socelars | ba654b1af0f5bde386b187968d1976d9027591dd63ed4c16caad121b21b6fe42

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/01/2025, 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Size

1.5MB
MD5

c05dc38b9c685a25d4f3af38f020e922
SHA1

e3c4a3a2151e4029e67d18d702e6db4c6e5f00a9
SHA256

ba654b1af0f5bde386b187968d1976d9027591dd63ed4c16caad121b21b6fe42
SHA512

e2e0a975a5d5f754c6c3abad60be5f322aa9b7682e4856ee70fa72d69b630697056fc83c98ce935ef40d82f5e24ce94a624503e56910f3a898f6ac10c9f17784
SSDEEP

24576:nxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3tZ1n106GY:xpy+VDa8rtPvX3tZd106p

Score

10^/10

socelars discovery spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Socelars family
socelars
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	iplogger.org
4	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2984	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133808754132605456"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1380	chrome.exe
1380	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe
1880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeAssignPrimaryTokenPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeLockMemoryPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeIncreaseQuotaPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeMachineAccountPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeTcbPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeSecurityPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeTakeOwnershipPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeLoadDriverPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeSystemProfilePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeSystemtimePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeProfSingleProcessPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeIncBasePriorityPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeCreatePagefilePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeCreatePermanentPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeBackupPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeRestorePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeShutdownPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeDebugPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeAuditPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeSystemEnvironmentPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeChangeNotifyPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeRemoteShutdownPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeUndockPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeSyncAgentPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeEnableDelegationPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeManageVolumePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeImpersonatePrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeCreateGlobalPrivilege	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: 31	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: 32	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: 33	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: 34	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: 35	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeCreatePagefilePrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3512 wrote to memory of 4568	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe	82
PID 3512 wrote to memory of 4568	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe	82
PID 3512 wrote to memory of 4568	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe	82
PID 4568 wrote to memory of 2984	4568	cmd.exe	84
PID 4568 wrote to memory of 2984	4568	cmd.exe	84
PID 4568 wrote to memory of 2984	4568	cmd.exe	84
PID 3512 wrote to memory of 1380	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe	86
PID 3512 wrote to memory of 1380	3512	JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe	86
PID 1380 wrote to memory of 1884	1380	chrome.exe	87
PID 1380 wrote to memory of 1884	1380	chrome.exe	87
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2576	1380	chrome.exe	88
PID 1380 wrote to memory of 2972	1380	chrome.exe	89
PID 1380 wrote to memory of 2972	1380	chrome.exe	89
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90
PID 1380 wrote to memory of 4680	1380	chrome.exe	90

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c05dc38b9c685a25d4f3af38f020e922.exe"
1⤵
- Drops Chrome extension
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4568
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb48b4cc40,0x7ffb48b4cc4c,0x7ffb48b4cc58
    3⤵
    PID:1884
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1940,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1936 /prefetch:2
    3⤵
    PID:2576
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1888,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1996 /prefetch:3
    3⤵
    PID:2972
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
    3⤵
    PID:4680
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
    3⤵
    PID:2516
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3188,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
    3⤵
    PID:4076
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3692,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3668 /prefetch:1
    3⤵
    PID:2064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
    3⤵
    PID:316
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5024,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5032 /prefetch:8
    3⤵
    PID:4556
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8
    3⤵
    PID:2440
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5192,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5200 /prefetch:8
    3⤵
    PID:1072
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4860,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
    3⤵
    PID:3588
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5216,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:1992
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5572,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5500 /prefetch:2
    3⤵
    PID:3272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5444,i,120945249022612051,4559340591862009189,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1880

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b6f87170568714f21d64bbcc59605e2f

SHA1
dd2895515ce1646965439812eb08100ec0fdeb57

SHA256
2dec4bedbaf80f7dba8996467a1b4ca690e142aa58c5a176a7a0eff88dac9b50

SHA512
ded0c349d9d89c066105960370a97a1d90a62fe9cca37c574f999de36f29dec3e725ff48e5948af5171e5f81479da39ecc3722ee44aedfc3ef03b72b20ca3eea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b75bc2672198a1a95243938b98ffc6b0

SHA1
7c23cbb46458626f70532d8749a3539b29501022

SHA256
f4fe6ab7566e94a0d2b47f15ce6336697167f40b821b136317326e6515b0dff5

SHA512
6beee449464f2ceac1691ca1e223d52af8368a29c3430f61dbb06542eeebb581c8b0cd75d9d0078ea8fd63a2a09e13642d8f8696138cea6e95c8df3d132c45ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0252858b7720ea8bfa37be75b833ab83

SHA1
21776af4e24f396d60e6f0e51bc0cbfa2c7a64ce

SHA256
4e721117c656c1098d763d6816c7bcfb44684bf02d94b9e6f8d1babb2536fb35

SHA512
4d43ea7544905eef7f22f81835c8770b28e9f5525ca27c4948ff40f11b76afec90982dcfca652b9e22b1f92cbde5080019dfbb8c36c67a0b78fcf69b32793c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fa0fd6ed3040d7c4f51830a8d241261a

SHA1
f5e4ba52dfd6dc7bcd98d74626fb11ffde6e964b

SHA256
1dd68d52cc6f8b881bf7a9be10d9035eb2cb594d94ebdaced850ac9c5195f46f

SHA512
e223a8b5988d597b223f6c5bfc551b8a5a48942207ee453fa52883099e8e306ff91480be2c05672ca9d093eb7a8286e2b71cc66e521bf87f830395dd34df475c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9dac2f0d8830c4eb4739050d660c43c5

SHA1
dab3fbae8d93c191e2c9085f6db38538a5e34fbe

SHA256
52d3aaa29bc0ad083f392ff1b06142c53b15cdab64486405b841f1af4a887504

SHA512
a4fdbc564465ca19ea8c15abbe85ddfcaaec564e731847f749e053903420c35ee84f6b1080a9c724152fa19412fae23e177dd7a4f981271eaabb28020be56f11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0d24e06c1e306870ce0c6984c60ee67

SHA1
c2795f112b2f98820d0fee84f0f0bc08697c46aa

SHA256
85fe2c4c2c0e3f0b884ad8f9c6b569e34e09d93bb1ae89645a4db4b40de8b7b5

SHA512
2b295b2f46054e463cccc989680f8e594c59d8a21b2e10e82fe426df52eac931b6626b32ab8d4c88026e4954914954717dd059c91c57e836d7474c16454eba61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
10f3fa451c7d0fc238b68b42c793f97e

SHA1
6f256cd4cbfa9ac2eed7d626990200c6471ef2cc

SHA256
c2fa04de98f9216167f080ce0e76d44e80a86e90fb587bbc64581fa7ae0e5fff

SHA512
daca7dacb0be51440cb27ef7c2429ca093ee555d15f00836df8aef0463da120565be6899f8489b7104127b4ec61977859a3faf180b84566546b14a685882dbd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6a054be5cb35509501e1a462f34eba3

SHA1
a5c144df3ce79aeed59a86ed52529151cfd1fea4

SHA256
3923b5091e8977602603416ec45ccb6a82e64686d556cb87b368755a20b90d1d

SHA512
50dcd126e955ebf42f492ed621fed2cdc132eeab57220032de6378c1cb14b21dae739c1792e0f96b1860eb645a24b43854f2347972e03086d4c7c6636358d715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
128225f5ab078012779112a7549f27f8

SHA1
a2218dad4b74535572129ee01c4534d22716b284

SHA256
3eade4ca5904ed89c0fc18725d9ac2d2f7dae69101acfb0809d6d5de0788ae03

SHA512
2dabbc5defcfabec8f9e9ae1d0b509ff76485b3e363d72fc635c597fec1f16e363097f056e7fb235cce8513bf1a373f36d37b092e80bd0307a6c5b368e17cfce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6b3aa6afea57dcb9efadd4b7544c28e

SHA1
3cb12e2e38ad1c8eef6aa66697e6035ebfef065e

SHA256
60e8a01833a040b47204ae54c6f1a94994c2223fb2e68796e3d6a1eb4437e90a

SHA512
468bc6701c0dc6c466d6b316fae6c91613727e95e132cfcae41acac56e5d025a46cba6e18e9fd6bc1bc3bd04ef5842cf24e29ca218902696dd47320512dff9fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e8a04ec0d55c643201541986f8ce82f6

SHA1
ba0a3c11d666340796831841b96fb33907a28f42

SHA256
2b01eae7f9b715c18b96a0ebf27d60f54ec1db779ee743b24bd6038fb3773d1f

SHA512
f52c968efa1aab492e0aa02f65cbb7d998b2d3fd0b6127042bc7888b92e625a96d485549b0ce4e2a7e553591f5fe50eadc9fe9b74cd98191dd18c29a36d0e0e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
e91ced5f958aa07e915c882af4a86b08

SHA1
959cc2d5395f88a160a4e20f7d03c4add8599d11

SHA256
7e9ccc03b5a43973e9c4657e446c18c34f468aaafc007fb40da30a14a4f6729e

SHA512
a1c620baa0879f68a05014ea201b35264fc50728ad68506a142840021b5f3cb4138428f78a4e2b3ee42cfeae013f0ebf01d2495b295fefffbd4a82ca3e3807fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
605b50d3a433c4ce3111c0aed99efc71

SHA1
bd1852cdfe9282965cf68ecaedcaa1a880e44f63

SHA256
4d461bbc08f1710b05723f7cf0499d483013c3bae2efc8415b25fed4dc8f8396

SHA512
dea6a503a52c3d459e04963687cc18ad59fd103b1c0decdf4f834974e714fce524267452669e9b4b892ea7b1a26e1c2624a1f92c1d0bfad60aec8b7a5bcbb21e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
194732b40cba97e629fb361b6c536362

SHA1
b2a7278f63d59ccf59dbe51528983fd00cd87e90

SHA256
455bca5b82579ef9187d5da9fa62a277c33a740b4401a988ee998fbbf100be7f

SHA512
e1115ec4342c89914f8f1db5eae9fb7cdfbf1edee4e4ed41a255d91b6f91a5000b118014e475df01eb0fb21c5e67790ee22aab2ce0cce9df53832ee89662f5d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
01f39e35951a2f3eb7096f0e41aeca44

SHA1
705209e0903aa63bec52ce6cb2b0230d0a33e0d0

SHA256
a4ee35429cfc10cab4b4031924e4636603aec728b5277a87cf53f66d066bdef1

SHA512
b4335d7da86bfbbb505a655e034dbf2f51af039230dd4e8ee87d3857e7a6f4f09d59f2c7f98089419915dc5610f0f29b505b73da756a32b5ae8c8e0fd01e96d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
a6d7d4585cc369a044e69b7bdd689436

SHA1
2349676b40c054dcd8f6cfd2f38b2efb14e6d4ad

SHA256
a580ba1cbc31442095f6b0472014ad89ecc8c19d8e01708f72815dfdcc30ffbc

SHA512
008ca6a145206d3dafda63fc5ac7e9972db9a2bec51a7c2c9a9baf508a5a118e70eaabdb1884303cd08da539f92698009dcf78ac1feaa6b07b677b9ae88bfa23

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1380_454630841\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1380_454630841\ae9eaafc-cf78-47f5-a862-c9e5185515d4.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit