socelars | 6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Size

1.5MB
MD5

8b28b4cfd5fc4e1ef82f7a96f10bf89c
SHA1

b3508ba8a9e143063f98fc2d0cdb4782fa838e22
SHA256

6585676245e22cca9f08c5a2f4b7b3020dd02e544a9caa57b1df22687a43192f
SHA512

603d2aea823ae99f9e437cad499d91f539c833123dc525e63262662455b1a826e6840d59f64cb006a8c8e7a228848692eda4c056aeb9b6c33ac4a0bda29ee23a
SSDEEP

24576:VxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4RZ13:/py+VDi8rgHfX4RZJ

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
21	iplogger.org
22	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5036	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133565304943243170"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
4528	chrome.exe
4528	chrome.exe
3404	chrome.exe
3404	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeTcbPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeSecurityPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeBackupPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeRestorePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeShutdownPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeDebugPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeAuditPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeUndockPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: 31	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: 32	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: 33	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: 34	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: 35	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
Token: SeDebugPrivilege	5036	taskkill.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe
Token: SeCreatePagefilePrivilege	4528	chrome.exe
Token: SeShutdownPrivilege	4528	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe
4528	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.execmd.exechrome.exe

description	pid	Process	procid_target
PID 2916 wrote to memory of 1892	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe	85
PID 2916 wrote to memory of 1892	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe	85
PID 2916 wrote to memory of 1892	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe	85
PID 1892 wrote to memory of 5036	1892	cmd.exe	87
PID 1892 wrote to memory of 5036	1892	cmd.exe	87
PID 1892 wrote to memory of 5036	1892	cmd.exe	87
PID 2916 wrote to memory of 4528	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe	91
PID 2916 wrote to memory of 4528	2916	8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe	91
PID 4528 wrote to memory of 3040	4528	chrome.exe	92
PID 4528 wrote to memory of 3040	4528	chrome.exe	92
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 5060	4528	chrome.exe	93
PID 4528 wrote to memory of 4964	4528	chrome.exe	94
PID 4528 wrote to memory of 4964	4528	chrome.exe	94
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95
PID 4528 wrote to memory of 1816	4528	chrome.exe	95

C:\Users\Admin\AppData\Local\Temp\8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8b28b4cfd5fc4e1ef82f7a96f10bf89c_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c68d9758,0x7ff8c68d9768,0x7ff8c68d9778
    3⤵
    PID:3040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:2
    3⤵
    PID:5060
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:8
    3⤵
    PID:4964
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:8
    3⤵
    PID:1816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:1
    3⤵
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4568 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:1
    3⤵
    PID:808
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:8
    3⤵
    PID:3252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:8
    3⤵
    PID:1692
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5196 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:8
    3⤵
    PID:3736
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2708 --field-trial-handle=1884,i,11229229455616148763,8061497061414108979,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
337fca1bc86a428715ee964f87be8353

SHA1
b990bdb09c393232b876f7f3f13b43c738b45b20

SHA256
014c80e9884f86130c1dd275ebe2d05fe658412c0242790cc6fd308fe5412d39

SHA512
9f3dcce9f67338e86cb8405c10303679e66a838b314c27e6f35cb4ab26b9095663039a779812a7d8f442ce644c03afaffb3fa23143815a50a27ca6b25db4a5da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
64c45cceb26c042b453d45b707cb07fd

SHA1
5d6da771f2c40f36a0733b489bfb23d9953fc187

SHA256
9457833a493d0cb6dfe9d512150bb4bbd278f365264554b38bc6a446bc11ba30

SHA512
b8dcbf55d61c65152749da8c71c243df9fe07bbc3cbca60dfbc2a8760a1d249cf63aa4efa6ca0cbb59abe8d25ef952decf8bd648425b1097876f34e40d295e7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
15698dd9c1b7574542e6072cbfe815bf

SHA1
2a80a32d1e405478e65e08f8b05e3e2725afab5d

SHA256
7f5327d9db6f57e13c39075f05768316774064f19e60df7f286f412808223343

SHA512
cae11e84d53ee59f7f9f236b3da271bfea8f0c45721b89d5d3f5a214261bed5c5a56b3edd7c80db73cdf35ae92ea5c27439c6c6faadfa54346ee83c52ec22a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6bbc7d8f2c6a047128f41139f8b9515

SHA1
effe7bec32580aef3b972949c210587e71376bbe

SHA256
5ce6bbbc388ed2f7b7cc54dc0de9c193837ce24751ce665441d6463f227ad9bb

SHA512
4bb2f065f1d0822ffd0f1ca36fec9d9efe7b5692358987188fc7ddcc39fda087a5571aca0420c3619465ba46aa1e86eb0c2d0213fa4f785ccaf68efed923e0c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
631a88aeb22bb12f14c6f00eb6133162

SHA1
97df9b8433dd9e3a9929abee5577a0d2e3a056ea

SHA256
07bdafdfe327cdc478fdbfadc9ad4d7afc883787b0d1687a7355d64c3573c4b3

SHA512
624a86bee87102874e1dca9a73f078d99b9c60a39dc01a4eeab047322a123764c01ecf0281e7fc1a1b8610eab7c56f6eb1056c19238526b86e2b6a748c2b4765

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
786ecd4816d78c95e3d3108c7e0d3113

SHA1
ce7fba6ab9bd9077d85c66b1973465dd28e1f903

SHA256
1dacec572df1a867251881cb3bf297531c15851d211f39d5270855e6483ae900

SHA512
9a65990abd259e9dc3b1b4d384c9d51d2e0b8893a73add0d77d865d66fe68495cbb03791361125b38576233e26de7eea26a7a2a1c42319e90d6cb9dce78dd3f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
d6cdc76c094a5607eb05065fe1fd513e

SHA1
453778f325db8376d7d08db951577abecc09edd6

SHA256
eb314cd90b9ecb705c2fe98ea099845fc13b918b0e4f7010716439c47c1cd1e1

SHA512
f78125f04bf0d365abc31071b86c38524c6e09a56139ca969b5f0a3f25fea4122101abb1f5b07524e74f9a5b4878c4473a838ec77a0622dfed52836772e91551

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_4528_IZHDYIXZDZZLXRKO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit