socelars | c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2025, 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Size

1.4MB
MD5

81b05c43c1d16f7af57ea6bc9ded5729
SHA1

50e54265eeb9b3c9350b6c6cb17c0fc24f5064e1
SHA256

c3662f65c455c8e16f70e3443056b4f924278ba5c68c46bc38f8084ca3fb36a7
SHA512

993a73a26086b37a2038520068b37e4ff9db6806c7489a389818ac1612ec0ae18629bb53d356e4774d25ec23b7ce0e5d15dda4be17e77d66447e6c12d4d7f136
SSDEEP

24576:PxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX43Z1oIe:5py+VDi8rgHfX43Z2Ie

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	iplogger.org
4	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
780	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133805130540654407"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeAssignPrimaryTokenPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeLockMemoryPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeIncreaseQuotaPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeMachineAccountPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeTcbPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeSecurityPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeTakeOwnershipPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeLoadDriverPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeSystemProfilePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeSystemtimePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeProfSingleProcessPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeIncBasePriorityPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeCreatePagefilePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeCreatePermanentPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeBackupPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeRestorePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeShutdownPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeDebugPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeAuditPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeSystemEnvironmentPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeChangeNotifyPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeRemoteShutdownPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeUndockPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeSyncAgentPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeEnableDelegationPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeManageVolumePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeImpersonatePrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeCreateGlobalPrivilege	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: 31	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: 32	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: 33	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: 34	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: 35	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
Token: SeDebugPrivilege	780	taskkill.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe
Token: SeCreatePagefilePrivilege	1576	chrome.exe
Token: SeShutdownPrivilege	1576	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe
1576	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 4428	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe	83
PID 224 wrote to memory of 4428	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe	83
PID 224 wrote to memory of 4428	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe	83
PID 4428 wrote to memory of 780	4428	cmd.exe	85
PID 4428 wrote to memory of 780	4428	cmd.exe	85
PID 4428 wrote to memory of 780	4428	cmd.exe	85
PID 224 wrote to memory of 1576	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe	87
PID 224 wrote to memory of 1576	224	JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe	87
PID 1576 wrote to memory of 1844	1576	chrome.exe	88
PID 1576 wrote to memory of 1844	1576	chrome.exe	88
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 732	1576	chrome.exe	89
PID 1576 wrote to memory of 1424	1576	chrome.exe	90
PID 1576 wrote to memory of 1424	1576	chrome.exe	90
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91
PID 1576 wrote to memory of 2360	1576	chrome.exe	91

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_81b05c43c1d16f7af57ea6bc9ded5729.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9180acc40,0x7ff9180acc4c,0x7ff9180acc58
    3⤵
    PID:1844
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2012 /prefetch:2
    3⤵
    PID:732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1940,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:3
    3⤵
    PID:1424
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2272,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2284 /prefetch:8
    3⤵
    PID:2360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    PID:436
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:3080
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
    3⤵
    PID:3924
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:8
    3⤵
    PID:5104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4796,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
    3⤵
    PID:1508
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4432 /prefetch:8
    3⤵
    PID:1652
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8
    3⤵
    PID:2240
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5252,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3792 /prefetch:8
    3⤵
    PID:4376
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5256 /prefetch:8
    3⤵
    PID:1632
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5176,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4808 /prefetch:2
    3⤵
    PID:1880
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4988,i,14555830264349915676,7684954883382522035,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4868

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
794f92f616e58af6812fad9d4d784638

SHA1
f6e1b4f2bbb9b43ca7bc3f743d5104595709f734

SHA256
eed21886a13ebd48a0b43ec1723d547071c0ca7984ad4ac3edd89159ba78327a

SHA512
cdc601a264ba77ea2576283b2b48a1f95c2d71554530cd89b1e2ed5cccd6512180f4c22e3c46013bdf503cb9eaf1c33356ed0d5df974aa4226e5c7d2b51d0db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
86da2e1c9acf7b83769385ae5b69f9b5

SHA1
b78d8c4e1b3dad801f7a30a14df5effb151ac842

SHA256
e067c48eded121ac88b1b9c935cadab2075245ca77fb89c499ffa494ce08a3d2

SHA512
a60d3d3b7d666e83084dfad46fb5523e47b16d64b8025630bdb59250defeaaa7e6f2446ca29988aef9ab05e947130a0e2f9653ff6b709e2cfa8eb10cb9d4b936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4edd20e795f975e4e70d644e839b9d38

SHA1
0ef7b410214c32ed0f434d9b36e43fc5a5522d35

SHA256
3e2271e920087a33d366365fc422ef654b409027b0509b049c0d49358a43c23d

SHA512
99d41f04fd21d05b574c9fac901b66c24084cae504521ae0ed9356cc3bc6d13cd7161775b2d1a168d043043535a0856e7c86a1def9239e264c4f00e21b7203c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
45b7dc879720dd4a46273e7429cd6af8

SHA1
0e30279fe9959838a3b24570a9154abf402dc80f

SHA256
6422d28121a51c708c4d25cce9c92e27d8f411f33b5b60b0a615fd94d24986ad

SHA512
9e1485fa5da1073c58fb563e847cf047f041e109b9d3ff99804852723f222599d515d06976e195d2295b5c2301eac0602aae338b740907dcd42872ba69ebe720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8cd4f48decbebb11e5a991135762ed8

SHA1
25a7062237f41274e1ce9c7965c091056af5808d

SHA256
c49ac7864a0c942767c3dc40b435a4233bdc311b6e22ee86e256273a3a347bb2

SHA512
3882ca09b35d0f11f7829a9e0e99594896882d6bd4b0d81d34edc07f8261689b9dd5a43ffd07ef2a9d6277f9dd8e719e59775fbc6182e79409fa8d4768638962

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
79a0f9b32a00f39ff630f9e26977df74

SHA1
651849f78041c1c2ea4b1fa0869232a686af2c50

SHA256
b432e63b8d45d8da0583c33c434e2d9126a393c312de19507df6a556206aec49

SHA512
a90d70b389ef3d9adca5f806505e7a2b1fef54b42a84dc4898024ed519dbc6b06be176eed856b31526500671e3d1afd488bb9400f1af19f69c9130185d27963c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
810ea5f6373cfc072537dc82bd0274b9

SHA1
d2074ebfe20d16e568f0b75a5353dcd90a5e985f

SHA256
0df4507276d767592af7f79e8b60618a5953c6c5cc44d25c5e75d1c334e0c5fe

SHA512
86c8d30f2d8a154b902a0025e8ab02d89f7a9ab159015ec7e306ac2e850c79fedd100a40eaa64acee80b10a489bfea86f9e952391d2ad99162fe8a165fc51186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
cc3f3b565ec4cf8609c3041f021f1c6f

SHA1
bd6a8467dc4df8462b1239bdad645611730e270f

SHA256
e33a93fbf27c02e5b1957571851c3fa20597c088b6e1f7d7899585c8f9133513

SHA512
0e66cbb97b91e2f60aa4cc79f088f024273eac81e06b4ef058064c31cd8ff0557e32012513a74e056c9194fd662153c8297b9c93b74dc055ab796dc0121e5da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
6239d060d9fcb7d72d5ba8d3244ab690

SHA1
6ee5cb648cfe5a5942068bc7be718a8188c49f0d

SHA256
7b8205419bf9402ebaf6097c8a7fd2e0223af1606d9831a48dea07bd0a746cee

SHA512
0f79adc05240858bf5a22b89e87c2ae5d0a6a3c4bbd140a57c540a6c43ce308adb264845349af02ba1d28646ba26984e7174553d1053a9fda73cca064149bb1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
405e865e373676e55145f06bcad56958

SHA1
a2d898b43553a67e785485f14dfa1e83d545d4cf

SHA256
df1f73a6fc0290e0a0c90343fc9fd2b5c9077af79df6f40006a8c3698839eb3e

SHA512
13d96bc14ca14b7457047345a2527b728f4944081f71a4d60aa1011a7d812a1e46e9b578f235b9fa44b3af699bac6c45f6e2f3b1fafaed380922ba284ebdb94c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
7630d75ff456221fcf78b4d0204583be

SHA1
6eb726d703cd96e6f0e053ae5d0b791c07c5c3d3

SHA256
73943278d3a8a96ab47df39018af215056b8c280368e9685443d80c4efda6a80

SHA512
d10d72475b1e2383dd927e195c3a2450875aea7a02d79f746e9353d6750501e20173a9cfd8bec85fa4633d22775cbc025a372df3b019b2d97ae66e5bbef7d507

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
cd6875c3a5d558eb7e37add575596c83

SHA1
64ed676d2740843ea749db31637f589a03dba9f6

SHA256
bcd77ab77ef2a5b5e85f5a2030fae492b8b7b57041478c5100c1053e87813d61

SHA512
cb41d65f3d19116f257a586e8cc93b9fea1d9a1fc130868701265dbf7b153bdfbe66b7e8208a5a1dd9679d883c048bdf41b48ecbf7f5c724ea07d49f2d398674

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1576_907501799\474c49e2-e93f-437f-964e-19bd76129b16.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1576_907501799\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit