socelars | 63ae0603a0742f791166475f08d0af36dd0f625e55ab25ed18070e92d1cbbaf5

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Size

1.5MB
MD5

ba112d9fef4d22198141db8abc8c8eaf
SHA1

1c85c25537f23f7201ad3bed11d692b93939aca8
SHA256

63ae0603a0742f791166475f08d0af36dd0f625e55ab25ed18070e92d1cbbaf5
SHA512

c9a8717f7220ee5d0698cd1fd48c99ba6f67c99fbd0d7ccef77ae8d3a3385c63d8b04f76667e18ba664e196e2fc80d9a8f3e4f09fd8e95e11f76c27f74f542c7
SSDEEP

24576:0xpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4GZ1mV06GY:kpy+VDi8rgHfX4GZsV06p

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	iplogger.org
4	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4540	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808647458556521"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe
4936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeAssignPrimaryTokenPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeLockMemoryPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeIncreaseQuotaPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeMachineAccountPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeTcbPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeSecurityPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeTakeOwnershipPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeLoadDriverPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeSystemProfilePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeSystemtimePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeProfSingleProcessPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeIncBasePriorityPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeCreatePagefilePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeCreatePermanentPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeBackupPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeRestorePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeShutdownPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeDebugPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeAuditPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeSystemEnvironmentPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeChangeNotifyPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeRemoteShutdownPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeUndockPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeSyncAgentPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeEnableDelegationPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeManageVolumePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeImpersonatePrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeCreateGlobalPrivilege	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: 31	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: 32	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: 33	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: 34	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: 35	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe
Token: SeCreatePagefilePrivilege	1620	chrome.exe
Token: SeShutdownPrivilege	1620	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe
1620	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3860	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe	82
PID 5048 wrote to memory of 3860	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe	82
PID 5048 wrote to memory of 3860	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe	82
PID 3860 wrote to memory of 4540	3860	cmd.exe	84
PID 3860 wrote to memory of 4540	3860	cmd.exe	84
PID 3860 wrote to memory of 4540	3860	cmd.exe	84
PID 5048 wrote to memory of 1620	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe	86
PID 5048 wrote to memory of 1620	5048	JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe	86
PID 1620 wrote to memory of 3668	1620	chrome.exe	87
PID 1620 wrote to memory of 3668	1620	chrome.exe	87
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3052	1620	chrome.exe	88
PID 1620 wrote to memory of 3212	1620	chrome.exe	89
PID 1620 wrote to memory of 3212	1620	chrome.exe	89
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90
PID 1620 wrote to memory of 3672	1620	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ba112d9fef4d22198141db8abc8c8eaf.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc0c6bcc40,0x7ffc0c6bcc4c,0x7ffc0c6bcc58
    3⤵
    PID:3668
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
    3⤵
    PID:3052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1608,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2124 /prefetch:3
    3⤵
    PID:3212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8
    3⤵
    PID:3672
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3140 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
    3⤵
    PID:4480
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3864 /prefetch:1
    3⤵
    PID:540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4532,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4368 /prefetch:8
    3⤵
    PID:4280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4904,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
    3⤵
    PID:4528
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5144,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:8
    3⤵
    PID:1520
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4720,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
    3⤵
    PID:2868
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5160,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5172 /prefetch:8
    3⤵
    PID:3968
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5360,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4668 /prefetch:2
    3⤵
    PID:4956
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4932,i,14202917000482942139,445674624259041102,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4924 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4936

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a2e8cf88ff4b4e0cbd19f36bd5b5660f

SHA1
bda7bf275ab8a9c37b9623e63807c7798ab970dd

SHA256
99820c28748b4f8823e0c39196e488e6bb3065b9cc3ddf91acdb2722dc257171

SHA512
2f9e6c761699c29cb827a3fba943e5f0a98c911ce6e4457c56191009a9de0e9d16f7ec59a3842311e43a3a3ea383fe22b7d6fe706ae7b97360cd26e8efdf23ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
84a13283a131ca27a594454c926efd25

SHA1
324ff8e2dbc37412df3e5cf1c49645646dcb2e45

SHA256
b053671530364fd978029213912089cfe7223941de172591a316db7c5efb0837

SHA512
05c32d4a33e9243290368bd25dca0b2d8971e4ef3448bd1de1fe6fd34b039a0030a4081159aaffc8a2be73b100aece75c1127158debe632af0792c08ff678522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
6560e7385c70c9b49c6fda93f663c3d9

SHA1
a59a6b12ea87a8f1d197e1fe31cd78d134aaf732

SHA256
a0e8bd8b14a0e9bbf6a485dba79d1a52097fb5a5d8038dda5de69716d2977d10

SHA512
ddbec97bd0a1d2c03e37108ca8c5aee5a6bae01616a85b69b76afea0ae5e5a8b007d03783a67ec9152b73d66021c64234e99271c624102c7f00482838d138f9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8caaa6fa327156e29c3a1ff08a08b1cc

SHA1
f03e29cc25dc22f1d4b89bd3cc1387fa30a12e2d

SHA256
32938abfff68eb3f99d3213ea631f83f228419fac539f4875eaff957b52603b4

SHA512
5a9f816bdb19b9e9e053c27f0abc7ed640feb9b192ffb0bf05fb0d38a75da4807d0ca8eec6cbec95bf608419cccc8ee08f86c5f214dfe1de34db55c1339997b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad65f2144606694c49cf0b71f5952644

SHA1
fe18fcb428e8854ac42928655cd2f5d8425141d9

SHA256
7c207194cba531a3556911054b3e9945e5484deed657c5ca0eb5d00cb5476c86

SHA512
05ef90766d00cc621faae4b7456b67b5a10750f9bc2810b2fac2ffe0f543f8dda728a590b49397c07fc11fe865a6817a56b704b936ba1ff1dee78ac734f6f8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39ef3d707f825cbdf13c8afd6ba0a4a5

SHA1
784e35b2ad5a067bfbe74d0449d2dd587ec8de2f

SHA256
2e7c6d16e189e966efd0c574eb3ea68fc56cb7a86d970e3e0cd55860d5f4db43

SHA512
26050b2fab4504cdc670ecf15a4f5bf466d6f1ae571e40be48438d988b0d7b24a72a7532c16cadcf07acb3e582c00f966b2004dc1e0772188b3c0185fe6ccac2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
803503283e7f144bbdf3cad3ec2c4db0

SHA1
8808ba512311a5b39f383171ffa56f8ff7eb1259

SHA256
b2704bf4b2e4a65bdcd526fbe9eafc622306f55db672348494946603b7f9d7d9

SHA512
ec1ac8bc2c7dc1626a7701c67321537f0c8a6d9ab39cb98c248277a9d1e35bab7f5cd624020ea2fb1d212fcc87dff27a22fe9b12ea59931b1302c801de41c07b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e9e27451dad9b2f0dd846449a5b2836

SHA1
113ed299c42714b4d2c7990c80fff30f04f12077

SHA256
ab91c436b518fbbc4695c9dfc05be0ede73e25695eaf4666219ef36833884433

SHA512
caf0928c5e38a80ed2710055dc07bb481f0e711e8971a26d5ef434e496c45277e465e74f7b91cbb438e5aaa0527efc58800790b4479b37da1be9d52a0360a587

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
ff7d487e375a1275e4d20bf0e1ee9358

SHA1
86abd4e97204cabfde2090250863a96f7f7f60be

SHA256
14b0a9d73e2e354a19227d5a4bfa32a440e9afe4adc932f66d855d7208d33d73

SHA512
22b9b02808db4399057455f2ee364f616983fe6c2346daa6b096be91b673f26b96a9ba6da4e5b93265315ee3bde480cc177ee253e64a00f4f687a342736ba211

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
161c8b6fb09575c573d3f168e9c58242

SHA1
3bce5b652c42f08dca63504b2334a5db520a50d5

SHA256
e40ea58b77a3484e443fc3145ddb454bdc5a14e5e6c42a18759696368d35caf2

SHA512
ca65419c190ab5c70d070192246af0941069bbd79b38a3183df7b308dbe21fd352cad2d331c7ec6ff3c7af7839ae3df4294933cac72039e77c60f67da2d5a779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a36b09c0c8dd9871fa2f7fc4ea559f97

SHA1
d9fd0fe420f04112fd362ba815469f75e6eb76f2

SHA256
d30c444f9b1414ab67b08954103d165d8d92b8dcfd484cb03d98e9f6879c93a7

SHA512
af833c65bd5da23351a9648f35c29a679f359da0aea8d8847998798b1d2a7cf038206897c9dc11097be26391281538b5b75ec8a46769e78a2f8620b300965c4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
f5edecf10c04694d966eeed821f8f6b0

SHA1
5aced7860d83a50a83c04820b80c2caaa77bee63

SHA256
872edfa37796140f21b7f347c4b8d3b3a5f0862389744978fad21049b096ba7f

SHA512
8d0e0087ef72c46cda7876006c16b25ab7c00114626cb37a3c8782fb04d2d3bff86d085ac9f29fd04c796a841303045b580771b5313617697cc639d970cf1636

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
da8420b57f9ec9f4bf88baefcf90cdad

SHA1
58aef281ccfc06806b664a2a21c3f7fbd0e7f136

SHA256
dc07bd62cb6c711cc6e28960e767352dade6f7295519ced977ce5e1ad44d3003

SHA512
845ddeb8c381f5a4b0714768e4e98365f25a6844caceb48fe13181dabb1183435f9426725dfd6ba77520b9b09d4a36cb2fa95f148f0b53ee5bf2bd3c3ebae82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1620_2089759460\03f0fb34-ae88-413a-81fc-1766d7879d8c.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1620_2089759460\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit