blackmatter | hxxps://bazaar[.]abuse[.]ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/

Analysis

max time kernel
1162s
max time network
1164s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
22-09-2024 22:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bazaar.abuse.ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/

Score

10^/10

blackmatter lockbit discovery ransomware

Malware Config

Extracted

Family

blackmatter

Version

25.239

Signatures

BlackMatter Ransomware
BlackMatter ransomware group claims to be Darkside and REvil succesor.
ransomware blackmatter
Lockbit
Ransomware family with multiple variants released since late 2019.
ransomware lockbit

Rule to detect Lockbit 3.0 ransomware Windows payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0003000000025be9-403.dat	family_lockbit

Executes dropped EXE 2 IoCs

pid	Process
2060	a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe
1020	a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133715163082525778"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2980	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe
Token: SeShutdownPrivilege	3132	chrome.exe
Token: SeCreatePagefilePrivilege	3132	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3016	7zG.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe
3132	chrome.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE
2980	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 4548	3132	chrome.exe	78
PID 3132 wrote to memory of 4548	3132	chrome.exe	78
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 1228	3132	chrome.exe	79
PID 3132 wrote to memory of 2564	3132	chrome.exe	80
PID 3132 wrote to memory of 2564	3132	chrome.exe	80
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81
PID 3132 wrote to memory of 4380	3132	chrome.exe	81

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bazaar.abuse.ch/sample/a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db/
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffab21fcc40,0x7ffab21fcc4c,0x7ffab21fcc58
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2080 /prefetch:3
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3076,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4388,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4680,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3340,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4704,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5204,i,9855777207302212480,8700229855397077467,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:696

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2580

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10348:190:7zEvent11501
1⤵
- Suspicious use of FindShellTrayWindow
PID:3016

C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe
"C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060

C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe
"C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\SyncMount.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
fa8d730a3350e7ce68ff51eceb46583f

SHA1
4ddf17d4092e66480f014fc9d69925df7ad17a6a

SHA256
84d06b49a51e373a87915af1f7e86c5a636f6717d70621baac2990b50d41882c

SHA512
ffd50d90bcd5c79af3851734799436fea56a0155fc2f7edb37129519f1119bb416c914c916e238982a575ec7a96bf5db74d68e62aaeda0b1053168d37d018b7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
26e6250c86ef83ac7f8412105dbc6d57

SHA1
7acfa10497bcceeecfd3ee05c27daf5f746ed8fe

SHA256
b17c2b0e82e31044fcc60d3b104bbaaf3c08a88c032fbc15306042c036a602f2

SHA512
660bcb8b3b78934734a95fdf3af3f19912b5f5acbe9ef4f1427506eb7f9fab935732eff821951a53cd9a0b203330a15af0b02d38a0926ea15d61289a7353ef74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
2f51777ca00e656e9c316a646a1eb8fb

SHA1
f0db832df84bf227389cd684cc9f5da79dd3a3bf

SHA256
882dccad21870c0ed304d191cef4e314726f4b24538b69ecc77c72b2bdc4f864

SHA512
0fb02941b50a0fce05d1d7a2c402c9faf2f4ce310b4426a4dfc2d51f759d5665c6e10d395bf4c2d778b52bf43e28207f1920299fcbe3fff95fb7f7df88b0c210

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
0301e5325b4cad86d2ad79ab82ee0999

SHA1
bcaba61dd16dee2c1bcb1597f7fd4de47f59bd92

SHA256
d359fd80406661d0b7bdeb3381c22cb12b08fcb8117be7a795eb70a6e6b5d45b

SHA512
0170f5468e1204d9d24bf6e59571a51ae93f7e09423b446cb029bb9c76814a3328328157bb5ae872c4a5c4313666b963dafb351f0595f97b8e3a14413648a4e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
a682a136c411be9507da5a101d0eb387

SHA1
65a5a1161eac782abcceed79fd8b363c00845783

SHA256
17a03251a49b9a7c3bb6144d66e705c800153b0b85637d2687ae8ff48ad651b6

SHA512
1d6b1af0e814e2f1e496116b85dfa94709bdabfc3bdc9e6a40e52b93e8f96410975f9208b9ba958d048178a38583b7ef63b148a7e71e8277850a587fd3d4aec9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8b9066815f6c7b03ab5abaaa7880063b

SHA1
1208ced354ceff6249da79b08f9f0ec55d0cee4d

SHA256
cdd52c788dac8b9b97a0a72af1394f08fc5fd7e7fe299dc37a77095a3e1995b2

SHA512
d380dba4b9790b068d948a65eb88839e909ad69a662f62c75cf88fa4113bc69e7e33a7a32befd73445615439abaa4ae06d05cd578c163b6825af9826cb4e5844

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
66b49ce40785212d9644aa9a19336be9

SHA1
716ab2ff2c882041d13d91c4786577fd87b6dff8

SHA256
22358de5b97901a4bc7a2fb7075fce717a68dd2127c2136215167d33bd1c0905

SHA512
c2044f48fe8f59d053605cb6e0599ef76dfe59faf87d8e114179f8bcef5d36197cf8fe92523e8813b270e37bdeaa08d7b2cdcdbe4c4c85077d722ff89c6dd628

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
0e38d65909d7af5a4dffb52813701724

SHA1
e6bd2d7469767dc36eca363f1e4c90142fd3e84f

SHA256
2bb8f066cf04594f056db69d5fba647d4f1f2fa298a4622260b31e4a65d9d284

SHA512
2467d3a2f92297e703e2f9f1886290f82fb03d42002c2e8a4b02548402d30de9bf9b59ac554704759d3c7141c0995939757d95be2f89a5e3bb097b2103a187d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
83bfebaf089cdd9cf16db49db6cb614a

SHA1
bda5f01fee2264d7f9b7445d20474153286094c2

SHA256
140b98e7d6ddb40e3b476cfde6889c74ac0630125f0a0ebca982f3ced7004b70

SHA512
ac55ced7235cfb64412ac91fc5a43f87da7a0ac0c8ac06f017b86ec53725bba00b71a88a9980aa2e8be466ec04b828afd4d2ccaefe5cf0ed836806d75aeb9596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
6d58b6aada71f83f13420e49d22e16db

SHA1
7ce113527af34a004042f03de6f7b7b9fb53354a

SHA256
4c198bf49176fa8bfd05bc8562d3fc9b1cb9f73222b57e49e42d1566b9727974

SHA512
987d08f1dec7696b88302e9a3e8ac15a99d85a5fe5504c10a43abe9d25056e0b8048c1d64fed561f86a83c1763fc2c1216098ad4e74b9c249f366be119d6cd3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a74c0c16-c9d0-45ad-a5b9-92397cff4a66.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
35082d15c7b5ebbacf93c4b346cf89b8

SHA1
d71199b25f1c23ffd5fe8b8f25280d5117f96858

SHA256
515209590bebf149500e1d84135df6f38a09292084c3d065abfa7642f5b71011

SHA512
6cb8046a399ede0f6ffc83dd9fc7f704c697b4504a1e7a61e57b0119c1c1653e98bcc2b4942c9f573263b145e69cd517de6973c563c08c337f49ba8041a957d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b518c5212fb2ade397cdeff6137b394

SHA1
797606f0f533ccc7d8f3ee2124a5b3de5784a865

SHA256
823b2d130f5ac714ddb5569a85312bf80c7e5e6c1fdf9c1efbbe55eb7f4fb95f

SHA512
f5e16fe14b0bcc825ad2b2d680014ecff979081a8f2af2ecd400b9b6e0de207691464adb27d58194a0db2292118b5baf4effca8948c7511d9c2cdcdacd99b180

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
685d9edca043528477aa66d999113626

SHA1
781ee3c853e45079e5fc0b2755b93c7b76b3e50f

SHA256
be81050befb6f1b4441af757b76ca1eb9ca447b9ffc1ec466eea32bb9c056b6e

SHA512
0d3df0af99bf94e1f0d8fcf17dab146940b2dd402c7c1cd05ca29c62979caba916c051a4fee701492c7f42c646493b101d70132ac2d1b2b26304ecfe86f373ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
453200d7f006d0b0cd9b7c0b5f74de27

SHA1
cd22851b806a0743f0d27bb74f5a1e12643ba164

SHA256
cbb6e0dc2037b482c8404bd6ca22a3c9115d91b0660487f3bafb39194b36d3e3

SHA512
c0931c842cc67b9cb36b4e64339d794268e1f806648439d99d78b2a18f4f7a459e27b7aa4f3ddd72732832177351c2e1d8611f31774d64b1fe948653e41d74e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49737f02b5cdca6414d7975dd63c4b51

SHA1
c3b8eb38e6e2791f6f6cc059e159de108c72cddd

SHA256
606eadf4d51f72b650ee07b5f731ac5da10205637b557419b648b05fc44632cb

SHA512
88c51b9fa1296b5cd3fd31ee431fe2a7903d2edac42b54f5c00b3e81957c96419a370e7d52eab58f05ed57d28c7a3253ee9ec61110d3f2d9c57cc6fb33e31215

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54c0c57e6fd510527461bbb6a9e9bac1

SHA1
7c61e2371f6e5fd742f2a965ce746af7b0c8d4ca

SHA256
e44f55b6f64f654468679150735a020d4f76d148ac1c015b6789135f3104ebaa

SHA512
a8e9bca821c4338ba05332d6b88f23b8b201e2c66117ecc7cfe768c792f04f8b9edc0ef78190d6959358cf244238c0a07d05b595831a614fc8e74a89b3c63f68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
266f591aaa0d351fb0b2ee5db867ec71

SHA1
e2139d94b999b9aad1de3cb348d0d4656b730f9f

SHA256
a581b8ef43aa6ca8a0a3621dc9256f4f5ab7891a33b6aa9f420962481d91fe03

SHA512
45fc7bbf2932efee83357c374b6a159467ba7906fde18652f16592c6f06a6007c89fc04c6c293695dfbb536e6a4dd08c784bef0ead587b773ac96f282fa6da1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c77365a1c7c97820554c5c546beec4db

SHA1
423c0f45ba22f0c09a4c7af3538381a68953aa8a

SHA256
22b4781206d84a88622ef0442575d321583de29f18ce2d90e415abf5daba3999

SHA512
5b8034473fb09431c8948881b57ac71937293b693d44fe87981e08ce9ea53660aae3dc733b3a889531a9f0ee8fe5a04617897ec81ffe62ca681345d254db4a2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9622cc1f7bc8e8028dd3c874628ac61f

SHA1
5a4a400ba20e5b2879772c03b8dee4bcd1d17065

SHA256
dcd16270549fbd648b9b82a342874348e803cfb8853a46fa9bb2ccc4fd80ab26

SHA512
a83f5cb01951d24fd483b44767f0f63858934de9cd3e17698aa5648b27aecb213990c99c7e2a56b5ae224d7e09b1e4dac62d52b0c05a3b488f271e48feb9cd60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
83048091921509e5ce7fcaa9bc75bdd4

SHA1
af9088e49eeb88a0065988c8ef38397c33dc7cdf

SHA256
0259ecd4271d3375980fc2dcb0db003a28e0156484b9729e4fc6dda372957de6

SHA512
e0310acb82769fecaccfdb5b2c433be3ceae82ec965be879d6f6c3e7b1e81766d7716acb125f05b0b03f2af822d6116dd87187e88364c2d407c622ab931af996

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e60037c02c900d9422d578877609d5f8

SHA1
71f272dec545dd2e17c731b6e9c8bd470ca9be52

SHA256
5d159d702e4f36db18c5594d095bca642f8bbac39319adc34d2cc6eb6577f7bf

SHA512
b5eb5f2887f1e507b7bcfa42da5f327d208e07056083d6fa16b08b6f0d5ddac46a401ff8a582fa75fc6d79d87c344ee32c07d9eb6f4fa527da42f46149bf9423

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
6d338496f3dd1436275d164804259ec6

SHA1
ecb6b7b6b6ddf4c85b4da1f9de925812b70b7d52

SHA256
e8cea5d5bb5afa5aaf8ed8b39a6ea454e78adec10ff89d8e6c3f4d7db01a6374

SHA512
4194dfdf0e16375ee1c59a1bd60b2bcaa9d7a37df76730dce73cc8aff5d94870b8486696955365b87f041c3b223ef8a0dddce1fec026efd47bb2864d116a971d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
a87eee38ef2965fd292f67e572527e63

SHA1
3e783cecc30927f80822e0251f05ed908de3ca36

SHA256
b72fd0c4e2480c947ccad6337e37bc9e0d3500c28291ea20fc6917e9d0aac2b9

SHA512
d38b245f9fb1ef7092d03698b5d0e3783629a05d063a3c3e950af6d91132dad6b088117cfd53fb0ec822156bdf836d1101467bfb64827ff46d7b4a31c0d2a73c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d70578bd3e0bb113eea0dda5b4f87ad5

SHA1
51e6f6a3464b2245b57af10e0099b133c6cc9c28

SHA256
7c66451b64f550f686b0d42cc78b32afc368cef5b88a4556e906e4cabcfd9cd9

SHA512
2d24235f391cc4d7fa5b7691048e12b704ed9af1b667b87d46cb724273f41aea310e049a4052cd0df20c6743c1840bc624d2fd35ae816479c01c2f84f6641a7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
62d2f7575838480251e65fe530410bb7

SHA1
04319e900efceceb4bfcf91c89a264e2394dc445

SHA256
be2c9824518f6c036fced797cb911f0598eea12e2a7c0fdd7dd9ea18242f7363

SHA512
8de6f7e5eb985a835bf0b5ece66d6c4bcbe403ea14af70f8064b84514f57c95c32c93256d227d44b6dcd83d2cf7fa72f42a52dcb569986a2d45965e292a99773

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fa99fd9b-30b9-474a-adf6-06648f99218f.tmp

Filesize
99KB

MD5
e17f3d2b0c99b3e3afab68880bdb06a4

SHA1
d6cc734859ddd4637753cd94eb61ffae4bd84cea

SHA256
f2b5f7f659b36ada0e9c9335648515fceff7fbb2f3598bc3687d18a0a741c62a

SHA512
0453c5dd2fb2fc390903639008f9b49ad585d20aef9deab1efc01644f98610ecbc74a95f00517c6a4aa31e8ff3fa1bf5d9891dd2b22e44e8c2a5135ba5f487b2

Download Submit
C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.exe

Filesize
469KB

MD5
c2bc344f6dde0573ea9acdfb6698bf4c

SHA1
d6ae7dc2462c8c35c4a074b0a62f07cfef873c77

SHA256
a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db

SHA512
d60cf86c0267cd4e88d21768665bbb43f3048dace1e0013b2361c5bfabf2656ff6215dfb75b6932e09545473305b4f707c069721cdde317b1df1709cd9fc61c0

Download Submit
C:\Users\Admin\Downloads\a736269f5f3a9f2e11dd776e352e1801bc28bb699e47876784b8ef761e0062db.zip

Filesize
273KB

MD5
84ea607d2726ab583b1cd0b075e5a76b

SHA1
fc115a9fb0a0fc6b67c9e69446ba3219c7331ed5

SHA256
7b137e7933f2aed1c78294b7f756ef5f9a3c12d202ae22c5694f95ab6d4fa28a

SHA512
e6cb67d8992b7f200fdd69b0d90e614194072c5d095f37053625941aef6c3b6c4945f964990a62cc2fd76120d0c07282f73e9f6d9e08f6b5c5b6c8a9d4bba1f6

Download Submit
memory/2980-406-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

Filesize
64KB

Download
memory/2980-409-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

Filesize
64KB

Download
memory/2980-410-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

Filesize
64KB

Download
memory/2980-408-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

Filesize
64KB

Download
memory/2980-407-0x00007FFA81530000-0x00007FFA81540000-memory.dmp

Filesize
64KB

Download
memory/2980-411-0x00007FFA7F040000-0x00007FFA7F050000-memory.dmp

Filesize
64KB

Download
memory/2980-412-0x00007FFA7F040000-0x00007FFA7F050000-memory.dmp

Filesize
64KB

Download