lumma | hxxps://mega[.]nz/file/l5I1CYCQ#mVQyp51V014kSme2DjJgSrGAFiNbPPWz9OV0emxh4TQ

Resubmissions

17/01/2025, 14:39

250117-r1cxjasja1 10

Analysis

max time kernel
94s
max time network
97s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17/01/2025, 14:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/l5I1CYCQ#mVQyp51V014kSme2DjJgSrGAFiNbPPWz9OV0emxh4TQ

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://comptetscant.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
380	setup.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\06cc5a2e-9060-4d8c-a0a3-bfba93b9fe03.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250117143925.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3463531801-1484541064-3495084620-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4304	msedge.exe
4304	msedge.exe
2912	msedge.exe
2912	msedge.exe
680	identity_helper.exe
680	identity_helper.exe
5012	msedge.exe
5012	msedge.exe
380	setup.exe
380	setup.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: 33	1968	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1968	AUDIODG.EXE
Token: SeRestorePrivilege	4656	7zG.exe
Token: 35	4656	7zG.exe
Token: SeSecurityPrivilege	4656	7zG.exe
Token: SeSecurityPrivilege	4656	7zG.exe
Token: SeRestorePrivilege	464	7zG.exe
Token: 35	464	7zG.exe
Token: SeSecurityPrivilege	464	7zG.exe
Token: SeSecurityPrivilege	464	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
4656	7zG.exe
464	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe
2912	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 1156	2912	msedge.exe	81
PID 2912 wrote to memory of 1156	2912	msedge.exe	81
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 1148	2912	msedge.exe	83
PID 2912 wrote to memory of 4304	2912	msedge.exe	84
PID 2912 wrote to memory of 4304	2912	msedge.exe	84
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85
PID 2912 wrote to memory of 3912	2912	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/l5I1CYCQ#mVQyp51V014kSme2DjJgSrGAFiNbPPWz9OV0emxh4TQ
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x100,0x7ffa412846f8,0x7ffa41284708,0x7ffa41284718
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
  2⤵
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7aab95460,0x7ff7aab95470,0x7ff7aab95480
    3⤵
    PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6400 /prefetch:8
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6176 /prefetch:8
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6900 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,1837835670154055442,5768484367738458496,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:1
  2⤵
  PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1944

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\" -spe -an -ai#7zMap27041:122:7zEvent16026
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4656

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\#Pa$$w0rD__5567--0peɴ_Set-Up#@\" -spe -an -ai#7zMap13511:182:7zEvent27112
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:464

C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\#Pa$$w0rD__5567--0peɴ_Set-Up#@\setup.exe
"C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\#Pa$$w0rD__5567--0peɴ_Set-Up#@\setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c2eb126a03012e4645cbf12fa576adb

SHA1
f4fc0dbbe2fca0aab23014eeee6d533aad91b5fb

SHA256
ce9774b847a66f7dce4153518d56469986dedfe78acbcca8e97a64d21df5a1ec

SHA512
40008285483a37d186c6feaaea96e92f8d665193eb2cd4af0ccd2e77544fa2afedd8aa89b8f09e49e1d6960cbe8543389151d2413c8be408794b70da0eb122e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
501a25f290332c25255eaaf70ee6f240

SHA1
23cba10495d7098ad6de6936cf31c1b0eefd1246

SHA256
420c031363bcb69b4cc540b0afad7180d21b4957a2d6eabe23a40e669aeeebcc

SHA512
84ba813e4036be7d9fa08d5fab885421017d008f8fe8d99f56313b54f490c9151a27a67734bb17101691df563efef7e5379250f476e869a848f225786a913081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
1a76428c3191d8c70d56423b4572ff16

SHA1
2b5bebd8515453eb95df2a6ae4c47fc2806e47b0

SHA256
8ecc97be05c9e44750b7a50fd686abbb6e344053bb485fb07ebd05a4792aa9c3

SHA512
854fea143a200a1d20ff335b20ade39433f8031d7a7f70b0a184e2a26b4ba1b78b2c9ec6fab17b18df086689271a1daae37425d49c98b0f39677e8a04e54279c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
4761813801bcebf1b346a3449c7a0ee2

SHA1
fbb2bf681cd24559ce8d67afa795d2afa1f86869

SHA256
dbc68afc0a594629300a34b22b4b3b5f29524c220655faea76b9c8c50a5c5efe

SHA512
dad8a069e76bfa46676deb7bd423c2db7ccd7bc71b639a2097305dd87a399a481572719e8fd7bf4c2db6a4da93c50acd8ad1d9b21cb09e8da1e7889ec5c787ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58e76d.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ab17244bd71aec2daa11fa57b1b4dac

SHA1
3dd2e89bf6c9498f3ac81e5f14564dc2027dabbb

SHA256
fef19cb3442125f359c66dbad652707999104da7360fa71e28a56368c050681a

SHA512
640b4f0f5073539af146225598573ce759f76c7af64827d3a21efcda1c9422bb3cf55041b462183ff365e2f6d5451a8ed58964b6ab3ec99dfd594937ca015bd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d96f04b07174baac8db4f6d9ebbd4b24

SHA1
a4e08481f09456d052502243f85cdd39a3febc9d

SHA256
9c0a98377fb9a2207b376d1f6393bd36d7de9f0a82d4cc49364dd97a77eaee78

SHA512
5ba13274031e25ccf75c5da4c2d5a6e74da3952bfa2ddd720de41c8d6d9d14a473ccba18919c907cd1447be09a34c025a1e6169d815ef28ed6627ec46dbe281d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aadda302f2dd822a9f82b215b6e3f4c4

SHA1
965300eb4a5050307b1f0b709f920527169245e2

SHA256
3cca0cd02d69a9c8a1b0a15e2118063a79923c4d697bf76cdeb10ec2afa434b3

SHA512
6eb4cd0cef401dcc57a1e7bb730c521506c971fd728eb46814ff2eb36a4fa711f2acdd9d169a215342acadeb31bf8122024a32e8e2aa0a75f55670f01fe09877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ef30b5850d78b050b13ae82ee13c6b28

SHA1
25bcd922ab2c62d47c9bfac3fafcca08317ad8e5

SHA256
dfd732ede1af0d6dc560b9fbef26f92f9fdf83a72da3e6910cb39843be4fed30

SHA512
f9bdbddff6fe99cacf3a670ab5504849668c9049053eca2a4b51f74eb050ea4d60629ce29a571223b1cf293101d646067f9f00e4fb3039738921e1c042419f8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
756e057549f94bab5abb74774dfb349b

SHA1
b982c53adc083e1df2cf56d865ff963fce8fb087

SHA256
1497b86eff4998c97f433013df81f1b27e1a047c2da6e4c32e31d80b4a1c48bc

SHA512
782e5d5ac4d7ebf59fe2352f351d1d037c315a7b40a61321ad7db18d94953f14a103d0a5abcf1628cd6aa25cb84858d942f9e5c447fe1b529d93b228290ed4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe583350.TMP

Filesize
48B

MD5
580b0f03b27dbaf9dc2ee2dd48808265

SHA1
39d57016a0d0b395c7791d39dbb52e54ec4831ce

SHA256
25dbbd2232cdd36124bfb5c48e3c735c741784c540968632aa674a237156a1fb

SHA512
42df32ae3ba9e84e758a0569ec3642487be85b199e9b46b19afdf8712696c92c2dbac9a1e165101a99d32abccfabfb9436f54c6c399157a2530c626825e73708

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b2f1b054-af0d-4258-8082-c2a29389ffb5.tmp

Filesize
24KB

MD5
94ce4b2ff0abce6d838ac24a1b0f4e73

SHA1
02f4a956ed4f2e2e0ca9c4b75bf8e7245a1cec88

SHA256
06180545891f02875414f56a2a8ca3f21c2f415e03644674cff1c9674cb9b222

SHA512
b3bf05777fa4abbd7c475657dea5ca9c00600ab6226843150eff563837c3232c3b513afc0ac5ff1976e35979a51f34710ab74582d1316282bdcb67cc17493c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
7fa8671ebc2c75ac7a98afeb49b1c8eb

SHA1
d5e18d6ee2a5d0182711a18c2a4ca8388d81f4a7

SHA256
8fafcb9adbc7f065802eb89650ba0de99fd03373b2ac4ae3a3d3230467f8d4f5

SHA512
d7004403c8bf279f2c8410bc20910659dbad2b7cc743162c8e2b8278a3389f505b870acb08292973e9cfede062f040ee80b878960614f1508b72cf6238b388b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38a02276084e871da7a1b3d4b2657949

SHA1
7c447d811c2ce67744e762d891bd4b80fc0bb052

SHA256
dcf62d9f37de69416746fe9aa6a28bfb54a09f06272c3ef1a2bde0a4373b7cab

SHA512
2423e096b863027c5866b9d2dcb39dc3e2a56051ff26f5cf886f9b32139a3383399106bd30d35c271805925dcf4fe59ee8b43a885b22faad4b2356d74f894d9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b9307d0982280d61b8d9f2fe1915e9a3

SHA1
3d3f9399758686aa328f19bb509bccf6e1556d8f

SHA256
72bb684247177f707cb26362b3979d14670fa6bf24515332c9c7e85d9a581e95

SHA512
9bb3b875e1b1e418e91adfb6b17c4a51bdb7be18da7d9432c8563c223f754a976dad7952faf4c7cbf531ceaab7fc76a79bed2e024974b97484d2b243c12ef3a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2618d6c41e00d4367bb32da0a0bf177f

SHA1
13898fd84cbe19c194d3844a642c8ae5b8afef9c

SHA256
cb1fa33d2e6e96e421df2a9d4ee0dd6e6a0845f593be00e9829040db41a3c0e8

SHA512
54833e440b2ee4ecd1ed7863d31b9a88ab25bebd1a4580ce118513f8408c77045a5ad4f6d4bed34fbf8946258ff0579691dfa22ec290e37ab8d5ef23b4a32122

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@.zip

Filesize
10.8MB

MD5
437e0c7c131718c16a2d34368c3ea31d

SHA1
8fc78cfd7cd9d53fe2fa158501ceb2562d8b4df7

SHA256
7b62eb49af0f5c49c71b0371aa9fbed5e22e5af28ffb28523110d2f8c735dcd8

SHA512
d933a313ee04d94b30182bdd0052720b68ee5bb775447b7121512690a2aa75c3eef9a127f66d1b72fc587c91edb19defa54eaf1f2176f6b725a3aae3b4252cdf

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\#Pa$$w0rD__5567--0peɴ_Set-Up#@.7z

Filesize
10.8MB

MD5
ea37985516cb78ad59627a534623b827

SHA1
0905a23747eda9c05fdb8b9b2289a8b117fefc0f

SHA256
7bad5e968304e285506d4c98c0821f169b606a4a1795143c791373cfa6a88142

SHA512
c2658b93ee77f20ae11b93fb8335034077523415ec0074d21343465586330849247614ff0c7f60d8d6222941dc0e59d02f795019c768636577591504cec7f33b

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#@\#Pa$$w0rD__5567--0peɴ_Set-Up#@\Resources\htwj

Filesize
2.4MB

MD5
ceea78710c5247be6a4dda72a209f3d5

SHA1
92d6cc42c820df8fee42748e1f778d3265cf582a

SHA256
6bf12cad0c848c4ff37152c30d263188d07da8c5f17dac4f49c2ba0691221add

SHA512
e2164edb3eee4bbf97aca6da81b1d2cb7b35bd2569d72c8f0a9fdf42738ae83100a399c7c831229706d857a4d4adbd5ea5cf1ab50b7c0feb43954bb9a7f44471

Download Submit
memory/380-703-0x00000000012E0000-0x0000000001332000-memory.dmp

Filesize
328KB

Download