socelars | 47276bf684ba8a597ad9ce609323de8ad45e79e7367d7847553b9b359bf5bd29

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Size

1.4MB
MD5

9da6fd3b6129076a2a7ffaa481ca5cf9
SHA1

379bb58bee6bafad8169c47223e946e4bb9cfa0c
SHA256

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a
SHA512

18a00a964f7b4e925eb97cd2235ec14cb88f8450a718237fd602bf7c23a5f29ddfa70b285503191fbd5af88a0c15bf37b98fde5b3aef29d75c413548f7e7875a
SSDEEP

24576:+xpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4vZ1fMKeC0:Opy+VDi8rgHfX4vZ9MKeZ

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
5	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
5736	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874130932599257"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
5844	chrome.exe
5844	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeAssignPrimaryTokenPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeLockMemoryPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeIncreaseQuotaPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeMachineAccountPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeTcbPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSecurityPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeTakeOwnershipPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeLoadDriverPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemProfilePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemtimePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeProfSingleProcessPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeIncBasePriorityPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreatePagefilePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreatePermanentPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeBackupPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeRestorePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeShutdownPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeDebugPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeAuditPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemEnvironmentPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeChangeNotifyPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeRemoteShutdownPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeUndockPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSyncAgentPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeEnableDelegationPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeManageVolumePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeImpersonatePrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreateGlobalPrivilege	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 31	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 32	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 33	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 34	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 35	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeDebugPrivilege	5736	taskkill.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe
Token: SeCreatePagefilePrivilege	3908	chrome.exe
Token: SeShutdownPrivilege	3908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe
3908	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 5204	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	89
PID 2980 wrote to memory of 5204	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	89
PID 2980 wrote to memory of 5204	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	89
PID 5204 wrote to memory of 5736	5204	cmd.exe	91
PID 5204 wrote to memory of 5736	5204	cmd.exe	91
PID 5204 wrote to memory of 5736	5204	cmd.exe	91
PID 2980 wrote to memory of 3908	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	96
PID 2980 wrote to memory of 3908	2980	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	96
PID 3908 wrote to memory of 5500	3908	chrome.exe	97
PID 3908 wrote to memory of 5500	3908	chrome.exe	97
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 6076	3908	chrome.exe	99
PID 3908 wrote to memory of 4160	3908	chrome.exe	100
PID 3908 wrote to memory of 4160	3908	chrome.exe	100
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101
PID 3908 wrote to memory of 3392	3908	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
"C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5204
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffba459dcf8,0x7ffba459dd04,0x7ffba459dd10
    3⤵
    PID:5500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1948,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:6076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2212,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2392,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2276 /prefetch:8
    3⤵
    PID:3392
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3184,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:5088
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3212 /prefetch:1
    3⤵
    PID:2412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4452 /prefetch:2
    3⤵
    PID:5944
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4680,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:5732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5184,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5288 /prefetch:8
    3⤵
    PID:6028
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5500,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:4368
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=224,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5748 /prefetch:8
    3⤵
    PID:2832
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5900,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5868 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5576 /prefetch:8
    3⤵
    PID:4708
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5668,i,17321973466555523309,718114364662125379,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5860 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5844

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
be297fb14af9c8076c231108a9c6ee27

SHA1
ef9e634262a0b53d640cc258ab057f15f3c9dc8d

SHA256
2d75d60d9bb17a468c1581b058e885e9ac8e0d3e0a6e8e308d7b8bcd556be2fb

SHA512
3a3e4bf6c4c28b38f07e6b78b45832ef3af64c91a3d7e75008fdcc30426288105a69f7dca0e37a7e971f626aaaf6ad93a23ffaf2c94e04568e21ee442e5a4e26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
d2317432aa2447663893fe99cb166f87

SHA1
ddc7cd1da657e6d91605ee220bb2d99e5f42255a

SHA256
9942e9048c5bb329a60f03dd1283235ee64745adef392e4171ed33a8d1661b80

SHA512
569ed4aa48115e1366168c28a9d6d35e774c77cd20ad22989abc3211b761ce7d7fbfeec41e2665f1c47a6ebd90a818e52ba480207ba78021c030de29e41f22a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
88638d5a00d02ed3aa966099384feed6

SHA1
231d2e5c05451fe78511ecc81d717e851196f6a1

SHA256
620b4dad0389042683d70c9a61f3f91c751c7779406da8ec487a730a4921de70

SHA512
ba95746cf86a9c9793005ffbc14f1f8f04f1ee6c37fe1b6ceb87ac7ccbc3cf442930cfaf9ce9a4c26ec7310f0467b956f5803734b6e454cd054fa99faa99028e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
3367d1f593bc308f1aeab03601f23df8

SHA1
4b2204b25466d2f3b3e6b23c47f2d709f0959faf

SHA256
220494c9ec62555956349dd5772555cae4d49bcf10617370eda6f213b9bb492a

SHA512
4d448977164f74c498907f4c7ec89bfee3c897090307bf55b90cdb43f7de0af487c5d1bdd9b74dbd81beabba6033cc2d77f5b4eb853537906063a071a8faa78e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
ee204b140ac4979d7f94b6148269f6d9

SHA1
c649a51565fe119db0ff1824c7a1991a29ec86bd

SHA256
63a75ca7064ee52971d127341d7c0e8725cbbfdbc782214f6c7619a3c8db4b66

SHA512
b315b4633f627905a05824e333317e64266dd18060ea1acbab19e2590bda8a8cb97931990a4d7b2b9582c99e81c9d488c333b6b1e9cff77f49c802d165a6267c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6f41847fe147e0b0289075c7f3813f6e

SHA1
d34b68aec1ae2149a1739871b2da65001bfe7890

SHA256
3769ac60bc737ae067e171cdb882cbf00e7f75cf046e3ab8038d70053a3a8cfe

SHA512
d3cd2a011830b9781af98046d57c7ef8a04fd2c1247ae0dd7e6905146131780fb3a7b5e3327b648bd09bda44dce3803eda36133c313346261cbf7864c91d0cd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582a95.TMP

Filesize
48B

MD5
51fa2f6fb8017c9161eb3924aadfeeaa

SHA1
43a9bd9342b8248d98677ea117500c485fcced26

SHA256
0b3904c91d08f6eb9fb82894c6a0364fa61bdf68ba0553768ed7689146a6a3f0

SHA512
4e8e83f3ff08664fa368b6d3143cfeaa45557c4e20f7acd498c667b6df7a92bb871c36651317549d1c5b6881099eeddfc863ded42c4412266bd2f93f122a1b65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
d686074666d7aa0f1ddbf2b953ffeba5

SHA1
491abf71cb4a7515b42de1c10c5813f586fb675d

SHA256
d4ba712193cf2b132fe745938f9570edc2e87013ee7023639cf77252a2efe5bd

SHA512
df23cad8e538c6fc91c284c68c61b532c36ba249200ccc8465a57b40772161758e97e0cb69e748b9d33d027496c3142e33497f6db1e0eb4df13bb016f9a29c0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
893ecd5a9075c038675afc16916db814

SHA1
52747569444035e9291a681e993240fda0f6d309

SHA256
ba50c83075f906b68371306089b3d7e314c0dfee9bf509e99786d27f5cb3c654

SHA512
be5557108da8eb18f2a80ae0546d68831fcef31d0f6974ee4c9ee3e1aa0cc710f6d15cac06af4e8e875cfbd740e18d8365905cf1912b295aecfcfb3378e214a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
00847cfeacfccb19e4d53c11bd888007

SHA1
5ba700e34a8a89b37b6d0d3fc7940b97ded43a28

SHA256
c18f7c6704b282e3758d87da272ee37308007de44e5078ac07fc2df0d4b0306b

SHA512
16788c00dcf8c5be913ee196cefcad4fa211decd8d58b3b761892fe9ed353226c94cb8ffedf53a19b415258dbe53e681076b2c49fe6df33d740569a4b44cb812

Download Submit