lumma | hxxps://www[.]mediafire[.]com/folder/fpt4u0qvdip1h/Cool

Analysis

max time kernel
122s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
01/03/2025, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/fpt4u0qvdip1h/Cool

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://uprootquincju.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captiva.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captiva.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2278412438-3475196406-3686434223-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4580	msedge.exe
4580	msedge.exe
2536	msedge.exe
2536	msedge.exe
4076	identity_helper.exe
4076	identity_helper.exe
4384	msedge.exe
4384	msedge.exe
4388	Captiva.exe
4388	Captiva.exe
4388	Captiva.exe
4388	Captiva.exe
3744	Captiva.exe
3744	Captiva.exe
544	Captiva.exe
3744	Captiva.exe
544	Captiva.exe
3744	Captiva.exe
544	Captiva.exe
544	Captiva.exe
1440	Captiva.exe
1440	Captiva.exe
1440	Captiva.exe
1440	Captiva.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe
2536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1792	2536	msedge.exe	84
PID 2536 wrote to memory of 1792	2536	msedge.exe	84
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 3456	2536	msedge.exe	85
PID 2536 wrote to memory of 4580	2536	msedge.exe	86
PID 2536 wrote to memory of 4580	2536	msedge.exe	86
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87
PID 2536 wrote to memory of 2996	2536	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/fpt4u0qvdip1h/Cool
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee67346f8,0x7ffee6734708,0x7ffee6734718
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6648 /prefetch:1
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,5935436854564457729,14004570942570843801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:544

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3744

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1440

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
PID:6088

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\07B2F8147B62CC28.dat

Filesize
5.0MB

MD5
98386320ff5b33c1515c229e72a920f9

SHA1
04521264749ee50936acd02ba625054b77e30cea

SHA256
77a083e50a81725159940257d4f783eb0ee85fe1d244cf5c8a8b88f3980ae7e2

SHA512
4a3fd2df158813da213e844a07a3f687ba25f9270191ceb349db34f5899ad9399d03b0d2e2af07d62011dfb24c78e29619e94d3c4adb79a8cea3d581069fd0d6

Download Submit
C:\ProgramData\08B902A439FF00ED.dat

Filesize
288KB

MD5
cc42310c6b79fdea5a1f97dd860bc5c9

SHA1
8c5ae2648ee12ef044471ae7f26b4c814603e36d

SHA256
21f33455cd566ff43d91f43b052bfc39ab962c6c65cd3177ebdad3ad7716e452

SHA512
0953ed6e87fa90b85ae9f575079ab08a41a70253885738d6434e5e62ec2418481aaf0bafe158273488584b364d1acbf05478032c9e2ab9b874aeb15fe2404b33

Download Submit
C:\ProgramData\590F744D666E9D17.dat

Filesize
20KB

MD5
293d5a449a50521ceee32100ea173aeb

SHA1
42ea9b83c6460e7a931d28773c6099f86b8bf39d

SHA256
ed55173a04db3509f1930a53897d31664a794daae730bc84605ed4d6bd361045

SHA512
43a2587d8554735359877c88a54eb34915cdeed930dc678085e9f73246d486b1e81eccc2e172f8eb6f41b027df59ec1bfbc71fff4cd58f1685c2cc338ad2b4c4

Download Submit
C:\ProgramData\63AC792A39648212.dat

Filesize
224KB

MD5
4159c1ce33b6e3fdd5925cb7082750b6

SHA1
65ae3dfc8d7a9f325d8c704710e1b25b1ab7bbaf

SHA256
7381495db0a464104c80e2c4f49e1d519af1340c88cccc8c74d884142e8e9160

SHA512
fe66f91f52779dfd20f24ca5a59bd7611678237574a899b18f8ed3fd37af17bd029402aa28e06b505f965c8af7f6b9906e578a3d1eeb3a1e36205802d7fc0803

Download Submit
C:\ProgramData\75EEA0D9EF0BB244.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\ProgramData\A7C9E94D3FAAA4D9.dat

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\ProgramData\ABC1D96ACD57A750.dat

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\ProgramData\F836B1868C9221A3.dat

Filesize
114KB

MD5
17c6530503a40284486a7d10c7e87613

SHA1
1fd1dd5c6b5521fada17389e588b69bf3b22fb09

SHA256
6792c7c2010f1e8b04e16db6fdcaa862774a541fede9193d884c3c68e6e984bd

SHA512
b82a10c5be0fecfb4fcd1789f1d86dbe1c47c611fa69ca160ee09a0b66dbdd582fa1674d8d435ef3e03abf196f9669232eb82f7a02552e9414eaf8d56dbf9016

Download Submit
C:\ProgramData\FD29F56DDC9B7586.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4c9b7e612ef21ee665c70534d72524b0

SHA1
e76e22880ffa7d643933bf09544ceb23573d5add

SHA256
a64366387921aba157bba7472244791d5368aef8ecaf6472b616e1e130d7d05e

SHA512
e195e1ce5e7c06d193aa1f924d0079ea72b66eb22c3aea5b6811172251768f649368734e817996d9f0f72ddfd0e2bf2454aaee0bc650eaffd56fa125a334ae88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f4a0b24e1ad3a25fc9435eb63195e60

SHA1
052b5a37605d7e0e27d8b47bf162a000850196cd

SHA256
7d70a8fc286520712421636b563e9ee32335bca9a5be764544a084c77ddd5feb

SHA512
70897560b30f7885745fede85def923fb9a4f63820e351247d5dcbe81daab9dab49c1db03b29c390f58b3907d5025737a84fff026af2372c3233bc585dcfd284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
6ed2aba4d73861ccf1a0bbb21d33f143

SHA1
6368ca6c3abc29a09f0c2837a38112f62582cfa5

SHA256
214b262cb96edac22c2ef1d1e1f7dcb752c227c486dfd1cdd216a97a452a6951

SHA512
13338d8393dbc665847f95296b4f28597c3228032b36347c4303c0b17f77b5af7c4ba5d262523aa90e4a91ff7592ac9a935f2206e8e1d1de122a3627b36056a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
128KB

MD5
f743c55256a07a9819ffb874f0689637

SHA1
ab3e152d49d8ca1fc58f46cc839c68dceedd516d

SHA256
21db5f3556e5d631bced07267084b0b1d03bc2910cb23be98885170622d7d04e

SHA512
af7583abb3cba4bdca4de66b36b9254442c5d18f128c05bea8814aaf228663bd2096f79d753d7628d89a8ee1c30f17af00f8caa88660499f5092aa92f4cc7a6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
87172303a06a1b9e20c204e917091ec0

SHA1
600ca235ba19ac3abeebffcf30fb21e288f0de10

SHA256
27809f6c56e65ec94fcaedbc81aa6c1edfa8a8cef7e6fd58c102af7f7f863cd8

SHA512
0cdbf7595fb5b13d99e311853f7e9dbe578f2e030b33bcc092d13d346f207312012fc9d0d9f3a2ffa842cd789c116a05236d04807e6f2cc8ae6120abe1767252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d25ebb73540c502d1785294fd6ba79d7

SHA1
9975e4c2d9577ba4e6dbec6ddec8c117060de4eb

SHA256
7bfb5364e85c8c49b27eb5a36e03e491f9921406c68782cc4c1f74762b76ccbf

SHA512
834e37a24d3b45d5e65a397b0363e2e863bf1a37919c79e1718c35fc7606a0edd25cd532ef917d919c9664a082d957f1723309e3e3a7fbcd3b24a9a62a25f05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c458cbf5f8a8b9cb799cb898e1886077

SHA1
a8a4df50c3f93bf53d0f5ec3b1663ec9ab7da432

SHA256
deb585e3f8f139258ac5536f87a119c25a4981d9796bf83464c467e9b1d04d56

SHA512
017072276380517c66b31ef32485887eb69ed60a0655ed3a9eafcd8d89000df380f09afb0550927f6b27f0ab6602f7ed2da4d44d0b5c32a4503f37fbaf6bdced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
1ed4513db9b7cb9cbea346dc27142371

SHA1
c5e20308826e782f9f28eb2041f5dec72cfabcd3

SHA256
cf3e4253198a410b10ad8dbbae00a6b24e28d1c2527c398f626daecc16475804

SHA512
0136567612e69825551a169a925f16b12f9205cd34a796b587bd1c23c9a684f224d4851cf7f3d43f9e616f4387c203af8c1cf1dd04a281b8e6d955f919524797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c9e6b2a8f59714502d9d14f217b79299

SHA1
ca995949635d77d2a5ff9a6a2860f4a6b638ac5d

SHA256
92f63bdc48542328000364b300237ccd83c38745b160695ccb51b8a61983d1ef

SHA512
60f921718169356a7d01fae86e0bd9b024f3ca219f6f3c6f8316c8bf2b090fbb903ac328c96078f396e2806c4b83a667e906e08edf7d8ce709c9d38ae2f27820

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dedc3a30986516dc7db6d16c698c2ed7

SHA1
1bb2cfaa22b1c4208f7d6cec53cba47963a371ad

SHA256
ef981c69fcc91652c3db3cc21b1ad9e08b0ea07ee20c69ff56579191fc925da9

SHA512
9060ea1e00f3c15b36f167275905dc85c584d39cc55fd9be2ee919cbc54095668431cad83a767c23a78ff37297fceed74051bc2ce159b757362196f66cde168e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
96a1fbb06388c5a21d49d76a3eedd5c1

SHA1
d663a24bcec0983b9a934c8626c91397b1b0ba29

SHA256
3ab81c2087787898ec0303b83c92bfcda4efa35761e65848194dcb8af7addabf

SHA512
92d4dfad92cc8681208062872331ebfccb9273f8bd00cd5b832ebacb1edbecf94e4faba8fcad05f525195d34253d8014d89cea3fa62f9e1c130a076b35f5fd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e6e5.TMP

Filesize
1KB

MD5
048b9fbccb4a6c8f33da779eda56ced5

SHA1
359989fd5613d103b89f6d521f9009f4bc50fda1

SHA256
1fb140ec37210da1c5be86190a6cd607ac9b7b1681f24e5e24c31e2e173ee765

SHA512
373b3ebfa07322b79e6844fbcc63d3806ecb2903d088d4e3135e5a73f35376cf0d01c7099a1457b5c44a11934502d1aef3bcc7ba386cdcf04ddf49c8ed100385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b3ca079b83ed8ef2e136e87ccbde57e3

SHA1
d6c64947b4459e06e8519cbdcd41ef0ccadecc03

SHA256
528fb7d12cf194481a5897c6d7ab630daab73e1fdde376dc8e4062ada69c303d

SHA512
9edb98fb9df718968a3c936a1219ac8a60d7ef597d5c6cf40a5652be36ff87c28347bae18754e64d04e911196762874113e92dc1977c6268eb471072f4cf3bb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
213cc71923a7761c8bf034e8a3b57b14

SHA1
587ecce0b214f542f843282223f8614cfce84057

SHA256
b68ad65b16f07d47ee49713edbc35496a6ae5e5b5bd9622a47da416753f8a3b3

SHA512
d5930bb88e45f39af09e8fea44ba4702e8eddc4d2539084667433f6036a96ae83312720536d9f48442d526bb50dbc39de5ea2f50f08099342a1ee47087cdabc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d2aacbe6ace9787fbd6f07b6c7125fa0

SHA1
c75467054656c52bfc7021ef4dd2254ddda8de8d

SHA256
79441142cfe4dfa1ba1d85e80e52dbcd462715ddaa0d9570070eb16fe9c68f85

SHA512
0a98ceeea8c0b7364ca90381ba495f9536c38fa7533700edd48ad2de9d37d594fd2efbd38c8c235344e1e1f0f6c0e3cbf11b01784ea935a89da0066ce3124092

Download Submit
C:\Users\Admin\Downloads\[2]-Caption_Motion-1.zip

Filesize
15.9MB

MD5
aedb8645e7ff555e772b3a4b0f9aaf5f

SHA1
6374b193e304e428346002606c74575cbde7923e

SHA256
39de3bc40e97290cf1b0cf6bc898a40bf977f727821052c158fab29bd877747d

SHA512
f447a85740e2de2d0edc09edfacf85e95c93d7ce80cdf1ec95588c03b3e8e57ecfaeaa3da144dc325e5678cae3d892a0cb97a016120fbf22ef626b457a1105f0

Download Submit
memory/544-448-0x0000000003350000-0x00000000033AE000-memory.dmp

Filesize
376KB

Download
memory/1440-489-0x0000000003340000-0x000000000339E000-memory.dmp

Filesize
376KB

Download
memory/3744-452-0x0000000000870000-0x00000000008CE000-memory.dmp

Filesize
376KB

Download
memory/4388-408-0x0000000000980000-0x00000000009DE000-memory.dmp

Filesize
376KB

Download