socelars | 16f5b681cd4f7a450a5c66506c6f89670b0ff99807347301d9eaa5dea3ec6218

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2024 15:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Size

1.4MB
MD5

357676ecf9d51bc66f25100e00844650
SHA1

d924abd77f1d4cb54463a03349ebdf69b292f6a3
SHA256

16f5b681cd4f7a450a5c66506c6f89670b0ff99807347301d9eaa5dea3ec6218
SHA512

33786949c932e3fc8e96723f0829d5e351d972ee080ad3999904b82eb5d8330e372fb065b58ef9ea50862ba0a7fdeb40a6f42441f53ebdedd70598204696e5db
SSDEEP

24576:nxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX47Z1gS8:xpy+VDi8rgHfX47Z6S8

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

Processes:

357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 iplogger.org
14 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
13	iplogger.org
14	iplogger.org

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

taskkill.exe357676ecf9d51bc66f25100e00844650_JaffaCakes118.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

512 taskkill.exe

pid	process
512	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133731334635618626"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

2728 chrome.exe
2728 chrome.exe
4056 chrome.exe
4056 chrome.exe
4056 chrome.exe
4056 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2728 chrome.exe
2728 chrome.exe
2728 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

357676ecf9d51bc66f25100e00844650_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeTcbPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeSecurityPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeBackupPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeRestorePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeShutdownPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeDebugPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeAuditPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeUndockPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: 31	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: 32	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: 33	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: 34	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: 35	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
Token: SeDebugPrivilege	512	taskkill.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe
Token: SeCreatePagefilePrivilege	2728	chrome.exe
Token: SeShutdownPrivilege	2728	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe
2728	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

357676ecf9d51bc66f25100e00844650_JaffaCakes118.execmd.exechrome.exe

description	pid	process	target process
PID 3928 wrote to memory of 936	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe	cmd.exe
PID 3928 wrote to memory of 936	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe	cmd.exe
PID 3928 wrote to memory of 936	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe	cmd.exe
PID 936 wrote to memory of 512	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 512	936	cmd.exe	taskkill.exe
PID 936 wrote to memory of 512	936	cmd.exe	taskkill.exe
PID 3928 wrote to memory of 2728	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe	chrome.exe
PID 3928 wrote to memory of 2728	3928	357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe	chrome.exe
PID 2728 wrote to memory of 3732	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 3732	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2092	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2548	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 2548	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe
PID 2728 wrote to memory of 620	2728	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\357676ecf9d51bc66f25100e00844650_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3928
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:936
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff86d73cc40,0x7ff86d73cc4c,0x7ff86d73cc58
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2
    3⤵
    PID:2092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
    3⤵
    PID:2548
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2572 /prefetch:8
    3⤵
    PID:620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
    3⤵
    PID:4588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
    3⤵
    PID:4380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3116,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3844 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4676,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8
    3⤵
    PID:2232
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:1104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
    3⤵
    PID:2076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4716,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4844 /prefetch:8
    3⤵
    PID:1084
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5096,i,10660514721584919592,4029952480727888634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4524 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4056

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2492

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2aac75873f733975665c6778e272c6f0

SHA1
56fab96fc8b503aa21c2bc4bb2c19105d219c45c

SHA256
acbe40f8041e240df70f45edc27f1cc97d53614a46e75e2c8b65e181b0880af6

SHA512
72bf48441a9fa2fb249ec625dd7f4ac8bd4882d4f2e119eaf885c2a628d78bdb9a1ccd27740f78a5ef72bdf7500641522117b8d142a400f6ac93f12407a98fef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b168679ea3d281b26efed68a4f5f8c8b

SHA1
f410670e1d13ac944d46d6aa15bbe7e952fab6ef

SHA256
6447ad6be88fb5538d25f73f3a9f011e44ecd38263ca260c331702ce1bbc09f5

SHA512
f0316993f17e4b2f9ec645740729df0e49138a471bbc1d07907e6ac3bd9099135f0a295bb8efc1f6f75a0b103046ba7c0a133c51307da5cdfd23103f31c4a26e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
07fa58259516be6a8990a3edf75cfb9c

SHA1
7c9afdc29f697cdf080ac4a5afbfd63045a736cf

SHA256
f322117957e90047b9e7ab7de1348ef2dc8936dda7635367e3d2149c204bf0cf

SHA512
a40753dc7f77e8455d86b0c2d025d2f080e8f4ae2f2eb983dffeaa218dce83c99fd0b86ea09161b99b0523957dd67003146917a588d406b59e776458ec196c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1ba58ef1fc80d2a9e350391a9b3a15c9

SHA1
9c0cf665d38aca6acf56cd1189335eeac6e3ae1c

SHA256
c2a14d6b4cc554478a228b642a86ac3e3dceec0159a1bd95c23798e2af4b09e0

SHA512
3f821300905248842422e3cef034e15da8a22dda49e7ccb0abf2c31804a39dd2489614c10769ae5b85309fee4362146691522d0179d49ae0440c35fc96f1c2c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1453c72ac07045967b7e8b7910773523

SHA1
fea6b7377741f09c452bf23b12bb76fc1b914987

SHA256
7b08eed84e90ff851a9c8c0c255a89ef28aae515cf4a5e3186a7eb51d286403a

SHA512
dc8733b485666a55cd6937d8de82afd673f1ea4274a4945af5351c9487cc9d67407032c82f46ad71822d648797a1a53153243065322e9469ac6d5af60eac1ed1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
206e6e4fa91e6bdf9b1a452935190440

SHA1
b04b2cf40556bed3100bf941abfb82151a45698c

SHA256
fbf13c35373b6c99a29a33e79e26b64997bd7b86a380cc53eb6c8cc6d51da942

SHA512
a14c6fd24ae555bba90c036340aac20e17c0f5fcb803a327cd02e874f2685507832eb6532338bf996e35a344b33915661b59f207db50582a57c839057b8f03fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
597c282598fff1ffd24a64c7e99cbe4a

SHA1
0169f63263612c57bb7efb642bf5bed45ad36e92

SHA256
68d2f1e998224d2f8b181621476dbf348ac6f704c46f398f81fecad81b12b78a

SHA512
6cb2dabafeb3da4f2530bff61615d6d3304a9eb5c3cdc37007bd1eff62bd7dd0e75115db89a4ad583f03b9c02587d9c5feb682a529d424a355bcbce92dcd50f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
f33ea6e038d223f442155a1502c44a09

SHA1
a29925095eef3fef336d713543b97380eabdd87a

SHA256
b98d2812b4c92c80d492043aa8ef53be38412ef05fb5bc8394610dee053089b0

SHA512
f891a9633dbfe5c2d016d61997334660eb9f5978abb2ddbe9728c17d413c9f12f9fd5446081e5bebd48238d33842802fb32e06ffd38c9cfa57a2369154ff2ede

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
51a7a93552f937771e93fd6764dbcc52

SHA1
7844b6e1d20ce202f8b0ad78289891b9bcc90249

SHA256
317e9912e878711eea89dff8d601a8a7ac5ff9d392d5f5da2fa0cc3c9c585d36

SHA512
449c5fa6528f29dfef9672e08fa0ac976f60291876db5ef7bde9119b94f93f4103315708580b2f36206cc4be9ee0737e21c6c45a389fd04638d29922a2385494

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
5a7fa17e4f099c3cf5e7483d382e6c9a

SHA1
957603b2feb3200f3f0f2fcc0960570ce47448b2

SHA256
bd9ff016519150a130295c680a1bdb8b872e660d949246f9f8df2ffcdb2f26b2

SHA512
e1f9689539341c458bcf920791a5b63c2ed26af487a3df7c7ccc04d888838b683da5657d3b20836abefa3416e4fc7b0a6acf6cdc2054ff662606a5d60a5bf5d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
65323b59e3ad5208aa0c4162e61596c1

SHA1
723a6fceb35e051e376579eea2601953ec50d91b

SHA256
1c5cdc9cfdd5f8727213eac285bf606fa05dc6cadb538060fa9580cfce4c7ada

SHA512
85356a1d1d0236040a9fedc1d4b8232cf4bbc211dd2f20c71031a6c64d9ddd1c5bf46657a883f21e01802079651b9704801607fdb558723495413c8711a7290d

Download Submit
\??\pipe\crashpad_2728_QQNOCYLZDPMSNLUZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit