blackmatter | hxxps://bazaar[.]abuse[.]ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/

Analysis

max time kernel
1157s
max time network
731s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/

Score

10^/10

blackmatter lockbit discovery ransomware

Malware Config

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe	family_lockbit

Executes dropped EXE 1 IoCs

Processes:

a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

pid process

1348 a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
1348	a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133715165119349779"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings chrome.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2812 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4296 chrome.exe
4296 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4296 chrome.exe
4296 chrome.exe
4296 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe
Token: SeShutdownPrivilege	4296	chrome.exe
Token: SeCreatePagefilePrivilege	4296	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe7zG.exe

pid	process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
1692	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe
4296	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

EXCEL.EXE

pid	process
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE
2812	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4296 wrote to memory of 3024	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 3024	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 2416	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 4480	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 4480	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe
PID 4296 wrote to memory of 748	4296	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82b12cc40,0x7ff82b12cc4c,0x7ff82b12cc58
  2⤵
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2140,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2284 /prefetch:8
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4496,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4788,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3788,i,12739324437157414451,4937378179832340182,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3276 /prefetch:8
  2⤵
  PID:2080

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15676:190:7zEvent17927
1⤵
- Suspicious use of FindShellTrayWindow
PID:1692

C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe
"C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1348

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\ApproveAdd.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b1a0d8e98b1b968de6a2a090ad60f3e6

SHA1
f36cb43ddaecb1d7862b028f29be3e6244314ee8

SHA256
a542c0e1dc2cc0a19c544fdca63d9b1ccef0c3246c07f68cdaa535246389a5a0

SHA512
270d14589dc5f229f6447a61bdfcd59a4b9244c9411bd2a14044544804a594a3560c8b8431eccf19eb21740a2bb227e0bbc4a3b65d8967e61ff6e9b5142f8a3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
2ece29fbaab6d3ee873da6a30839a9a0

SHA1
c9311ad719fa2a6caaf0fafef169e10856ecd07b

SHA256
271286f31245f15fad26eacc020fb1746e1e3a1bff5de281cceaea9664ac1e2e

SHA512
c35bb03b74e24b256ab5a62b4d696c0eddb22db5c688be2ab8b6271f201dfd186ae4e4f2144f8b43406d63832480fb048a7c71377c56ebe3717ff388c46f2922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3dab6baacfb01bd30ff09f3de7b8db46

SHA1
2872a1e84ca102987efcd6827a1c721089ca4454

SHA256
b9f3accf0f3924c99ef7b9133ae90c50e07a3ddfbdd7afd13329529a85d2fafc

SHA512
d9071a68157da9721f20c7eb7447511b9e2e610b86544d72c082329be51335e735170099ce360c87d8aab06030e6805bc5b4b83f42c61e7cdfc6187686f76683

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
35f704f985428d80d61a4ca7240abca4

SHA1
b9a70b20a2b363bb59427ab434af89d905c2fb56

SHA256
715cdd9aa46864570036e608160b4a63632afcc8ba8733061e725d7da0f40774

SHA512
bdcf21c7c0f7cbd41d8f959b2eb4acb4a3285e70bca89aa59823b6c4f02df71e648898a0b7b589d0136cbf1e5f7d19e015f111fa2eb49eb7a2225ca68f9496ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
feed3bf3e8313d741be8d7d69647c979

SHA1
cf4686173462cda9e09e3495a1ea0ab6ade39c58

SHA256
15548df3aedf3070f3b731b69949ec2126ed70b2baf716a44b4ad91efe4074af

SHA512
fa0b61302cf6fa5975434d05c01f50c69b95fbae0902cdb67941a99d68c0fa5aa5299133f24e0d20c637817a43ac6f91d5688e973f0a4288935b1a4f1c69d4f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a8011c6d293574b56aacda75e22e50e1

SHA1
d0fbcd4bafdf1aad37980f2ea6266b6afd4ae793

SHA256
561f43c713c1a4fd37ee66ba81e5e1f7ff939ae2afc57832f96e0bff3dbe4d51

SHA512
5217c9bbe7f2340e68f94d08d7f39de81af0c108b374c08a86e67bd9b790ef2d9f2decaa63a9a2d7db7e5357c18efcb8ec7175f6a1c4548e6d2c97cce918ef33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
3f133c59d71ee25c36fa23b8c6f3c98e

SHA1
cfe051f1b07aee60f524c9997fa72f8dbe44a761

SHA256
7a1f76ee62290ac26572d8199d7b474e520e86d3f52e7943c361c63a88246821

SHA512
363a4dc6786beb519f724c9c77bf1704731b29fe22c1ca407aae2548f2e4f89b04fffaa3cce5d40996517c9bc0738fb453cb08b6cba392244051b37f0368e1a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
13dfb67dcfff4a169c7d7ad8bb318e7d

SHA1
ab64b94e09eb592688223207f8bde3e5ac93640e

SHA256
bc36f947ff6a3c746e4a4859ec45d35dcc7e66a36850544198abdd1712d26f17

SHA512
ad66cc7775ed09ec05cb702de9dcfadb86dbed0e0486b458af7d3cc78654326a62f609ef58b90f4259e2329b12dd58f3867129bafebff6048bb92757bf0b3cc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c6a71d9d944fd7091140d42b4a19ef47

SHA1
c0f8019a5956d7770ecdbd2b0b8ecf9884c08033

SHA256
c1508f81aadf125423400603c20d0d347cf453710dbbbd78da90912c4fd24a4d

SHA512
1118aed60e494798ffd8f58540d7a016a500d017e03169ee440ddbca0db1949422206d24f3937e3d05e9e52606f01ec0a1ea5775d7d94cde3ebdbbb975289f03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2911296375a6a1c2767b57cfee00ae16

SHA1
bff0c68214527a47e5236954b3dc94dbe570349c

SHA256
23263a2bd56ca575c61680d29399c91edca6f0b8b2351ee174b244ef5eddb977

SHA512
0d9a16b0c221351f4dcac96c61bd45aad3ebfe14e2a917d19b55af8405de1d885cd8e5a3fcdfdbce74c9a54ff3dfbb2aaeb272261cbc7564718fdeeb961e3f18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5626a06b5a6e08cabab642ef5c4bf211

SHA1
3d8e97df5e7be178703e2dcafc872f372c6cdc76

SHA256
97ab4555ae9450c1428dd8479eb55d16f3761a0541f22496c5bcc04e2ca6a08c

SHA512
52c2af935e1ccfb2ffbc4f53587ca9a8267000e4dfa786e54940ee4279855138d5d116bb135bef706ee4add631b9084cc6f356f0f7e18a6f16fcb3ce4a6fbca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
551ca3bd8e119eb9f536b4b508b1a0f4

SHA1
69d2f3bbf630deadd1aabceaf30a21a986db031f

SHA256
af3fa29b39750447cb62eb1a14a003834b5cfe94190bc9bbf07640e91a3f6809

SHA512
1b03ed8caf6958011030c5ede4958d4632757ba540d151c849173407b7463a5b91f49f72041a7df8bad6dd74ab9980d780ce24636392968f0098f21a50347523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aaf8776af56d8a84d1124282d21ddf63

SHA1
ffbde2f2ee56752b1e1740d2235fb79ca1e56025

SHA256
1fce15304f62e4b63fa98917888f319d8f25c3141c995c267eef479a550e9f2f

SHA512
efbab46fd466f861a0c5da50185c516990f0a6269fc7f8a08962c96a334548c15fc2a0a5e4adbf73ed5987c7c668387ff250e688e41da0e3723807dfe5f22b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9201e7dfe9a652e1cc94013c581157d

SHA1
8d010e0ba6901a24fc42a70980bac089c4527535

SHA256
fdda176d3204baf0643928fffb1ddb97a5a801590dc6a4dffc44aada2b515463

SHA512
e13ba4dd605cb1626a5139ae66e9bcb5496cef78135d470020bdf8e7e6ae30b6db1919136fd1646a667e417beec318ff241b8a7f762087336372ff5fbe47adb6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
95a4b4e47ca9b2e15bb8cb038a858207

SHA1
668ba569d6b6360cc522e404c214b11d911b7b68

SHA256
2d948b14af0ccd318588c4f23c147adbf31b7662710aba1501cd4f67f1eb7265

SHA512
4888349d9d5cdd3f51838243f6bc859f1a153f4602b38739134e6b7532ba72022b053ae59a7cec5b6495e3bcdea54c8d763fa7751a8067163cc1c78c53606dbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d258b47bc0008ae5ca7346430a794fe5

SHA1
179a8be83a2046c9be9e501239bd369ae5a143a7

SHA256
389cde0fe9270ec4037e83b491cec4e85dc6b981d1c0c2f4daa475bb0d85c085

SHA512
3c3306ef817a077238befd78b871e33fbaf660b214b4b705dbc6c66c53b9d67b078cba8cc80bdf5e15034a015616627003c71f3719cd83f2f5425ad9bb80e5c2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9ec9c31b9be9c1e63953bb689f1b3fb0

SHA1
49d415f62e8eced0d6fcc6297d19b2606b5dbc04

SHA256
1158c3a5588613b0107617addb9ff410dc4481b20766d1fff6138d87e7efe7bd

SHA512
76b8c79dabd72573f950c2d4e1d241cdc35e451dce7eeee9774bf0bbcf99eafe5c950fc877c55448aefab02267755723fe8533fea42e10ad9219a79663e2fbc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
7b8ee3b710c773625f43d26696c2961d

SHA1
52bcd0c60fdbb2c86bfc703476c82ab4909cddf8

SHA256
7da4bf679f43232819b4264c911b50fa7afe2b2155a4ef37f5a231c67de1d85b

SHA512
c0d3ca9184fd53a2bc2478ca3cf20ddf60e080e6faebb2d8aa7eea3920ef4d21bb43ed250e9e720c2294fd56064b9fa6ab67dfc5831f7163b81f8e4868567f33

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
281B

MD5
035f2ac7313e0dd6df12a0a207c56359

SHA1
01b512cfb08f4af8537598569cfed5b6216f8a81

SHA256
cd7e1292a2eb18cec3d7c2e6c4247c14892c2b99322bac3bf4d84383a0c1753c

SHA512
44642e407967b864895ba6799451d3bc7714f7c1b00ab49ca4d7985bf180ca718f96568eea83c44ae1a2a6e0e3e6cf42a55dc329bba17d0eb72a1efb41408d60

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
1KB

MD5
6710afed017be7f578c65a15b84c5215

SHA1
429f054a6f2ef54d0d18b82818de56d8db2f9b1c

SHA256
137890a15835d747e85c60061836782188c8bc9e603efa7d84837bcb058f7c62

SHA512
4a92ff4be64c3ddaa5414b2a02702043289b1818ed9774093ad712c8c8a2f3538f2e570f013b7eebd15f37ddc57a7ff97864156cf0264ed3643876949959ab44

Download Submit
C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.zip

Filesize
273KB

MD5
b4d3604087f3683ceeefce1af7ed9943

SHA1
4670d92cd1ee09869a2a548c59a4ebdfbb8931d5

SHA256
d7c676e60f2c2256f1886bbfb2d99feca27e5fe25774a65abdc8ccfd59018349

SHA512
8bd1b5b3f3a6429074ef206966adcf26c1fd52af0a20b9d949b946c26fed8efd741b590270a871b985c1f6b92e802ab046f3accee0071a2efaf40b2e97bed411

Download Submit
\??\pipe\crashpad_4296_PZBMWRYZTSRFZAST

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2812-308-0x00007FF7FA1B0000-0x00007FF7FA1C0000-memory.dmp

Filesize
64KB

Download
memory/2812-310-0x00007FF7FA1B0000-0x00007FF7FA1C0000-memory.dmp

Filesize
64KB

Download
memory/2812-311-0x00007FF7FA1B0000-0x00007FF7FA1C0000-memory.dmp

Filesize
64KB

Download
memory/2812-312-0x00007FF7F7A50000-0x00007FF7F7A60000-memory.dmp

Filesize
64KB

Download
memory/2812-313-0x00007FF7F7A50000-0x00007FF7F7A60000-memory.dmp

Filesize
64KB

Download
memory/2812-309-0x00007FF7FA1B0000-0x00007FF7FA1C0000-memory.dmp

Filesize
64KB

Download
memory/2812-307-0x00007FF7FA1B0000-0x00007FF7FA1C0000-memory.dmp

Filesize
64KB

Download