socelars | 34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Size

1.4MB
MD5

6ed21f7aa1df0769e185b6dba72084f9
SHA1

0cb7edceb3b79b6e723144789b4c6549daa57f05
SHA256

34c3f1bc4872912b7fcc4ca0c0b4825fcee90df86d9218c8c7d557f852ed3af1
SHA512

bbfb5f5660b185ef5cf3ff141d36f0f88c427eca9fe4996b82fbc0f340944bbb3fc2dccce45da1445e76b3f63ecdacfa73ed932d444dcb13abb256073c815737
SSDEEP

24576:axpXPaR2J33o3S7P5zuHHOF26ufehMHsGKzOYffEMSXkdOZ1w6:apy+VDr8rCHSXuOZu6

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
6	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3176	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133804043615996839"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe
4352	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeAssignPrimaryTokenPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeLockMemoryPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeIncreaseQuotaPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeMachineAccountPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeTcbPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeSecurityPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeTakeOwnershipPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeLoadDriverPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeSystemProfilePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeSystemtimePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeProfSingleProcessPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeIncBasePriorityPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeCreatePagefilePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeCreatePermanentPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeBackupPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeRestorePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeShutdownPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeDebugPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeAuditPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeSystemEnvironmentPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeChangeNotifyPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeRemoteShutdownPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeUndockPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeSyncAgentPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeEnableDelegationPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeManageVolumePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeImpersonatePrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeCreateGlobalPrivilege	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: 31	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: 32	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: 33	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: 34	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: 35	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
Token: SeDebugPrivilege	3176	taskkill.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe
Token: SeCreatePagefilePrivilege	2176	chrome.exe
Token: SeShutdownPrivilege	2176	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe
2176	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4256 wrote to memory of 1864	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe	82
PID 4256 wrote to memory of 1864	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe	82
PID 4256 wrote to memory of 1864	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe	82
PID 1864 wrote to memory of 3176	1864	cmd.exe	84
PID 1864 wrote to memory of 3176	1864	cmd.exe	84
PID 1864 wrote to memory of 3176	1864	cmd.exe	84
PID 4256 wrote to memory of 2176	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe	86
PID 4256 wrote to memory of 2176	4256	JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe	86
PID 2176 wrote to memory of 2196	2176	chrome.exe	87
PID 2176 wrote to memory of 2196	2176	chrome.exe	87
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 1720	2176	chrome.exe	88
PID 2176 wrote to memory of 2012	2176	chrome.exe	89
PID 2176 wrote to memory of 2012	2176	chrome.exe	89
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90
PID 2176 wrote to memory of 3564	2176	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6ed21f7aa1df0769e185b6dba72084f9.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffe1f0cc40,0x7fffe1f0cc4c,0x7fffe1f0cc58
    3⤵
    PID:2196
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2028 /prefetch:2
    3⤵
    PID:1720
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1848,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2080 /prefetch:3
    3⤵
    PID:2012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2276,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:8
    3⤵
    PID:3564
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
    3⤵
    PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:1980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4492,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:4952
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4828,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4836 /prefetch:8
    3⤵
    PID:1160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4948,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4892 /prefetch:8
    3⤵
    PID:3596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
    3⤵
    PID:2016
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5044 /prefetch:8
    3⤵
    PID:4744
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5184 /prefetch:8
    3⤵
    PID:4716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4788,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:2
    3⤵
    PID:3572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5288,i,12248426202725337859,15570548215031027551,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4352

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
145d14ee1168d7e4d13087f61c660edf

SHA1
beaf6819a06184fe0564ce99f59f5bca8b474582

SHA256
3d26a7c6938f449ef0af400100a803d9ea95122e1598a08fab0f00a6c4624c1c

SHA512
3617a7ed06dde8391319c2bcd4a9c84a152c5f0fbe740e0fd188fa58e9816427bbcdcef9ea8aa4dd63eb741d75bcd06d49bd89e79aa6439fdf67735332bda888

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9efcf5087b5befc84d845fb8624420e0

SHA1
228f0ecdc86e9581731a21817b6859bff915cb91

SHA256
362ba66da2809791908f6f678d6418842010380e28cbee3ee0a056a7109cfa7b

SHA512
d9941cb2e6705feab49858594749967bfeb1829824cf4f5e2f4b212d090b4eff716b9ba6824e2edf06f1592591a4c5ccd4481b9f12d8ba0a1dfc00de1a72e33d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\d8d4daa0-fea7-486a-a4eb-590a94ca9596.tmp

Filesize
1KB

MD5
b4fbba90cb4b7cf14559d7a140686a57

SHA1
4b4cb84469e2452440afe1569309d0d3fc4d3689

SHA256
fcd400a00959b081b31f6f17243075d0ff73a36ab6051628bfe6706bbce78729

SHA512
3a5d5c1055cfa23d46776cf3b60f3e7059b9a8737e7ce7729ad830abccfb6eb6709d54780c4a9bd241bddbc14fad09b89723f68bf075a92b71a997077d85bef1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ebdf59ae24fc6a32aa90d164d093b613

SHA1
0b7ec4e6f555e6348f6bb14c921886c3d51d790c

SHA256
48760351ee08bbcbed92341d9345de379a40d53f86992b574d8566fc32ea4774

SHA512
712e3f6fece34cd3cc0c0b5e28431c42cc361b9aeb8a706c78f130d4c12535c56e2cc1a8f190c21a6246d332c0c36e8af1729f84bae0864a5b3233c7c1a38811

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
599778524f2a922247a7a4f6debacca3

SHA1
bdb26bb3f3aa270569850f6722fbb513d043a055

SHA256
754fbbfe5ba59c27cd1629c097614c8310ea83f7f8ac40011c0727ee8b04ed05

SHA512
b26b97479e413174b522eee1fbfa1e2670758a803cb1593de86ef1d92f5964e5343a9673cabc545437661a428c02f3bea4b3d1465874ee77d6db686094383a90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6fe456f5029bd605e7395d9adfeef1db

SHA1
0300785641c9c8d2e8eaab010d836423d1b64bcf

SHA256
2771c1c15f65db05ff1000876e53478b21a71503c70b88819c9e22b0ec92acf5

SHA512
0c36064c2e0cebb6200eb5c91a09db1019c52c3bf8fadbc36aa2588fa251f734f70c03c5578dd17349deb7770799707f85b2f8be619540eaa9a9941826025164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e85b10a3063182b445b9a40cbf6fcfac

SHA1
c9c53a2d4a81ca4cabb886fae381b04e5e2d1750

SHA256
6f6de2d0528d0890f49a850f1f08ec36ab2463189042b173082ec8439f1f69b8

SHA512
875e383b48426a029fcc914ab440babdc7164b6f406a8439599d8fb07c4338d1c7c805232e23d257f6e5f6f8eadd79c831257164fbdf0690db0bc8c1cb6655d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b4fe38448c5e118f6f7082f0cc8bc1c

SHA1
cae485a6d49ec6faa27ae116abd2814b1c9372ea

SHA256
723cc8436026beef9383bc7c4e2e89b02fe3f6b2d323f554ddb5d3d54c7f67e1

SHA512
2154110f155825acb0ce86c075bcb63f0b951d18be516548a8475473f294ad5bd322004d50250cafa9cf5315d7f5e08eb3c10a1857bd1720421f76c290bbaa33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
537ed45d59971803ecc4dcf19841eb17

SHA1
2264a979272c601b8349207bfe22b1c4924a1d35

SHA256
19f4c11a38ab6896a2de857e8d5a19bbd04d8551eeb7ac1e7a39e776a6ba9271

SHA512
b29275da2e61568e4a39a55d520b2f8795a518766cc48f44fc86cb5100bcf4c556f9295837ae1f7e8136e9564fd903eab9f2e4dfe0347c569d0710c119fb0ada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
67de455b654d98e4a5bae41ac151b7b7

SHA1
6c39953a31a8d391a971f299f29c08cb3923bd49

SHA256
aea3044561748ca79a8578465f398edb6470c972628987c69bf620711aead697

SHA512
23d9b612a3e60d9903cea5a76981ab567933314a238ed4fa79d34e712662544b394d24eaffb951236f10b2755a77cde9124ffaec85a4afbdc94f41fae0ffff42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
bed0c7fd97b6d747964f7b559cd53c21

SHA1
015bc67af96cef61318cab045b586216ec217344

SHA256
d39def62117c19189c6df652ff43d3621b4473d45c49bb995999336bf238f9b5

SHA512
8ab88549a2c3bf6902c56bd952719e2b588f5b638518607cdbac633899f7acbf35fed9f343b357ab3621e8be8b7a0e772fa04d1fcf06cbcea6abb3a464b3ab5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
605b50d3a433c4ce3111c0aed99efc71

SHA1
bd1852cdfe9282965cf68ecaedcaa1a880e44f63

SHA256
4d461bbc08f1710b05723f7cf0499d483013c3bae2efc8415b25fed4dc8f8396

SHA512
dea6a503a52c3d459e04963687cc18ad59fd103b1c0decdf4f834974e714fce524267452669e9b4b892ea7b1a26e1c2624a1f92c1d0bfad60aec8b7a5bcbb21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
fcc8d387b09ab8e6396c4eb58494e0fd

SHA1
7b6cf9fb7fee5796f6966b9dec2614adde9102b6

SHA256
0bda4c25fc4b10a680054392673c66053d1a04a4a7a4db3708125ea6a8c18f2f

SHA512
f5d5fc1672d5f696f1a06886e3275951bb8010149224008e070b1a1c355aae56bee22e8f20c6ed9ecab106c4ea6f20e0620e0dd2b2231fb69cdaeb953e40e563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
efbe7024302b37d56f9994d0a1f1dd5c

SHA1
140c7ce54eb858e90d1199795fd3a499bffc1611

SHA256
b071f902df9da9d3b276c301116d4839860ac787e3f48d28029b711ddf2f5505

SHA512
4b77b549647fc2be26b6cc26be34e3d359cee233f2cec8ed1751b9f7251735aaa08b865ee0d0b8e7cfe4fc885d3008dcd188644250f3252081e641061178a65c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
a53d2b752e620a7ec8d1e862ed4c6655

SHA1
662e18ed0bcce7f0f042e8a30d156293c5dc8d06

SHA256
8f48d37ac629d49ad3b6ff9971f869a0ae72df313abc26ee781327c7d2c23453

SHA512
16f7c54e699fd4c9b2194bcde0edc8ad6d90483902862b03f975ccab2a99d2b8f1a5a6fc1589d8942e043b634bf18b7b44b13c90a635d4b00fbb3654bd7860bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2176_463151750\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2176_463151750\cf5f6481-d7e2-43b7-8804-fa9bfc243aac.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit