socelars | 4bc4dff91705c7d4494daf2cade0d36f6242bcef6764d8487192fec9469b5299

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-03-2024 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Size

1.4MB
MD5

35766b49005d9d0de409bdcf237f3ba5
SHA1

0a20107a5512f7d6625db2794b2db0b504a281a0
SHA256

4bc4dff91705c7d4494daf2cade0d36f6242bcef6764d8487192fec9469b5299
SHA512

cafebb21d033c5001aae24c7ffc921039692e3ba538c3efce101e51a9a3c3c940f86c97f40e99b8e6979f439c418160cf4889a6551a2fb80439b4818e5be014c
SSDEEP

24576:ZxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3jZ10m:jpy+VDa8rtPvX3jZym

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
17	iplogger.org
20	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1616	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133562524533166629"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
3948	chrome.exe
3948	chrome.exe
3764	chrome.exe
3764	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeTcbPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeSecurityPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeSystemtimePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeBackupPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeRestorePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeShutdownPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeDebugPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeAuditPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeUndockPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeManageVolumePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeImpersonatePrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: 31	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: 32	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: 33	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: 34	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: 35	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
Token: SeDebugPrivilege	1616	taskkill.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe
Token: SeCreatePagefilePrivilege	3948	chrome.exe
Token: SeShutdownPrivilege	3948	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe
3948	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.execmd.exechrome.exe

description	pid	Process	procid_target
PID 5000 wrote to memory of 3100	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe	89
PID 5000 wrote to memory of 3100	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe	89
PID 5000 wrote to memory of 3100	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe	89
PID 3100 wrote to memory of 1616	3100	cmd.exe	91
PID 3100 wrote to memory of 1616	3100	cmd.exe	91
PID 3100 wrote to memory of 1616	3100	cmd.exe	91
PID 5000 wrote to memory of 3948	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe	97
PID 5000 wrote to memory of 3948	5000	35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe	97
PID 3948 wrote to memory of 4900	3948	chrome.exe	98
PID 3948 wrote to memory of 4900	3948	chrome.exe	98
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 4592	3948	chrome.exe	99
PID 3948 wrote to memory of 1988	3948	chrome.exe	100
PID 3948 wrote to memory of 1988	3948	chrome.exe	100
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101
PID 3948 wrote to memory of 4244	3948	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35766b49005d9d0de409bdcf237f3ba5_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7fffb2f69758,0x7fffb2f69768,0x7fffb2f69778
    3⤵
    PID:4900
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1732 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:2
    3⤵
    PID:4592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:8
    3⤵
    PID:1988
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:8
    3⤵
    PID:4244
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3036 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:1
    3⤵
    PID:3584
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3044 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:1
    3⤵
    PID:1064
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4132 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:1
    3⤵
    PID:1448
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:8
    3⤵
    PID:2280
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:8
    3⤵
    PID:1372
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5232 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:8
    3⤵
    PID:4536
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2788 --field-trial-handle=1712,i,9984795205962001765,10145425499219577566,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
944B

MD5
cac95e828eca0aaca5fd99557fa6862d

SHA1
c25f52f46c99290ad2a6110c50f295a8b22d2874

SHA256
9a9e00c708190812a5a51102ad0ade43485b809210a27af80182f7ef41243c17

SHA512
3e15c2be2413175293190c3326cd46c2c97faace01a8e1db69d3a42a2506bb55f31cda1391c20d94b5c7ef50fb66763d753d74d06587dc615f74354610b801e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
e6d06b074b605fdafda2502eeec59487

SHA1
60e4a9eb5517d127419ab6c6e25158107e7730c8

SHA256
3d63731afde832332c0644c73fce8204cec14825e656d17f1343739decb377af

SHA512
21391aacb54409600aa122d03e0a2a878c3192ba71b211e974a9598d16ab48560a4db7dac8b4b3046b4afed9ada1f76094a704b99e2d86da32a3da90fa84485e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9c6f61a89bb585f5c9a3beafef5f0af9

SHA1
b8566ab2fa4c9bbf29db19d6ed8703db7b1da93d

SHA256
a252f05d47b9e8fa85a406ec86267562967aa0fc17e20c15809bc1e79b886467

SHA512
93f828adb288e24d691269db16bc7628fe8f249902764f97254828dc485df6a98908f840be689f68acde0bd6fa9046883e97264c8c80b2c9ce98df601b4f2764

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b41b878ad18271b7c6459cce95a58d55

SHA1
167b92644d7f53865cdb03f47151ccbafeaafffe

SHA256
56548b70e4125fccac7aa3b0c18e7d0d57a114fd0800e292060d48cd7d82ec95

SHA512
c7891a6cffc3c7c3a58c9afb15b743b2bbc99f1718d3dff6fec9f0c8f3a70711185307ecdd2e80dff41fb0179ea211c4c86fa8343c8974d0ce1fd36745416cea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
18098f9af37479b18dd716457e44fe15

SHA1
fc0078c2df5f6cdfdf87a14d0554a776ed93aadb

SHA256
eb1b74ffc521e9066402f94ca12578e43386bc4595987498240c3bbd38c3652f

SHA512
4b8dad594f810ab8332a9ae52ded6d484e9420a398e05cfdec60a7fc3cbb163b71dda2ab72a08adb3206b46eb916caf08f7f326c60bdba1b4edbd13e01012c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
60747f43671c46689cf6710e3cac6dbf

SHA1
54eefcc4dfa8a3974a1df81ab585b2f8c5ae4b8c

SHA256
067de643736cd98fb143d4fd800c87189b7d903f91fd9d08776fdff8f8921201

SHA512
6c057ce121855a3c0493304fa27fc931af6863d90883d8b799b8e35e163a46680ec796179dd699b6bef936780d1461fd98331810f3ce0299b4fd2f125f825b52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
bc28a20cca4205b9482a3c2425607800

SHA1
9063828b341a90a901c55a967d4ded9097b18ce8

SHA256
9a94b32211f4220593cd1f4f94619d0be859ee6db8a6b5e2eed5fcf69d3d6b6d

SHA512
195d0162e29fcf0485bc632604665a98bff2577b06b73831c73f0b4665b023d53b584fd1baf7f965bad57ee79aa9b61901170b7a1e81511792cb9b463c5e24b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_3948_NIDUNGHWETBZPGUY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit