb407e97e83195be96acb4b724a51e38bad01689836f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
eb1be630153520e58ee513cc137ab94a

SHA1
30c64c3546291d1f8e75df5d5ef41ca3df01aeeb

SHA256
f3ec3ec54ab3bb1a2f53834cf2741c1c058bab49f4c52f1362f42c2a3a609a67

SHA512
6f9b713030964e60e78ac932d23955c8defce10c12aedb98c1888c8e3cdd4426c724f19210308fdf9250f003e45c2dc4a5f79364dc82da391d6cded8d5057be1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9fbb2cf4eeca6b55bc66450cb0881d89

SHA1
2b2dc8db5a43e4a9b9812670725207d325306560

SHA256
559e15a59f376ea2ea2d92d069bbe8fe0ad4ac253566e1112c88c3bd444d152b

SHA512
dcdeeda18990913da49e58ac93b486b24d3a051763a84478f0c0529c11dbb605f82d17c350e7ca4004ee0952940fde994e906794a4cea70f9b8964fc131874b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6996bc2ec49feeae2998687118b39d2f

SHA1
302f2e0ca8911b88847e99373ff6006c9edfe502

SHA256
ffc9520068efcaa923f361244bcac6c7e6130b0a21b511225dc84ad29337ea73

SHA512
aa5b7e1b10cf70a3aae69884d4059b84639598797be844eb0450d3aa8b0678fcec1706a0b849e900fec3f947993cbf92f52d6fe7f0027c1e2fb4d306dba7d90d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09ca055174dd298d54e935ae63caad5c

SHA1
27a7ec8d1bcce50b8e64f4793a858ec0becfe994

SHA256
9765d8b316f1f1cb77c62ad16449c7e9623250f516165e358b2ca54e7c1cb74a

SHA512
ae4787f1cedbf74c5009a72732283a997916b51923cc1f3e1c38bcea6d150d19972b946f28ddacfb9927895e7e87c1a6fc853ba987c52889312c5086e1636f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
93489c8a3334fd1db58fca7fe7a9843b

SHA1
ed2c9d900d583c0e0c531a74360a8352d0db028b

SHA256
57a5fa715e026e84d3b7ff9bfe4e170cf5ce0964f04cd1ab6d52396fc81f6e7f

SHA512
6a1ebac3f134e8f1fb9f1fa079c5170e8ed048ee9907e3b9fc13ff7e720e07837f6984c8c808b36dedb7f85ea94cd08143855960f265df1d57677f416c577d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a0a8494c9c2851d76a1a88dc10907dbc

SHA1
5f3f8fcc89de9c9b464722d44c0048d374f8786b

SHA256
72aca5a40c830b582be1bc50038ac918a9f67bfd8e896ce555a187eaec320fd5

SHA512
f64dcffeba1670a16ebf8ffe41293c93657bc05352cfc8d99707be54b9ac8b152aa81693abb4e662650da70ad9757fd02af01992c2d27c2bc239aa0d8995861e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e7e5bbcae0549c59c8eab9f2d8d49f1

SHA1
8516167aa2414797172eb750e230f579de02cc08

SHA256
dd9a3828850ca543e9194ad8cde664f5089f10715cb22f48f8b98710c0a7258a

SHA512
f13599af0fd2d97c83f5fd738f37b367cd2bd615421717038a4f1d83ef2ff1e73a4f8b8aaa724554ef168c328383b1e5fc2ab1a6d260adcfb4f9d283832a5979

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
2b0a3dfb9f19fdd74fb3454f21d01de7

SHA1
19e80dbc5e8f93cd64804605c391c09476350220

SHA256
a7220daf0337a10b0e7ac0bcd8fe5ac5a647d4c10631df67aebd1d9ada6dd1c8

SHA512
0e3fb0435d7d454649bf41348b91265d680f14cefd1109058af04c2b51fe9df6591c76a903db2209fcd9774ce0c91857e12f4b591c1b3d1cb6ec5ff069fc8a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
17KB

MD5
1f1b608c9161184e9efb255191e8cc7f

SHA1
46cf259318f3ef2a8b79c6eeca9ca3f50a10153a

SHA256
5def0d53a4557757b89b1b9d9932b62e546a7274a73e82c79262c8353fd2cdd0

SHA512
675689efcaa28c08173b637282c091370ca27866b64946d16e8f976703716211ed6b84bcbc787b185ea8da4c576d66762de75632e6a23ff3e2c986b4abe91e24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c20114058544ce4ea568e4b15283ecaf

SHA1
d6f8255dbe22452505f60d5b34f5a32cc7e8defd

SHA256
4f8f8ec4e6f52aee803cab4ba3341eda9c327c8750868bd996c4285ac8403c09

SHA512
b6c80433e8790c3765c9e908d2868512cbe04b9a799a07e5a65d210acc1feccafe93dc69280a435cf39d8434f34d454c1906df86df0b71b5ce1774e7264ba64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
36ce1462950b1a942d71a397fd4582d8

SHA1
bef5e5742671a78806bdd6e8c03d4af8770dcfed

SHA256
12ffc8e7655657be4479fef9d3856db5f01ca8299e02037b5ed3a098caff7204

SHA512
621fc8d396f267431a4216c81605fe520706991e5cb9fd612de5a84a3364b569dc388b5fb45fcd7bd9cb6d85cceb0769c1eba0266eecbf03dc0e4af129dd3a64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
19b86ef494033781a97821ab7709a9be

SHA1
623a30a3473a69e94efcb941d95b0543ccf56909

SHA256
089277e7d8f2bb72b18dd83cba0584d0d9da7e1cc76e36c3fda00fdabf05a136

SHA512
9a2950c7429704a2c3f3386d45faf4a58353e7cc8ab774c1290f6ed2046ded919664be03b8eec8740eaa0849246ee5d5ca527f9d810b13e264121f05e6bb6604

Download Submit
C:\Users\Admin\AppData\Local\Temp\73bb6244-06c1-473b-91d0-7fc60a2b99d5.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4528_2092201815\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit