socelars | 9daf6dd041934892100ae2edf69e27db7b2baa0ba22ce101e7c6fdfe179de5c3

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2024 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Size

1.4MB
MD5

30cad29a59ac340db201eeeff45ebdd5
SHA1

618e11093f8445ae1ac096d9fe68f0e7afb1431d
SHA256

9daf6dd041934892100ae2edf69e27db7b2baa0ba22ce101e7c6fdfe179de5c3
SHA512

33ea1643df24bffbde854aad4f3b261e9565420e7c0f9eed49460740e927ebf859d16ba077e26fea531599191d1396a3b9d834b1272eccc5b86b1e62406dd54c
SSDEEP

24576:NxpXPaR2J33o3S7P5zuHHOF26ufehMHsGKzOYffEMSXkduZ1H1:3py+VDr8rCHSXuuZV1

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

17 iplogger.org
18 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
17	iplogger.org
18	iplogger.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exe30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1392 taskkill.exe

pid	process
1392	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133730506914484163"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2676 chrome.exe
2676 chrome.exe
4164 chrome.exe
4164 chrome.exe
4164 chrome.exe
4164 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2676 chrome.exe
2676 chrome.exe
2676 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeTcbPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeSecurityPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeBackupPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeRestorePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeShutdownPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeDebugPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeAuditPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeUndockPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: 31	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: 32	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: 33	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: 34	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: 35	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe
Token: SeCreatePagefilePrivilege	2676	chrome.exe
Token: SeShutdownPrivilege	2676	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe
2676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.execmd.exechrome.exe

description	pid	process	target process
PID 2244 wrote to memory of 3896	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe	cmd.exe
PID 2244 wrote to memory of 3896	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe	cmd.exe
PID 2244 wrote to memory of 3896	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe	cmd.exe
PID 3896 wrote to memory of 1392	3896	cmd.exe	taskkill.exe
PID 3896 wrote to memory of 1392	3896	cmd.exe	taskkill.exe
PID 3896 wrote to memory of 1392	3896	cmd.exe	taskkill.exe
PID 2244 wrote to memory of 2676	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe	chrome.exe
PID 2244 wrote to memory of 2676	2244	30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe	chrome.exe
PID 2676 wrote to memory of 4640	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4640	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4776	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4252	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 4252	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe
PID 2676 wrote to memory of 2976	2676	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\30cad29a59ac340db201eeeff45ebdd5_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3896
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe7706cc40,0x7ffe7706cc4c,0x7ffe7706cc58
    3⤵
    PID:4640
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1956,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1908,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1916 /prefetch:3
    3⤵
    PID:4252
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2448 /prefetch:8
    3⤵
    PID:2976
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:2324
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
    3⤵
    PID:5000
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4532,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:1
    3⤵
    PID:628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4620,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3840 /prefetch:8
    3⤵
    PID:5048
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4776 /prefetch:8
    3⤵
    PID:4728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4644 /prefetch:8
    3⤵
    PID:2364
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4700,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
    3⤵
    PID:2600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=836,i,12608979981003225542,17691023894792037553,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4164

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
20cb4a61bb73eb15607e8176be64bddd

SHA1
039e4358446f8f82e0526d628c752312d2baf6dd

SHA256
b4bd34f289ae3692fdb423a9e77d98b45abf6329d6140e2972842eb8c56199ed

SHA512
97877a9d1544b0842b7b049af287a2126a3094274b0fe48ffeca88bbbf31c1fae64ad875893511c99c11ab4a3ab15b65af313e488545a219aa68bb8c7bdcb1e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
a1ad4bf0dbb2989b178e97f4f5a52cc1

SHA1
e5ddd95077f3de698529205055e2b80207c8e6c6

SHA256
d6accbf8a93a02dbda207f2ef620dce5a450432f8d92af27fef6101636823c47

SHA512
438c4eda51e10df95e9da82600db8ce72426afedcdcf4c344ddc9d121efba06f2a6323d0dcca1303539de5fbaf6e0df4eaa7a47f48585f2be078cb61913a8495

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a6af4e26612df335a4112e85ba0f3ef8

SHA1
e154e2b7c0bc5eef2fa350e1165d7ec425517a63

SHA256
1c971f96c5b30c2ce121c1cbfb4055f51cd456e16efaa39614f2cfb9f7e1f8bd

SHA512
0524f1a6b7a6d93a39666321c5eb58ff1bcba2e255ce344f339492eda2c3992c6ffc3d061bfb2a376692618b17e0871e93ab6b240fc47527a37de426b07ae986

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
eb6c4feac304235b120bfdb866648bac

SHA1
95fa6dc267d62a3382cbac895f8ccde1fac8882b

SHA256
59b33994c4c2bb0415753ea0595d4efdb67e3295293f68f2e784c3e7c9ab2b8c

SHA512
0765d406eb14fddb29993c6f373c97df6c451e681fea58ef5925d03dbefd57fa1354b6b3fe72010c2b03f2a185b939087688dd1eb067a65c01e7415d3340f6c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5317e206109773ec7a8272abf7b788f3

SHA1
de1a19f214a7ca9f0e261a2e7f153a09fd21882a

SHA256
205e58e5c81a6e7b1081edcc4e987433ae80ba3f3bf90652ea8975ee8f8030d2

SHA512
9aecc3609bfb4e36320edefdd8260240763a19dd2414020644c31e34cc0aad9df4454212abe0a6a90ae1890abb10965f8489fbdf64e8d8b4da2482cf0956bd4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e682d20cc1cd7189c4beb37926fc3096

SHA1
d7b484910f2a096a37be8d689396b0417a460e70

SHA256
2b0e1d4ec354ff4c7ccbe52ddd4f7a7e0fdabb40411ebe2dddefc43d12ebf6e9

SHA512
41e273c9a9a7dc377450adf4cc38f419c3c5b4c670e7ee22b978e2c69608575b98920942da0c21f6b878d08986355a6d53f451447de77015ed8f3082740b5787

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8df1153d928153251eb6354f1994177f

SHA1
b66699b867262fe7d6a73f49dbdb88738a74b30f

SHA256
6a1ef324f61f1a3b8c59d7dc082b753a3e9fae938da6d161e4855d960f949aac

SHA512
4b5848be9881621eb10c27a27e62a7c60400e0adabb2279b6b6e979bbc23f0e537970aa2b85c7154c5133a598796443cf40ed25ea813f9dd1c029f3d906a962b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
9f3ea848d496995807da9cf8bd938e5d

SHA1
23325af28f11712420caf859a56d494c3b978028

SHA256
9a8bee7873b572e90d1baef09c0ecf76735573a5dc3e3758ab5a6160588b753a

SHA512
bd0c94d662ee61c45a78931029f8fbe50a48f2a9aac6f15cb4015e6b20bfbc81300e818f5e445cc2dee548a7bb67859429d555cdaba40286510ff1adfa15d460

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
bc3c8bff7bf4f965bb0f43620a335ae4

SHA1
5f6b85511031a8f3167cadd180ea052fe6a571b5

SHA256
461369969e90b39517739e4153193e908003961ef365dca13f30050b77182d26

SHA512
a38b0a356ea2da8a40b60e138ff76292034ca9d19df8897c08192ae6c50b9deae9c8d2a9cdf9497ddfc49003ef3e1401873387c145e2eba53ef6ca82f6a9562e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
8bef3f29eb363e960afa7d6b45f5b832

SHA1
c0dd81d51b9b1bb218600689484cb4ea6c77bf8e

SHA256
fd75b3e66ce374b20ec526fc3969a8e7171033ac83891c5df855b14fcf951c97

SHA512
598dfb727320cd698af485891945ba93e187fee4469be5d032b2694e8e9640caa1f6bfab64b6dff13e352320976dd5c6e4a18893c8a57f14d96307a0963ff946

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
fa85c77a499399864c9b4b4edd533d3e

SHA1
3adc697cf783fec9e0e4dbdee12aaff66f11d8da

SHA256
57c8e982110039e53910304efee51d0e9dae8db8a8efce23da2c4ae324ef1232

SHA512
da0198f3627d5cc32741cee208b088054701d2d3a1e03fb8efb5df1a304bd47dc0d1fb7e48b11f53eb84477d4d1e5ab907648cb1e9f9859e00060de0c1721236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
1144db988bbc3197552d606c3e4d90bd

SHA1
eaaf4bac7061112765af0146851e78349621f017

SHA256
1e77aab5f05dc7c6a6b6f2effd698b957825ceb6c13bccf8694a3c71c1975817

SHA512
a5a65f0fe7a9c2dbbd214161c4441e8ffbc29cda7cd8b8b713dedce29c33c69a68d0318fe2ffacd682c800f6bce2d599b21f9a1e693d2a37ff012be1fa1df9f7

Download Submit
\??\pipe\crashpad_2676_YDNVPSITVOGXISEA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit