socelars | 47276bf684ba8a597ad9ce609323de8ad45e79e7367d7847553b9b359bf5bd29

Analysis

max time kernel
149s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Size

1.4MB
MD5

9da6fd3b6129076a2a7ffaa481ca5cf9
SHA1

379bb58bee6bafad8169c47223e946e4bb9cfa0c
SHA256

9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a
SHA512

18a00a964f7b4e925eb97cd2235ec14cb88f8450a718237fd602bf7c23a5f29ddfa70b285503191fbd5af88a0c15bf37b98fde5b3aef29d75c413548f7e7875a
SSDEEP

24576:+xpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4vZ1fMKeC0:Opy+VDi8rgHfX4vZ9MKeZ

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	iplogger.org
5	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
4112	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133874133653122343"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
464	chrome.exe
464	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeAssignPrimaryTokenPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeLockMemoryPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeIncreaseQuotaPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeMachineAccountPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeTcbPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSecurityPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeTakeOwnershipPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeLoadDriverPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemProfilePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemtimePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeProfSingleProcessPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeIncBasePriorityPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreatePagefilePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreatePermanentPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeBackupPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeRestorePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeShutdownPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeDebugPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeAuditPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSystemEnvironmentPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeChangeNotifyPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeRemoteShutdownPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeUndockPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeSyncAgentPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeEnableDelegationPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeManageVolumePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeImpersonatePrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeCreateGlobalPrivilege	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 31	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 32	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 33	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 34	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: 35	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
Token: SeDebugPrivilege	4112	taskkill.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe
Token: SeCreatePagefilePrivilege	1204	chrome.exe
Token: SeShutdownPrivilege	1204	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe
1204	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5580 wrote to memory of 5076	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	88
PID 5580 wrote to memory of 5076	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	88
PID 5580 wrote to memory of 5076	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	88
PID 5076 wrote to memory of 4112	5076	cmd.exe	90
PID 5076 wrote to memory of 4112	5076	cmd.exe	90
PID 5076 wrote to memory of 4112	5076	cmd.exe	90
PID 5580 wrote to memory of 1204	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	95
PID 5580 wrote to memory of 1204	5580	9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe	95
PID 1204 wrote to memory of 5720	1204	chrome.exe	96
PID 1204 wrote to memory of 5720	1204	chrome.exe	96
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 5460	1204	chrome.exe	97
PID 1204 wrote to memory of 4008	1204	chrome.exe	98
PID 1204 wrote to memory of 4008	1204	chrome.exe	98
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99
PID 1204 wrote to memory of 5328	1204	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe
"C:\Users\Admin\AppData\Local\Temp\9797a37016362ce602e53046e32a596c186a489976d38a7e2e9113344415c71a.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5580
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff92026dcf8,0x7ff92026dd04,0x7ff92026dd10
    3⤵
    PID:5720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2000,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1992 /prefetch:2
    3⤵
    PID:5460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1572,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2276 /prefetch:3
    3⤵
    PID:4008
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2376,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2528 /prefetch:8
    3⤵
    PID:5328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3216,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:4936
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:4296
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4376,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4388 /prefetch:2
    3⤵
    PID:8
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4692,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4716 /prefetch:1
    3⤵
    PID:3064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5352 /prefetch:8
    3⤵
    PID:2664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5552,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5568 /prefetch:8
    3⤵
    PID:1208
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5616,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5784 /prefetch:8
    3⤵
    PID:4780
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5836,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6040 /prefetch:8
    3⤵
    PID:4784
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6028,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5796 /prefetch:8
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5632,i,16012126415907896299,5504423010294581312,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5312 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:464

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4b3e2253229a09b46b02ffd7efa2dbce

SHA1
3410e391073661f28dad43ead350fc038d43054a

SHA256
5293d6b60778fc21883abf39360ffe5eecdf64f6d5ff0b2d6e4b406446e63fd4

SHA512
4bb9d3c3b2accf18f3e734f25f9e17e15c1de2bb5e53af8b8aa956ee52bea3bcf12ae58a5312298b13932d69ad1bf97e19f0223cb4b97e05bc1f6e92e74f44ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9edafc292584ad3b76bb1bbd87d17a2e

SHA1
315cdd41d354e6c167581c1595cc68bb17953b89

SHA256
44e3d9f57f991b33f345134da3906987900c3cff6375a9bbbf680885c7820a88

SHA512
9cb14278fd9eac02814eb14698989181f93a018b86121adcf899990b40a8fd29c17ba660daaf19155b0dbec88cc42e1ffb6911d6bb111ea2c5fbba353732cbd8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c833d60c31e998c5580cb5dad8422c22

SHA1
ea05b7e67cd0685b5d054af832a76f584695f5fd

SHA256
8e13c2652f229025810f14d198726df63ec95c15cf7d73c99e182080f5441a24

SHA512
c65ab084599aa6c9a6b7cfe9d12df8b0fea119e7d342803c4b3562e6198d5dce18352535121b3af9ef522d1f0c259772112411a1c1e42eba6c9e379e0ea5911b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
2be65de24e7dcdc5f2398f6df470094d

SHA1
d1dcdfb54bc2f77c6c739343369182e6b2da3f2f

SHA256
b24a2a430aa7c475a2169f6879e2ed5dc66e024b75bb5b45a9c83db24908d51e

SHA512
2df404f9bcede9ea6645b055ae0b9b6a0a36ab67bd247e98053f39c40a688d2bfd2c3ab314b291a82e957e0d3640ef111d01b1eaf103989a47fa607774163757

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
bf2ee001b2f2ab17c5ea737cef80d403

SHA1
560df5feb8b75e5b15e00fe03c45cc19254d66b5

SHA256
b385d04ae9749cac730ae2a03803f183e0a219c9d0dfa74297443da8d86a9dbe

SHA512
0d9729267c1aacd7b2ae445856904e45f50dc52086396a6a1b7b254154f0516d3da2747620cccf69b731904bf97fa02f733d58d8d25959ca6fe186cdea6a5af2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5968c6a34dd71b3784f6e8d4ef571306

SHA1
630cc83a8571b3677b51ad3a1a2b7a0a6fca6874

SHA256
50ffedff700e74748ce90eab7594989a533bf6b462a2cdc2181a5df17758d827

SHA512
c084ebe3875fd974e755cfb3308f19331e1afa31981c27666ed6e23615d301d3d6297e804064f717780d8f87b01389bbbf440e72e7de069f0e9015c9462530b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57fca0.TMP

Filesize
48B

MD5
539240537c94ff3508a866529da7abe7

SHA1
51faa586b308b69d820f5a070aa0ae8e31022937

SHA256
56312a2314c01ebd4330520fe384559c8d96ec0ae79d596801571f4b1a218ecf

SHA512
7721efad863a5c328868bc4a4b70fb4b29bea37e9130f4c097677d1ba71ec399923c149f7d541749a614ad56d23e846282f8c6773d9f6e10f5b09a5fa7e9b571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
0ee724794cb676656a62d5f9f11c805e

SHA1
2a7707f36f28e85bc3834d1d00ba2e9fd2d6393c

SHA256
a291229b6f1e9e4d1f9bc5995f759d0058f036fccedc850243cab5f4bf48555e

SHA512
b2f1ee1fca2fedddd3603bc54d2e28774928d9fb3b3a8a340a28e2787ab065bada2d1881d8ade685aded51d6889741f83a72a49be5e92eadf4334ebb0d6ed9c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
693fcc5ed0db8586f3d43c34a5cd1f59

SHA1
5b47b779d804758a5265bd82267aff52d5d7a299

SHA256
7a42d0b4f9922886d5331b02dd43f9f4470b25ad5ad631036ff21720a3276e4d

SHA512
1c95cfb75b8b021acc168659ab60c4937521a9b61b63895016d16fc0e18eb493940b9659d0babaff7300e8a5fe5cd72d7394abad66bada20e419f4b1306ddf62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
a81cb10eba29d979877a9d71f2a9f86b

SHA1
64e771958f0c2561d937cd0b8a02475d4c88776d

SHA256
15fdadc577863d228ea2d8cec6dcac15e8d4ea1b5e1c1ae3a86c46dd82bbe020

SHA512
4a48aa1a6809b9eb119c258dc722cafc776c8652ae081675815659665040370fd11ebcc5938384b18b49d1bda9f9037353a32617d19b9b517a5b20bf84015802

Download Submit