socelars | 19016f6046c546c36eecab64a02330915059a71931fb6ccc1ab057d4805ba7db

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Size

1.4MB
MD5

c447cdb7f9d41f5f754a696ffd1acc8c
SHA1

d4b47106964860921625a1ef8406cf2a6f69199d
SHA256

19016f6046c546c36eecab64a02330915059a71931fb6ccc1ab057d4805ba7db
SHA512

22415dd83fabde64033d5c8b7bd7da08b6b5683becc63cd214222b8580a36157bbd323a5a82edc62489198c6e7265d8d7c0b77e6ec09c70917c29e7daa25baef
SSDEEP

24576:CxpXPaR2J33o3S7P5zuHHOF2ahfehMHsGKzOYf8EEvX3fZ1Fsa:ipy+VDa8rtPvX3fZ/s

Score

10^/10

socelars spyware stealer

Malware Config

Signatures

Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

Processes:

c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hemlmgggokggmncimchkllhcjcaimcle\9.86.66_0\manifest.json	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
21	iplogger.org
22	iplogger.org

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

taskkill.exe

pid	Process
1752	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133567458052787244"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid	Process
856	chrome.exe
856	chrome.exe
4364	chrome.exe
4364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exetaskkill.exechrome.exe

description	pid	Process
Token: SeCreateTokenPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeTcbPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSecurityPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemtimePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeBackupPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeRestorePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeShutdownPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeDebugPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeAuditPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeUndockPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeManageVolumePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeImpersonatePrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 31	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 32	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 33	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 34	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: 35	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
Token: SeDebugPrivilege	1752	taskkill.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe
Token: SeCreatePagefilePrivilege	856	chrome.exe
Token: SeShutdownPrivilege	856	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

chrome.exe

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	Process
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe
856	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.execmd.exechrome.exe

description	pid	Process	procid_target
PID 3004 wrote to memory of 4800	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	89
PID 3004 wrote to memory of 4800	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	89
PID 3004 wrote to memory of 4800	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	89
PID 4800 wrote to memory of 1752	4800	cmd.exe	93
PID 4800 wrote to memory of 1752	4800	cmd.exe	93
PID 4800 wrote to memory of 1752	4800	cmd.exe	93
PID 3004 wrote to memory of 856	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	97
PID 3004 wrote to memory of 856	3004	c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe	97
PID 856 wrote to memory of 3836	856	chrome.exe	98
PID 856 wrote to memory of 3836	856	chrome.exe	98
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 2092	856	chrome.exe	99
PID 856 wrote to memory of 3732	856	chrome.exe	100
PID 856 wrote to memory of 3732	856	chrome.exe	100
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101
PID 856 wrote to memory of 3044	856	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c447cdb7f9d41f5f754a696ffd1acc8c_JaffaCakes118.exe"
1⤵
- Drops Chrome extension
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c taskkill /f /im chrome.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4800
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im chrome.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffdcea79758,0x7ffdcea79768,0x7ffdcea79778
    3⤵
    PID:3836
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1748 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:2
    3⤵
    PID:2092
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:8
    3⤵
    PID:3732
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:8
    3⤵
    PID:3044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3108 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:1
    3⤵
    PID:428
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3148 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:1
    3⤵
    PID:864
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4724 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:1
    3⤵
    PID:2152
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5088 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:8
    3⤵
    PID:1840
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5268 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:8
    3⤵
    PID:724
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:8
    3⤵
    PID:1752
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4948 --field-trial-handle=1884,i,4421327802915284909,14376912851638016353,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4364

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
945B

MD5
9541d32e780a19a528a8291aa6cb82f0

SHA1
bce4ecfc3529d9e34c30eb4cfd8ac20737f447fe

SHA256
c63b4cb33e362184a5f8b8afcdeee6f1dd96360eab9d7bda2a492bf9510dce01

SHA512
63042c750510207344ce9e659f7d7d0cbdfd7e3cd69fb4732eefdc849ebf65c650c5a20ad6073db4df110032129eb063d2562c6d04fefe69ebb78e3a027d47bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
8dd028b030a8b0f922390e3915c3f978

SHA1
0d6dc6e54ba325ca2ee99350023990e60cea469a

SHA256
ce27f688d9260c28fa4766be208d0ce8ac712422963a44923c02a40e45cb79cd

SHA512
bbc2cb862ca87873f680fed8169a663a1d7e9f50770040cc912a9b6244ee6c08084086639e9c814c7c6ecd83fe89acb96dbb232ac8e8390ab66df0e206823bec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0ca5283aa641f9c8edd8743b89c351ad

SHA1
f564b60b83754575bf766ff3620984dd5a94d091

SHA256
bb0c4578af363ad814d4e5df6ce9099da94adedf4e2b17be406c1983aa4ad0f7

SHA512
2b0b7a36acae1f0303bb865bf4d6dff168d0c995c518ee20c912946b21a251f32f858ce98a8deb5aea3c7ac4a419889eeb2b568b43df1bad91d4bf576b30e64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
da727b0b4ebcc2d648acdab89e20a88e

SHA1
f6fc123227de56c2632cf8733b62d651be40bf37

SHA256
6daf33b0a24027a815b122ace7ef7e7ebefff4e2ed28066bcc2e235136a02d22

SHA512
0e9d7b14aa3903289bd8f9418f18f27207f4b6e57fe82c6338934d9083c026512c10176c71c1719d4851b49f93f60b0220b204370f31dbe774efdbef75872155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
aa1bada652399d957eb02f497d1395f4

SHA1
ea2df85cf6762dea0aaabde557e126d9717981f8

SHA256
7f064b0ce9fae3ac007dfa9f0fbd86600afb995101014e08feaa22f03c77f00a

SHA512
70088fba717db8f965b9d285f7f6120c0cfd0f11648108b94940a797c23c1f831b3c33abe618a563eac21c9f3ae73ae1f44beeb966d11604a9fa1e5534067895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
811fb3aa5faa394600e9023029d00949

SHA1
e2a71eab126216ea00664f296d7c4937ced98c04

SHA256
cd38937d0738819412ab96c49009bcb3fb0548f069efc725b05fd1894d5a56e6

SHA512
06cc95cee3517fbe3f5ce3d922b5f74b25debe29cc75d78de5cbc6ab410771f53376bc277bab3c0e9cf4782884da10101ae41a3d2ce5966bbfc6cf571301a07e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
260KB

MD5
cc28bd20a1658d499ac8b0a7d5927227

SHA1
c8b389260df55b635f1c5b112432a1dae1ee10e8

SHA256
d9fefce68e46ba10730a64b9ea5212a70ecb22625ce0293ce049208ec2474cb1

SHA512
e537014b51582dd0731866844c04b459873c89ec578b3e055f67ff36f571ba16d6fd7838ed153dba6c4ae612ab563a9a61bd2d3b366cbdb1a5133b0905504c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
\??\pipe\crashpad_856_JEZMZIPBVJNSZGEC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit