socelars | 4b1fa53e1acfb5a328d7af9a76809fe1277bd8d8a8cc43081607fc4929f6198e

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 08:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Size

1.4MB
MD5

37e859fdf2b248c9a753cc95ba6bb42a
SHA1

ea4110fdef55dfd969ca5ef7b56bfa321a6e4142
SHA256

4b1fa53e1acfb5a328d7af9a76809fe1277bd8d8a8cc43081607fc4929f6198e
SHA512

0dd39a6fcfbaf739032bd758016a5f8c72d59c6452559fb2141c87304e2bc4dd05cc9652dfe0209e6f986ab59790e1f329250eb30fc814ff4e7bf59ca0355d1a
SSDEEP

24576:ZxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3jZ10:jpy+VDa8rtPvX3jZy

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

20 iplogger.org
21 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
20	iplogger.org
21	iplogger.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

5068 taskkill.exe

pid	process
5068	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133562605546683526"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2740 chrome.exe
2740 chrome.exe
1292 chrome.exe
1292 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2740 chrome.exe
2740 chrome.exe
2740 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeTcbPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSecurityPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeBackupPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeRestorePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeShutdownPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeDebugPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeAuditPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeUndockPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 31	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 32	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 33	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 34	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: 35	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
Token: SeDebugPrivilege	5068	taskkill.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe
Token: SeCreatePagefilePrivilege	2740	chrome.exe
Token: SeShutdownPrivilege	2740	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe
2740	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.execmd.exechrome.exe

description	pid	process	target process
PID 4308 wrote to memory of 1636	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	cmd.exe
PID 4308 wrote to memory of 1636	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	cmd.exe
PID 4308 wrote to memory of 1636	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 5068	1636	cmd.exe	taskkill.exe
PID 1636 wrote to memory of 5068	1636	cmd.exe	taskkill.exe
PID 1636 wrote to memory of 5068	1636	cmd.exe	taskkill.exe
PID 4308 wrote to memory of 2740	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	chrome.exe
PID 4308 wrote to memory of 2740	4308	37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe	chrome.exe
PID 2740 wrote to memory of 4708	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 4708	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1464	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 4792	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 4792	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe
PID 2740 wrote to memory of 1740	2740	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37e859fdf2b248c9a753cc95ba6bb42a_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff990f9758,0x7fff990f9768,0x7fff990f9778
3⤵
PID:4708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:2
3⤵
PID:1464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:8
3⤵
PID:4792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:8
3⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:1
3⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:1
3⤵
PID:1860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4628 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:1
3⤵
PID:4224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:8
3⤵
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:8
3⤵
PID:2676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5268 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:8
3⤵
PID:2324

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1920 --field-trial-handle=1888,i,9997517720609620194,10778147376072473831,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1292

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
943B

MD5
e8875b9d4db8f8f8896fbaaaabf3dee5

SHA1
16ba171860394f9b48147d1a20f27c9bc40602b9

SHA256
a2e0a9cfc55dcd2e7552e3f51555802f1dc1dd9fe0b2d314b6b552734df60ca8

SHA512
6f89932b532d3faecb86d55379bc95f972e93a5fba38bebeda17a6f99d4d93d3c0042997f00cd2b6d097409e0763839f5f0fa349d11b20ffe0d941b80006fd4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
cdf211604a52bc4659b557c51cef46ed

SHA1
91dfb234df60e48c69d1717b60ce971125dbe8b9

SHA256
7729dffef653a72fe5da877916c57de1ce1ba2523e02d429ecd817fd610b361c

SHA512
ca56ed9160e17053603a6cae07609212383af7762f4cab52e5443a7857d3460c0f2e3f837a709f825c164726222271030c8788719e3cbf462e0fbc9311eae86e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
e13dca7f7edc5940acc618583468ce9c

SHA1
fe77fdf1152e1f1a3f62b16f3d952a8bfac8e887

SHA256
144cd25e675896dafa068a0d9eeccda42b78a380b7c882a833b714942d33d0ed

SHA512
cb78cc7a6a5a9536d383dfaae0df925e4186293f2d408ae29d48f22b778987a4f4beb1174cfe934b25f35ed560a91d752f95ddf132a9dd75aea7cfd5be9811a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
f4a91e5fb42f3ccd8b95535fae0de924

SHA1
41c6791c8cf59d676300bb7179b5a7f1abb6b3a9

SHA256
062ab46b9ac6f3504dcd6c5cd3fedd065d110ad2fd46b63077701dd50e1a8756

SHA512
8c5ee2caf346ab66187cc2425efcc82fd1a85093221b37933fe7c76f2efc577129025b6a63583010f2c38938a990ba89e08de28123587533536f832b6a2f19af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
7ab08c73ae58248dbfe9a6e9b2bebdfa

SHA1
b8d49e1961d00518d9ddd1b4e5d3d475c6a23ec8

SHA256
02b6c69421031166d1d898d946df54a73b1f958822fa7f5de9f9b3684441cbb8

SHA512
9c877483d2acbc71009a411c83006feeed218017073ab2fb79a291ed06d17d6c9beaa2ce538b69d0d118f5987a4e160360e430d8e4193a56e3d95313b797c6a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
18098f9af37479b18dd716457e44fe15

SHA1
fc0078c2df5f6cdfdf87a14d0554a776ed93aadb

SHA256
eb1b74ffc521e9066402f94ca12578e43386bc4595987498240c3bbd38c3652f

SHA512
4b8dad594f810ab8332a9ae52ded6d484e9420a398e05cfdec60a7fc3cbb163b71dda2ab72a08adb3206b46eb916caf08f7f326c60bdba1b4edbd13e01012c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
260KB

MD5
0613a4534eec31a9bd0c6951d04e5f5b

SHA1
867e7a2aff65386d7de9897621167f70c156daed

SHA256
96342f94687f2c110961b5e1cc366ce86f10ce2430b48b8e876441e260973d31

SHA512
348243f1ace89fdf120f35f8542fdd60080cdadb97e4ef6bd4299a2f033e9bdd988b9378f47061825786dd2be2358849ac09f32208f565e70982ef8f327e71f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_2740_LGWAEVJMNJUSGEUP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit