socelars | 82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1

Analysis

max time kernel
156s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Size

1.4MB
MD5

275ed964b4feb7d2d12053dd8eeecb7a
SHA1

8c33019c08529ce2868c7ed86a04a16c5046a718
SHA256

82d2e2a8529d4704d2eabfb845dc262234b73866819ef835e291c7f9818aa9b1
SHA512

8cc6c9912dbb6482b2481d8924d4dd17aa7765b40655f2cf946b930335ec0f62cab939158d13f89155ea3ce15d2e0eb3d712fb0fb74081be5756e3d893347246
SSDEEP

24576:dxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX32Z1qsa:npy+VDa8rtPvX32Z8s

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	iplogger.org
26	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4808	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133562046442444668"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
4868	chrome.exe
4868	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeTcbPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeSecurityPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeSystemtimePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeBackupPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeRestorePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeShutdownPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeDebugPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeAuditPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeUndockPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeManageVolumePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeImpersonatePrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: 31	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: 32	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: 33	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: 34	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: 35	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe
Token: SeCreatePagefilePrivilege	2536	chrome.exe
Token: SeShutdownPrivilege	2536	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe
2536	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 2732	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe	89
PID 4208 wrote to memory of 2732	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe	89
PID 4208 wrote to memory of 2732	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe	89
PID 2732 wrote to memory of 4808	2732	cmd.exe	91
PID 2732 wrote to memory of 4808	2732	cmd.exe	91
PID 2732 wrote to memory of 4808	2732	cmd.exe	91
PID 4208 wrote to memory of 2536	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe	96
PID 4208 wrote to memory of 2536	4208	275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe	96
PID 2536 wrote to memory of 2524	2536	chrome.exe	97
PID 2536 wrote to memory of 2524	2536	chrome.exe	97
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 3716	2536	chrome.exe	98
PID 2536 wrote to memory of 1360	2536	chrome.exe	99
PID 2536 wrote to memory of 1360	2536	chrome.exe	99
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100
PID 2536 wrote to memory of 1412	2536	chrome.exe	100

C:\Users\Admin\AppData\Local\Temp\275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\275ed964b4feb7d2d12053dd8eeecb7a_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffa38989758,0x7ffa38989768,0x7ffa38989778
    3⤵
    PID:2524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1660 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:2
    3⤵
    PID:3716
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:8
    3⤵
    PID:1360
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:8
    3⤵
    PID:1412
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:1
    3⤵
    PID:4552
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:1
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4712 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:1
    3⤵
    PID:4456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:8
    3⤵
    PID:4284
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5208 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:8
    3⤵
    PID:4776
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:8
    3⤵
    PID:4888
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4992 --field-trial-handle=1884,i,4517761732585977562,10070565218192888700,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4868

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
945B

MD5
850ddc8ab94b9f15994a75a53d1ee206

SHA1
5c04b2c63013eb70d87b66ef0462b09ca0ab7f5a

SHA256
9f2b9bd0869f7746ae3b182d82d3d92548ef29c09622daae4b26c20a09a46544

SHA512
a393f197eaf62ee3e48e73c05e3751909eff15b427f5f3f0d2dafee12743090a1d67454079d27208cc0492c67debc9fb4176fc91b02fdcbe1a357df43f6b6967

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
70e32f60569824cdf4b338024dfd476b

SHA1
e4cd359545f6c039f6481b6e917fee385de1b316

SHA256
2456f42561a6653c328c50bee01b5243645170ce38443c9b0d56f032ba19b48b

SHA512
f3e4d2e506d0396817942e5eb7a34e342c3ab89cc7e80540a435df2145822854d412bfad9b8b07e56d0283d9425e1cbaf2ffce7f0eccae8e0c2f78a4bf577b65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f0150643bb8c1f59b4b8d1c42eac1837

SHA1
7ae077ea94de852acdbad3eb207cadd0deb43533

SHA256
b7426e7ebccab26232be5819890129ef824357c65529dfd19943846f934543a8

SHA512
a35c177b071927bf6286772ebe8eb3598c546e23905282926c1578096f562706b9920c3eef8963fe3af52dd5e03ba0f46b74f728e48ed2fa3a4248e520728e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7cc56004e783ec487f610d753e15f015

SHA1
52a344f348ac1f0ef02fe2b6d87219d80f6a9d02

SHA256
972911851d101eef7dbe912485c2eafae6a11e80b6f220c9dde8ae11d525fa91

SHA512
b243262241535e278718f3eabf382866dff57b6c278922fdd6a81abf00880098efdf185adcc808aa335cb7a15319bead79990cca89c3dad5a2e145e0cde68003

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
9f01536830c3b2f17383bd899a0f4914

SHA1
9bed099daebe20dc68fcb6adfcc0ae20c79170b7

SHA256
4ad4ae8353ed7deaaadecdd3adc7ac5395e3fa68dc756d3ace985c3cd78ecdd2

SHA512
479d279765dc85703cecb0c55f0bff55a8afe40bbba581e6f53dae2d7698d85eed01c5aa1d40466439ddca472595fbb076f9c86e3799a91b912dd90d96c0b3e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
c22056362ba2aff0dd4c81dc64367a51

SHA1
509357154e1baef5a4d058b556781d577020db10

SHA256
5c9ef333b539a4fca415761cd66785e5ac20743b5883fa379e891ac929bf43ae

SHA512
09519882d3b22247b98e1c723fff39a9ed1cac6e1ecd92e2f23fd8c87e6f8fa92d609e506597a7ca12885c95ef407077c8417159e5940c8e2797280a7ca5bef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
08dadf3e49f8bd5668a9fa060678679e

SHA1
4853c83e99ae0b5c3fdb361dfcf34fa5dbf17104

SHA256
38eee2e4af9859532eff2f702b8bd1394f82ba74d9e74792183dc294676dbd80

SHA512
bd56d8c73971f4771e3b9a887efcb2a41e3ba6c19eabccbf4b3553a1fffc221a3469936c39886939c9387d0fde0040ef9bf8ec0eaf4c13e97ce67f374f1b9a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit