socelars | 61c43e1819dd670f4c589aac171c43ff2af07a0fc07414b1af306472049152da

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Size

1.4MB
MD5

5e2811a1d2df600a913d82630286f395
SHA1

42114ac635c4e8e96dff26ce5a2eb7c5a51a1551
SHA256

61c43e1819dd670f4c589aac171c43ff2af07a0fc07414b1af306472049152da
SHA512

568b015c2c56a92d8aef1ec92f29ca85e568f2eb1f18fc68e64ff3e0c5887a689d89dba270439a2c8fa83bae8fb8c8e89ee0a792c9c7ed16ee34823602feb63a
SSDEEP

24576:axpXPaR2J33o3S7P5zuHHOF2CxfehMHsGKzOYCMEMfX4IZ10zjP8CAq:apy+VDi8rgHfX4IZGzjP8CAq

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
29	iplogger.org
30	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Drops file in System32 directory 2 IoCs

Processes:

chrome.exe

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
5108	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133659057752646439"	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

chrome.exechrome.exe

pid	Process
3460	chrome.exe
3460	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe
1436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5e2811a1d2df600a913d82630286f395_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeTcbPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeSecurityPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeBackupPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeRestorePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeShutdownPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeDebugPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeAuditPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeUndockPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: 31	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: 32	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: 33	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: 34	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: 35	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
Token: SeDebugPrivilege	5108	taskkill.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe
Token: SeCreatePagefilePrivilege	3460	chrome.exe
Token: SeShutdownPrivilege	3460	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe
3460	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5e2811a1d2df600a913d82630286f395_JaffaCakes118.execmd.exechrome.exe

description	pid	Process	procid_target
PID 2032 wrote to memory of 5044	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe	88
PID 2032 wrote to memory of 5044	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe	88
PID 2032 wrote to memory of 5044	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe	88
PID 5044 wrote to memory of 5108	5044	cmd.exe	90
PID 5044 wrote to memory of 5108	5044	cmd.exe	90
PID 5044 wrote to memory of 5108	5044	cmd.exe	90
PID 2032 wrote to memory of 3460	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe	95
PID 2032 wrote to memory of 3460	2032	5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe	95
PID 3460 wrote to memory of 3948	3460	chrome.exe	96
PID 3460 wrote to memory of 3948	3460	chrome.exe	96
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 4396	3460	chrome.exe	98
PID 3460 wrote to memory of 1748	3460	chrome.exe	99
PID 3460 wrote to memory of 1748	3460	chrome.exe	99
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100
PID 3460 wrote to memory of 1180	3460	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e2811a1d2df600a913d82630286f395_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3460
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8f7bbcc40,0x7ff8f7bbcc4c,0x7ff8f7bbcc58
    3⤵
    PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1888 /prefetch:2
    3⤵
    PID:4396
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2132,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2144 /prefetch:3
    3⤵
    PID:1748
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2268,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2460 /prefetch:8
    3⤵
    PID:1180
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3104,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3120 /prefetch:1
    3⤵
    PID:4596
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4564 /prefetch:1
    3⤵
    PID:3348
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4588,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:1100
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4516,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4456 /prefetch:8
    3⤵
    PID:2656
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4692,i,3908572477476554537,7210966869135922641,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4956 /prefetch:8
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:1436

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2584

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6277314a4cd32c4f8a7fe9c4f006749b

SHA1
f3d6651e066928f0dfc68601002816b6808fddb3

SHA256
b09510d5cf836791089f4516e4f108116b973a32dcf904d837b5c967cc53f806

SHA512
1690b488e2482a8c3f18816b4b1cb2ccee1bad94f07b73b958d76ff138de5f06c9de36d505671936b215338b3e4e483d4e6ed484539cca9fbc3f1a60fe46d71e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e6205548f8342adfdee39402c25b4766

SHA1
d73394c51822f99bd651cecebfb0bfc9139272da

SHA256
678418b2526a7bedf7d5eb9686baadde0cbf2359c8756c987acabd9e78d78b34

SHA512
6901e6e50c7ae6af6b64625fb9ea05172f4f02f0b245080b7fb3ef6442af82426a9f80902eac00c9a8b194e9004679884edb035fc60aa8f15c230ab73229b741

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1d92139cdc1dabe5083439954021ab8e

SHA1
6c993ba1999e076b9304d3cc778a4c7a07aa67b2

SHA256
fd0153fdb9dbb8351739b24a9eff4f03b66dc2229ee57e3ba4fcde7e70e17194

SHA512
3075257163e924390e06e76dfbd6cbfc5dff26cafd349f12aa141bf05d237d19d0582adf1a9090a17e54c2343f2f471a14645280871d916f99ed0ec030647522

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
86623e14692406ade5c738ffbba5de81

SHA1
9596f942522722f0cfc62246635d47342138da0b

SHA256
2d674c5f8a2e35e542f561f799a03a96acbc8f17e529d1d38d089bbb2556dc3b

SHA512
6fc384892aa2c76b8a8981c059e0d9bc899016e338ec95ba4d06190431a383d46e9e4ccc7a261b5ad26dcf920ab3df589dce0feb9eb590cf409211db08eb7bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1f10248934528927639fa17e60ed36ff

SHA1
0c0fc34805e47f61a22ab2ff78249ec1f183b39e

SHA256
ec120420f7ae9eaf1489e20364f31b0ddcd29f71781acb4f239f7a29c7b0f706

SHA512
d4406b43cc01d82c61d236617b0deff50622f89634396e9552a0c15d092480adbb8aba83ed6ea6f336b13cf3129619f884983e8f77302be3586649590086550d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e29970146fc355bf09cb9e8aaf1d8750

SHA1
a178b98a1c731d047c94a7019d3f27c1d92645f0

SHA256
aa45cd97eee9ac5865558213c5a6f1c788cb0f735b845162bc90ece612d60a8e

SHA512
f526174b25bcf92da1f2a571ee688c3a58b8ec48d469f3c9c1476f39a87d30c2728cb60558ffcbc0a8808bd799a001a06827e3768f67fb316893a768824eddb8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fca4d342af6169999ea01c8473769315

SHA1
801b3de8fbeb7e5355d3cc5c995bf20b9c4a1a30

SHA256
7377af7f4ec76ad14477fd7f1247ef8197fd21ea9f1c318cc1d4e6fb2ce88acc

SHA512
da644de322d9ecbb0b1e501e37bf2b0c48b52532c516895b9fe78336a6165f9adfc0440e4963d3f29021833ced4f45a183433c84ef694a1708481580e025dbb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ef7f1d68d81ad27309d9ce5c10e89344

SHA1
31554e2be5b464f64215a5ab9a5a672cfa42e803

SHA256
9a308c9258616f0088cdc79663130ce094ea3a1563058fd74e6bdfc861153e75

SHA512
287d4b2e022f7e31d2f31a59fc5cc9e33cbe83bf5f38d58fa51fd1534f22bc1f682c86df49733d6b1228cd3caeb3e02f2c24fce0c51febe73394b322722d33e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
952b7ac36756d220231bbad14e20b5a8

SHA1
b723b04a640224f5a69be0f691b784c4297284fb

SHA256
6c0ecc6c12c563aa5977e0af1fd8bdb724002193a7386abb4a09a2dac91400da

SHA512
c4c9f57ea3a8141fac4a6ebeb56b61400bb261d637d82ccd1d9265f6236833899c15a5f114dcb523e6d6454e885f2d5ad9f085fbeb8b7a40ea6abcf669407204

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
19KB

MD5
57df2c2e03b19866ce5d170d1812f6bb

SHA1
38d5bc337e245bca45c75305301272400316c7a4

SHA256
4d2cf7b6b45351d4064fbd2031c131451f56ce8ec39a9ed6e0dbfbdd471de0d7

SHA512
3e9c08b7f24d00191939ab1dfeedb003e634b05b7b085975624cb4dfa38939d7abfd26f446206a1d2593aaca05189015a30226823a44bc3d5b8c48887adb0706

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
01c444ea33504556f7b56fbaa6343c81

SHA1
924dc44be61b481774cdf9da38e5b238fd66400f

SHA256
a2c90dc6aa7005075728d2e817cb1d5e90536aff87178d8c6457a106e81b4fc3

SHA512
eeb4045f4924c82d7ddbac2316a20cb4a3372486209428169015bfc23677e0dfe73e112aefe014470e16928cc2c85ed1ae78a74d41d419f7aeb97a42e3124cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
1765c531ccac9a03d3b5e64209f33e69

SHA1
1373b5b92e4090648628d013776a2a223e80b8ef

SHA256
49839c3ee0c8b4ac48590e77d453892fe4df06bd8bd0037418e2b78cd1ecfbc0

SHA512
9aac47ddcfb3d515d5ff6917881fbd38388a89a6e279b612b0414fefe464e4d4e8b73b464cc4573f655a7eef63d7338d82b053be2a12414e921935ae3c7fcccc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
abecf75180b45264f0320e39e928765a

SHA1
a74e1f6bfd809d88ff53abd9b214239e4c515ed7

SHA256
5df89940dfa9126fd1c43f233842b844676196cfc89739dae2f48f7f71eae3e5

SHA512
5217f94645a6ec67f385406d72bcda1c84f428335e97f02df572fd00246af0016273c0a465aca3c749b7f81ce4fdfed6dd678cbe60f7dc1e3dff1dc8479e2461

Download Submit
\??\pipe\crashpad_3460_VVBJOPGGCOZXVGGW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit