lumma | e5cd8af4c7685c5427354054de735f971df3e8eba9e9352844beeeb21c3bfee8

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-01-2025 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

r6_internal_free_cheat.rar.exe
Size

852.2MB
MD5

37d8c5974a5f387bd89405fdd1aea581
SHA1

1e498afbfaf4f79b34ef900273ffadc300f50f1a
SHA256

e5cd8af4c7685c5427354054de735f971df3e8eba9e9352844beeeb21c3bfee8
SHA512

4785bd5fb83bc0cdb555e597a35e8787ad9fbe96b79bbc181ac059404cd7423eaec3943e8d49a24421aeecd14d87625c50ac111fa214be510689c31447d00fc0
SSDEEP

393216:mCMAUBGCDgY9yJUzqsQXh7b3ii/YC2E3SeLsl8vgSy6:mnbByYmT7308V

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://comptetscant.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2308	Missile.com

Loads dropped DLL 1 IoCs

pid	Process
1740	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3060	tasklist.exe
1644	tasklist.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\InflationMichigan	r6_internal_free_cheat.rar.exe
File opened for modification	C:\Windows\ValidVillas	r6_internal_free_cheat.rar.exe
File opened for modification	C:\Windows\SauceCompany	r6_internal_free_cheat.rar.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	r6_internal_free_cheat.rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Missile.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2308	Missile.com
2308	Missile.com
2308	Missile.com
2812	chrome.exe
2812	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	tasklist.exe
Token: SeDebugPrivilege	1644	tasklist.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe
Token: SeShutdownPrivilege	2812	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
2308	Missile.com
2308	Missile.com
2308	Missile.com
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
2308	Missile.com
2308	Missile.com
2308	Missile.com
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe
2812	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 1740	2200	r6_internal_free_cheat.rar.exe	30
PID 2200 wrote to memory of 1740	2200	r6_internal_free_cheat.rar.exe	30
PID 2200 wrote to memory of 1740	2200	r6_internal_free_cheat.rar.exe	30
PID 2200 wrote to memory of 1740	2200	r6_internal_free_cheat.rar.exe	30
PID 1740 wrote to memory of 3060	1740	cmd.exe	32
PID 1740 wrote to memory of 3060	1740	cmd.exe	32
PID 1740 wrote to memory of 3060	1740	cmd.exe	32
PID 1740 wrote to memory of 3060	1740	cmd.exe	32
PID 1740 wrote to memory of 2372	1740	cmd.exe	33
PID 1740 wrote to memory of 2372	1740	cmd.exe	33
PID 1740 wrote to memory of 2372	1740	cmd.exe	33
PID 1740 wrote to memory of 2372	1740	cmd.exe	33
PID 1740 wrote to memory of 1644	1740	cmd.exe	35
PID 1740 wrote to memory of 1644	1740	cmd.exe	35
PID 1740 wrote to memory of 1644	1740	cmd.exe	35
PID 1740 wrote to memory of 1644	1740	cmd.exe	35
PID 1740 wrote to memory of 2680	1740	cmd.exe	36
PID 1740 wrote to memory of 2680	1740	cmd.exe	36
PID 1740 wrote to memory of 2680	1740	cmd.exe	36
PID 1740 wrote to memory of 2680	1740	cmd.exe	36
PID 1740 wrote to memory of 2348	1740	cmd.exe	37
PID 1740 wrote to memory of 2348	1740	cmd.exe	37
PID 1740 wrote to memory of 2348	1740	cmd.exe	37
PID 1740 wrote to memory of 2348	1740	cmd.exe	37
PID 1740 wrote to memory of 2872	1740	cmd.exe	38
PID 1740 wrote to memory of 2872	1740	cmd.exe	38
PID 1740 wrote to memory of 2872	1740	cmd.exe	38
PID 1740 wrote to memory of 2872	1740	cmd.exe	38
PID 1740 wrote to memory of 2644	1740	cmd.exe	39
PID 1740 wrote to memory of 2644	1740	cmd.exe	39
PID 1740 wrote to memory of 2644	1740	cmd.exe	39
PID 1740 wrote to memory of 2644	1740	cmd.exe	39
PID 1740 wrote to memory of 2908	1740	cmd.exe	40
PID 1740 wrote to memory of 2908	1740	cmd.exe	40
PID 1740 wrote to memory of 2908	1740	cmd.exe	40
PID 1740 wrote to memory of 2908	1740	cmd.exe	40
PID 1740 wrote to memory of 2432	1740	cmd.exe	41
PID 1740 wrote to memory of 2432	1740	cmd.exe	41
PID 1740 wrote to memory of 2432	1740	cmd.exe	41
PID 1740 wrote to memory of 2432	1740	cmd.exe	41
PID 1740 wrote to memory of 2308	1740	cmd.exe	42
PID 1740 wrote to memory of 2308	1740	cmd.exe	42
PID 1740 wrote to memory of 2308	1740	cmd.exe	42
PID 1740 wrote to memory of 2308	1740	cmd.exe	42
PID 1740 wrote to memory of 784	1740	cmd.exe	43
PID 1740 wrote to memory of 784	1740	cmd.exe	43
PID 1740 wrote to memory of 784	1740	cmd.exe	43
PID 1740 wrote to memory of 784	1740	cmd.exe	43
PID 2812 wrote to memory of 2688	2812	chrome.exe	46
PID 2812 wrote to memory of 2688	2812	chrome.exe	46
PID 2812 wrote to memory of 2688	2812	chrome.exe	46
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47
PID 2812 wrote to memory of 316	2812	chrome.exe	47

C:\Users\Admin\AppData\Local\Temp\r6_internal_free_cheat.rar.exe
"C:\Users\Admin\AppData\Local\Temp\r6_internal_free_cheat.rar.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Jvc Jvc.cmd & Jvc.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3060
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1644
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 742992
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2348
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Gm
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2872
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Aw" Ultram
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 742992\Missile.com + Applies + Filled + Accent + Deviation + Guns + Brave + Netscape + Officers + Storage 742992\Missile.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Regional + ..\Minor + ..\Either + ..\Refugees + ..\Gothic + ..\Utils u
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\742992\Missile.com
    Missile.com u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2308
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:784

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7329758,0x7fef7329768,0x7fef7329778
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:2
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1572 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:8
  2⤵
  PID:1156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2224 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1080 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:2
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3356 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:1
  2⤵
  PID:1132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3808 --field-trial-handle=1108,i,9527440476294895077,10459565142518679687,131072 /prefetch:8
  2⤵
  PID:2644

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:912

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6b50f708-fdf9-48f2-ab0d-f2648515db23.tmp

Filesize
344KB

MD5
604d82c656f40342c3dbd5c71bf4badd

SHA1
0ac06c12b5392a4381bf03f75ba63a1f5c948b25

SHA256
91bf5bdbdbdecbf41cf4440ab61cd0d80e287ed5c8daeb6bf37e27bb4f0519d1

SHA512
040c8ce587d7fa442fbf70bfb956cfc73def5138b8ca6251fe072ce48d987f15e195ccefc1b5b43e1890a95bf10dccc8ca8e7ab3129cb98d25e1ad8a4cab1466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1a515b4a5de0eb13dee47e2fa15a2f8d

SHA1
6657a19bef7f2be242290650e1685e58edf413eb

SHA256
7aae01d8fc811775bcd2a892dc294ba6105acfc1816bb9eb90d58e99b18bf5b5

SHA512
f0a77a463829742b78664a49d0833a6280cf6325c9788efe68360f24d0ad94faaaeebdf6c0c7c503dd21300811bef4444231eee5e4c4d1757583007b06d2d9d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d6205e0cb465794be16d75897401b170

SHA1
5315e35d068fda2cb8575ab8f0372fc1250e8603

SHA256
6b0f0d3a05b9946cf357df7dcd5853b2b9d5cf8bdac526747dc42ceb8dca04aa

SHA512
b899323e3f13d542fcdd52082bc5fab0c3b469fe453d84ebd95209ff42016b8da8693c5d875fca13ae88aeadb2688a4bab10238503843d47368bedbd61084e6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8a204a3bd7ef96a4dda322930cbb56d7

SHA1
d1a9f849d7c3c06b4694e39f9c31ef4c9754d0d6

SHA256
375f61e3aaba4eaed2ab21ca79b5ceebdff0facff821a1a84826452bd6fced9e

SHA512
081bd73c9a74dda9dfc30910c2a2bb4b48f72271827f75d8d292245ab952ab4090d1ce7fa115f88fd94e1795a1ac6bc5bd6152b618b72807c5bbed57fe458536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
f76cbe63a20f512e933f16d83330cf49

SHA1
4ace71b7242953a93424de99772750b4dadb4d30

SHA256
9c26e95c77e35bad5d3da179c21a86a769f93038f037b7435d0bb73012d911eb

SHA512
9eca9c700068813ebe9e379cb2db07f81995007038fdea73843808e7cd59607793392d310d33f6fa4c7200dee132c3593d192721e231095e516f8136b091c21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\742992\Missile.com

Filesize
136B

MD5
bdd240fde36ab67dacba20c0ac60e497

SHA1
ea2709a11e13a59df202c7c24b1e809819281a46

SHA256
268d75c78fc36195c232d3d51460bde0dc7781acee37408e81c50b73a3d0083e

SHA512
bbb28a3485630943d774d6351bba0d6dee559e05c997ae5fd1beea5dde5fd73a7a6a4b4b0ac379745d6cf35f6735be2ec3374ad4a3150d08602b631b16e4d9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\742992\u

Filesize
475KB

MD5
ca5912c9ec5f05cdb1c5b69a3e1cc9e9

SHA1
c2497dffcfe06e066fa2e6dc935cf5892120711d

SHA256
670413128488eb212d6070f4539a0734c23127a02ed3dd9d99df48dc12e128de

SHA512
d36212b1f7fff8a926b0be6823950f9df865d64e6e7c53d22d84c8b8b5c55c8fb8c12ceab331af42876ae5f4923c97c2ccae5426d5163864690a096c69337237

Download Submit
C:\Users\Admin\AppData\Local\Temp\Accent

Filesize
128KB

MD5
cdc4850983aa0c38e38bd1c5ea3c0a8c

SHA1
28774132652ad30ab99b5ebbe14453aa00ecac9e

SHA256
e243e4f12d12f2bee82e1d118b7c2a540fe701cf7c14c098e31fde5d76780c82

SHA512
95806983eca623d31c4a468389cc0e71a06b53cba204193fd61c5e311defff91d17b03da557e0da8a4abe4ca46ef579be5302e7f71674f8d910ec21140648f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Applies

Filesize
113KB

MD5
22e4cc4b4e6a01a435ef2b2cf9d4ae2e

SHA1
5dd27b653213d24f5801f88090b713dd9a5ff96e

SHA256
f942b79a29bd76f0d6e66708b89b6db461d92a5eae6ea4555c220ef7b069a3d4

SHA512
f3853b529f28f46ad73b03f7e1bfb366738bf5516e87088880dfeb4db937d8f9e428da41bbd8a9f19ba3948d8b91c589e347ea5a94ba7cf0aae5460d3321a2f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brave

Filesize
85KB

MD5
f9a5e51274730ff6f68bebf32bd37e77

SHA1
c4e98237e94799fadb54d56b9d95ddbfb9896cc7

SHA256
351d2cee1ad25d0ea8b5e7f153e266d21787084ac38126211f281c6b5c84fb7e

SHA512
3eb9bc8f27cd906c7e15e306ee6f0e8d9f4bf47351f2409cdf2930714b45610bdc6a96c68bd03e0ee1a7f4919caf431308872b8b77358abfdb4ed47eb51e236b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1D52.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Deviation

Filesize
129KB

MD5
e928c41942564cb8913765841cf04f25

SHA1
294f75238366bb5cd3b1cc0b8e7f0f4e0ac98f7e

SHA256
9ca24270c94d4abb65109a3d66c8df25a6e257ffb88947f7e0ffca75b44e8e78

SHA512
c3c39938061f6083256677e9b7cd3f9d73a17788e5ef01bea351ede9d4025934b5b84464da921795a2c4d8e5afc2d5383a5fe45fbfb7599c144cbdaf934a0fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Either

Filesize
94KB

MD5
462e0c19616536badc14cbc5bb5c30d7

SHA1
4236297c3d315691863d61174a81592128b76971

SHA256
a5fe1ad9a4e2ccc4ec5d96941e1035b243019ff449849c6f4a306c94645ca398

SHA512
0bb23b2a4eed1fd7dd871786b05fa376ee3a7659c8b6b7e4239de20b7ea11ee9a682b1ad2ee015cad47867ce38d2b44b4f8d8b4beb867494fe5941105edea8e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Filled

Filesize
88KB

MD5
1a17a767dcbbd6a9d0540b76d36480da

SHA1
33e9c3e951f29bc975b34a1beae43f7c9a15ca4a

SHA256
c9a746e21586b11d8c7c966fb36d5e6b23b787167aa718a8029d2dfa983d740f

SHA512
c9325950991a3ac18466f49979b8262aea6203e30070c9957ff3e5cf397551111e5abda02a31efa7f010a5ca3969f89a42c7d32a4bd34f7319e4d0f7c51805ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gm

Filesize
476KB

MD5
1e33dd4b10e760ab7758ced44e22bcef

SHA1
d2bd3c81a2448c2da09cf172d492f6023b39e6b7

SHA256
a911577dd3b05350be00d1d42f73c506ca4303084e633583503b22b712b69bd1

SHA512
e7b71bc86c55c7d192f2652a74d67ee475c4e9321962ae17d1b131bd1e4c350b427f8bbcec9549400882cc71a6cb4779920450080657d564fbf23f4183d19712

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gothic

Filesize
71KB

MD5
79bfa125d6c8994f029dfac6b7affc3d

SHA1
b00b2b53a1a8e2cceb8f6385957ab9c30ba1a7ab

SHA256
877e2754e58b69df37884908bfd4d141505728f0f5bf1a7ec29fe41bcf042f3d

SHA512
5f079a5802b579632abe5a758fab6772cec32bdd57bcc0255cbadf31075616f978f1b2319194bbf6fc35aad9c8feb4e5ebcf6f15bdbda801190c7461cb8a22b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guns

Filesize
120KB

MD5
a64f415e1ee063001fbf173ff04051d4

SHA1
885ff1a8a83b684e47afd282f940eabf39261898

SHA256
e59a4c866d2c324e469321735cc7563cb7e4b1b8d81c67250d6391da760d0dc2

SHA512
923a4521e3733c5cfdbbc9473cdfe33a4a856d309f6e4834dc9403aabc3c951d166a89d7b883c4e2e74221919e54622a7d0e22405576e0e7e199af50ba4d83d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jvc

Filesize
9KB

MD5
38acf58cb648e0df461ca4d4f4dbe0ed

SHA1
557c12a43d9ddc14b724a1eb08e5476839faf8a4

SHA256
4709a400319e403f43e5208194bce529bbc190c0fd77586a5bd9674f56b20ad1

SHA512
aea50d82dcabc72407776f9780eb9856b94b0184be3c8a7d71d574497c03f6d4de0f33f397936f3ee7f97c263c452ae9a81b9bfa5d9ccee2c96e91e302f1385d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Minor

Filesize
63KB

MD5
2dae3f1e78cdea1f6c70a2ba347f3657

SHA1
f6ca1370aeb039fab7d5e43e5d817f2e375cbc6a

SHA256
b5222bbb5366a12d8bc15cf7f0b45844259382b7a80178b2bbd0dedc63cc0fe2

SHA512
89dbf47a2803c5bcb7bbee788332eb71141b152b945b18f17579f2da05e95cf8cc1087d90a53ab7738150cf45920db68329c29469e80bf394b35e98b8d7cf852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Netscape

Filesize
91KB

MD5
5d7a031f30a220bebb6bf82c62ebfb45

SHA1
212ca7de87df0cc711837f5961da5d47fd481012

SHA256
23706fca324d201f4e8fbf2a3f1754c701f6701a97beff4aa56869e859cb82b0

SHA512
8e7143989b84e55db806af72e907d1cdca964be17b37800632eb7b92a3030ef2bb499a101d3b877e58d9abffb0e7743b73b1be963e7c8289817048e8785b2897

Download Submit
C:\Users\Admin\AppData\Local\Temp\Officers

Filesize
89KB

MD5
3ce9ccd550f8f45cff0c215db2098671

SHA1
5e5f73092fc2ea47714239ad51b6695b7c6ae96b

SHA256
25ece6848b6432d06f6317f9ce2e8c58f988e0abf78f921e9b43ad74f34e19d9

SHA512
43988c0dc4bf6f0454265b1e4895598a0758919da092fe5ca19e4d333f0919c28722df03f0282ad6754e479659fa0583e3108e35341383c879613fe611a7cfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Refugees

Filesize
76KB

MD5
aeeeabf1b1f7699078d8b3bf2de64ca8

SHA1
5a8cc592d28b6dc2f414dd220d146455028f6fe8

SHA256
8aacc1ffad00e2d7a3b1a70891d5efb47e5a7d247cef0666f96b50bd792eab15

SHA512
495ac1b2ea9de7d5cfb582de0ae458dcc73883575ee3d38b6fe7e733b92946fb74b612d9e91634ee676fa6156f2416a33c9412866ac1be9e07a26809a71fff67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Regional

Filesize
89KB

MD5
2031feb788b18c63453d160451b0e2cf

SHA1
3ad74b8097f6307efb0e2cdbd0efcc5056fd07a6

SHA256
9fd341a6409e50e7c0ca0df98135928d2f0d24626554495e33b2489bb217d41d

SHA512
16835172111ff5c17bbf3a03aa49e8fc78459668514f9f839c305ccaa7bfd38d5742189a136b94be41f4300d3b1b0d52cd41a16e1323ad2f56c1d8e037f4fba2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Storage

Filesize
81KB

MD5
c16c4a01b74e68c0ed8cce567a2361d7

SHA1
dd522f5e2a33df224a3c9eed9adc3d50e7dd0666

SHA256
c59ff8a06ce249a5992d01edfe7d675ccfc910d2e24bbf9c90e757be9ede6d4b

SHA512
f9bead2403a82f44ae87759e8b93d93fee3fe9eec64b8b33146d2df988df05d0d22ca6430076044fb534b836768b558d61853a8c60db5252fc3141978248a0e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1DB3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ultram

Filesize
138B

MD5
9eb5a2793730043e1fea41f26f220e98

SHA1
6ac96560288d3f2f5256a2db398e2dd3c9c05f69

SHA256
fd3e46043fd1345b70c3fe5044c0231ca740ab4f6c255d4ddc0d8da9efb3825d

SHA512
c68317506a1a6d7bc35a0a0f95e1c5747323387c616e4e27f19170a3671e398883805036671e7f0d2a1918ccab26d3c520ab83d502d8f907820279c39e13a586

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utils

Filesize
82KB

MD5
a7428a8558f5cc5d1e0234b429fffc33

SHA1
975dd3dc4317ddde6275fc40485524ef7b141424

SHA256
920b54733eec251b06b15a94c425a800edbde3f6f05a34fff8e7af471a9ec1a6

SHA512
9c404d556464a417372e1ddfa73d6fa3712f07a1ec8a08ba4a2a4f5a2de2d5033574bddcd526a910a2acc0c01a90f00275b0dd53fc3dacfb09fa9f0619670fc9

Download Submit
\Users\Admin\AppData\Local\Temp\742992\Missile.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2308-128-0x0000000003480000-0x00000000034D7000-memory.dmp

Filesize
348KB

Download
memory/2308-129-0x0000000003480000-0x00000000034D7000-memory.dmp

Filesize
348KB

Download
memory/2308-130-0x0000000003480000-0x00000000034D7000-memory.dmp

Filesize
348KB

Download
memory/2308-126-0x0000000003480000-0x00000000034D7000-memory.dmp

Filesize
348KB

Download
memory/2308-127-0x0000000003480000-0x00000000034D7000-memory.dmp

Filesize
348KB

Download