socelars | ae0f20124bf7ef06bf7eb4de7243ef4cf08b6523b791547c5f9f106f565b4366

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 19:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Size

1.4MB
MD5

c048209154042d9ff5514cfd008df4bd
SHA1

a51cfe496eeacc2cdc18a5bee96e0103a7814853
SHA256

ae0f20124bf7ef06bf7eb4de7243ef4cf08b6523b791547c5f9f106f565b4366
SHA512

be5cbf56f665ec84ba38db38981892ac96f9cce3151ed1fe484a8ea1a5c67898c3b2c0e9a58baa0dd085ceccb973065cbb33050e6e4c0d4b31814e63ed6dccd7
SSDEEP

24576:PxpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX43Z1oI:5py+VDi8rgHfX43Z2I

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

30 iplogger.org
28 iplogger.org
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
30	iplogger.org
28	iplogger.org

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1404 taskkill.exe

pid	process
1404	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133567310592336489"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid process

5036 chrome.exe
5036 chrome.exe
5036 chrome.exe
5036 chrome.exe
5748 chrome.exe
5748 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

5036 chrome.exe
5036 chrome.exe
5036 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	process
Token: SeCreateTokenPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeTcbPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeSecurityPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeSystemtimePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeBackupPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeRestorePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeShutdownPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeDebugPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeAuditPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeUndockPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeManageVolumePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeImpersonatePrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: 31	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: 32	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: 33	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: 34	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: 35	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
Token: SeDebugPrivilege	1404	taskkill.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c048209154042d9ff5514cfd008df4bd_JaffaCakes118.execmd.exechrome.exe

description	pid	process	target process
PID 1884 wrote to memory of 3076	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 3076	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe	cmd.exe
PID 1884 wrote to memory of 3076	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe	cmd.exe
PID 3076 wrote to memory of 1404	3076	cmd.exe	taskkill.exe
PID 3076 wrote to memory of 1404	3076	cmd.exe	taskkill.exe
PID 3076 wrote to memory of 1404	3076	cmd.exe	taskkill.exe
PID 1884 wrote to memory of 5036	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe	chrome.exe
PID 1884 wrote to memory of 5036	1884	c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe	chrome.exe
PID 5036 wrote to memory of 3108	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 3108	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 640	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1032	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1032	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2972	5036	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c048209154042d9ff5514cfd008df4bd_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:3076

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc41439758,0x7ffc41439768,0x7ffc41439778
3⤵
PID:3108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1716 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:2
3⤵
PID:640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2216 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:2972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3032 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:1
3⤵
PID:1228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3052 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:1
3⤵
PID:2420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:1
3⤵
PID:5208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:5464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:5544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:5588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5412 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:8
3⤵
PID:1992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1816,i,11449100698980021182,14627889987637717674,131072 /prefetch:2
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5748

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4084 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8
1⤵
PID:5508

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
b06e17124f77bc1fc80ff1b72fdfd0d2

SHA1
8293c5c8d3cddf8ff67da289abfbd47b44ceb949

SHA256
99e9c28c273722861aef7a378c7ef51b319e22c99cefe42f7ff3c61602b2599e

SHA512
bb504b72ad0a404e7183adae4cedada459cca4681696a061737bc0822edd5694f7efba6b4b4fb94dec291b4a3395b32dce0ce4c24e9dcd1d131e712669283b29

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
371B

MD5
cfa1cecabc0466754ec1254287ca8be0

SHA1
eca619c619e00b2df644da26c7da32879f33d738

SHA256
2ad62f2d60eeb9436e897e328064ff9f878a969c6f2a462da0dad583dc26f228

SHA512
a8fdcfb2a1f32f5ee029fe84b5627ff25fe94e5aa20c804c34f063aaa7af4c99529f8dbb51dff49ea5455033673f98086f66e669d323578dd76e59b8ba1c6bce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
7541668d263134bb407b328113f432d9

SHA1
6c945c02055e15ae81f5e87fb9c2010126722dd8

SHA256
2c203bc4293dbc9b207001e59d3c58cf4b3def11c33ee248d4f14686e281d1e5

SHA512
4e056222bff20f1890927996eb7a5862172cab914aacb38cd510a463c4c586c7dddcbc3ce33bad528da847c81899d3449159c46ce30efa3dd246dca7351a4ac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
76b31fe5292f0bda14bac3ae8a67e0f5

SHA1
79185accb7fcda631612015b4061ece49dd466b2

SHA256
36e5b82d20560c8258a5980734788dd7b705f427573680c7793ba2f02691f7f3

SHA512
a3e85035b888b32ca10bf21b0b0d359c7de1dee8452695242d659803c5a6fbe5aedb9d51934b76ca02d307c77100b853a22d9893bb39dde1d850b4cd0631ce30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
c5fda1d5a91d3a1b434c189796004748

SHA1
94395a6d12972eeb5c0abc9d2824b0a0011c7e41

SHA256
649b8bb32d88fd5a8257c4e3449fe5f75729e79e899b74748230525cd2e52f1e

SHA512
6bb4feca1ce223632d55bd6890c2947edbedc21abe05e27a5c2347aecb4cb8cff92ac983e01ca1ff99b52653e940f44ad73040d6e1d87d2f746d17b3bf7c2f43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
18KB

MD5
357c5b2492215451902c53c9ec3184f3

SHA1
5c6fd2163e8f44b8bf877b26a87c586a39b44dae

SHA256
f997874c45fca97e16d2cb743e42a7fcc9446d94410f6723e4e324bc72b580c7

SHA512
fdf7f86df128844d099cf33153176337ee940c0e7df6c56a98b07c6c924c132931efe2f488ac8149bdc5298901133867c66a68856b5920b106afe599719d5a42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
268KB

MD5
51fb773d3bdc8d5948a78baac922a961

SHA1
9df13e4bfc86b2cdc06d7013a87683de92cf5ba4

SHA256
14e6ab9ae9d18eecc69a61211a5843aa3314379590d8bf8e20ee6149c98cc42d

SHA512
3a82e61ba28a7f8508b3e5e7440101920cdd05cd3e1eb1a0d24d042e553cb45382893bae1d46f7531634bf62a4737f69a204229a67cc61b1e2bc4f93fdf6ccfa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
136KB

MD5
9629e90fdbd93507911d164634095ca7

SHA1
2faed51743dbc39daa6c790d4ea6c0ad13fda7b1

SHA256
8e0610782537eac6472fcaebc9151ea66b7b2b09a426f3aa506106560b08ea87

SHA512
cdced1f0a9d6352f527b598dc7d16138ae0968aa0e06daf0d7bd86dce42ac25aad0dafb9876aad5918ef2f5ad90a7c46507997f4aebe335c3bb07e9a86f93c97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
bed57651e40b9969701675b621a518c1

SHA1
ba3860527217f9aaa05c7a56b687483da44d6dde

SHA256
fda8a24349c839c454a1f9a5b4fb7d8f695818f31d516e3f4ce9a13355ed2c3b

SHA512
d31ba877788b92491909b12dcebb87effb8babaa42b9e2fdb8e4417f2998e8e7e7780acf343420f279791a2d2a95b61966d2e9da39fcb2e4f2a8e4cc826667b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e0e1c61e-c5d2-4b40-a16f-fd1905002ef9.tmp
Filesize
288KB

MD5
f63ab9eb0120be68c8cb2f63e15d01cd

SHA1
356b49c14af9830e98ece3cc16500866831308ba

SHA256
be31d07f91a3a9aa9d17465fb39b467972c513374c16d829d48265cc1f78f57a

SHA512
a92b303f24741412523f475a1428d9145c3149f2a54f8f42bd3ae2ffa5165ce52ab1c1099c13d25814cf8af11d9bf29809b841c449bd537ba3ff9bc37c3740e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_5036_CAGCTDYUEUNIOYZI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit