lumma | hxxps://www[.]mediafire[.]com/file/0a4qugwpjtxldax/%255B2%255D-Caption_Motion-1[.]zip/file

Analysis

max time kernel
138s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
02/03/2025, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/0a4qugwpjtxldax/%255B2%255D-Caption_Motion-1.zip/file

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://uprootquincju.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1620	Captiva.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captiva.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133853895000512915"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-100612193-3312047696-905266872-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
2480	chrome.exe
1620	Captiva.exe
1620	Captiva.exe
1620	Captiva.exe
1620	Captiva.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe
Token: SeShutdownPrivilege	988	chrome.exe
Token: SeCreatePagefilePrivilege	988	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe
988	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 988 wrote to memory of 1516	988	chrome.exe	85
PID 988 wrote to memory of 1516	988	chrome.exe	85
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 2476	988	chrome.exe	86
PID 988 wrote to memory of 1784	988	chrome.exe	87
PID 988 wrote to memory of 1784	988	chrome.exe	87
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88
PID 988 wrote to memory of 4820	988	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/0a4qugwpjtxldax/%255B2%255D-Caption_Motion-1.zip/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4e23cc40,0x7ffd4e23cc4c,0x7ffd4e23cc58
  2⤵
  PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2152,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1208,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2436 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4788,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5368,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4964,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4640,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4732,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=5720 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4644,i,752028839330810372,16348659966022103896,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4856

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\" -spe -an -ai#7zMap13429:102:7zEvent28591
1⤵
PID:3972

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\" -spe -an -ai#7zMap5194:148:7zEvent18270
1⤵
PID:3508

C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe
"C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
194af9cc0b7ad1b3f3000fef29f380f3

SHA1
f1892b0f7e7752d273486abef5400522775e41f6

SHA256
2b1ca71e8e626d861e6f892a5c92c99611d02ca13c8fe2342232cb4f59c221dc

SHA512
b6ae0cb32f4a3135dc2a2decfd2c18093699417a46b249f7889933f17a5f35af295fa77a0e578a8a49e7d536ce5eede25dbdd0dfee013d2db6c2cc82384e59d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
211500c4ca775612e804ecc2f66baeb5

SHA1
439ea799c1be49d8c672c6fb4e077b842f540f60

SHA256
e5b58871b2a46bc0fe0931d028ddd6e6cadcd1978270c6ec9d9f61c8662bf3fe

SHA512
17b9f12b72e6830bbd17ab32a5f4ddb20baf650ff2fd23d938307e4898baccf466be87658ff7c91df1a48d96d0f45612fb84792634065dbf2ab86d965f0dc563

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
622cb930bd3d586f4b3b40dec3817557

SHA1
7826d061d1f15e84c7036b9cf05fe74def192af3

SHA256
6979f7c309ca9b5bee2b0d7ecf344c0dd989e73969c4dc82aa92647a8bd85d81

SHA512
c3f37893cd85e18eca2019873fe2553e3e1e01620b8dfc3818f7426da1f6d943168a183e33451e0ede0e5bee104cbced8c0267893e9f49b8323fbf60234b92d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d07ba788ea74586a1766df53fbd1e6b0

SHA1
f6102592f529bee7f11240d6a6b00ca9abfc2caa

SHA256
0a1a5dfacf73a52c2e059d09edad4a487daf9336a852b238b64c35adf7817cb7

SHA512
74fa5327cc8b326cb8df6fcb26787b50b0a85f5c13e8a1d5c9814608d549d0c9d2142d4f660e7fe8aa59859d85513ef32165a314bc68440b9ff43f3a10d92b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7c9f01be10588a54abcfefaf5cd7eb1f

SHA1
afa03a350b0b7f2f90efb64406b6dcaedebfd789

SHA256
c36a36ee6ea2a738ba6d51f442814513bc15916edaddd1d837f77c5c58b87302

SHA512
99b63d82905b314e7481bdeeb4910826049279b78f94a3e46266636900b4ba81ef2931090483e08abe6095b07341cc385ee5a379072dab87804133e4fb7a4750

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\History

Filesize
256KB

MD5
2aa3253f52b96d96ee1c22990b71aa93

SHA1
c5031f0e7804363e59ce1cc6489d08c59ee48be9

SHA256
a1a78599ef0679b7375bf268c15abf03fc386c463dd53c43042e197f1d824845

SHA512
a4b2918e45612d7466bbb0b8ee9072b2d7929e8e76a99fb683892ee53992734b527fd65a2930951791112aef365366a1f58d27c3a1a683f9a07518673a5d766f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
1b0a1bb38d54b29f8e3f5b59a0fb67b2

SHA1
214bf03b123a18263c33f5fac7775f82bd997fd4

SHA256
f45c173ebafa75ab1b825c4cc6c18094c0f94a35d2693371e08e4d8eb8dbbee9

SHA512
f6606c8eddb027b1d04cb09bb4b157e1aa1b1e23bf40d4c2ec715ca757e96e7f6d629875188b46de5abe408a985d6bbb1077a33617682998f8ea0f6e69c49c58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
f3b89452758707a04c9bf832084c9d3c

SHA1
2dea60134d502136a1541fa21d4591e5a2601429

SHA256
28754ebc76c38b93c018452af55ed4d2b18e61723e49138f0b55e7cc6a076990

SHA512
412f5e2a019335fdd00ecd19f7943cf1c5be6cc5fee96c1f617a934f497d476dbcf6ec67b3b1f9a4011a0e6f14eaf21a95171b7e1f668863cafd90c1d815841f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
789c1bff99a832a50fec4c9ae0fc9174

SHA1
5ccb8da00ed4ba772fca2a601717d487525d2793

SHA256
2cc6c1cc3ad82cee266ee3eb24f3bba8e0ce7fae8035c078ca50e6b438e033ac

SHA512
3dc2ea18b37e25808b95a8eb53cfd05267f8bbbee84cc048b8088ebefb74544ff97f70e025153016f2a8dd2a15b24f9e2fae3e12f5cdd11738744d9c5f1c520a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2dcd9e76531ad074da4537067c147d5

SHA1
900dbcf3b78ba25e130436c1b739a63b800ba102

SHA256
c0c9f4ee765ece2100513a83c2f311c7f6cc943aea56e0a200d1911c88d70808

SHA512
256fb2bc30720d7eac28d1e6cc07f0a5cbe95316876d36cc8a6c639778f6df021eadc2c235127ca4582122c44a58094b0ed6109d75672b1348652a5aa41b489c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d518b33fc2e705429386abfb99426511

SHA1
047f5a7844a01aa853654cef116210232afb5414

SHA256
1b0518493c67c8385c41e0194b337b042b29381ab063a35aa6a5c28e7879b28d

SHA512
e0a3fc377af143660e4a44ef7df9ef59cbee88ee06ff30d19f9ee6ea23bc9aad28aa24f3b4f0d50e59b2bc8fba5cd9879fe0edf9d019077f7df68db15bd65fed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
efb862eb393660766682d9a2e3528919

SHA1
cd1cf81f9d84ebeaf2488693d1a9f1767fc8f2c9

SHA256
0fdab77e5c04042a74be515b9a29247e50a88bdd3d1ef381e274099431f7d8a1

SHA512
34644300d28f5714134159c7226baab54ca4faa00d28fa8810c9d498f530e2e4971cf4b7a9aa47892d5266ee5aecad5bc5f28f74f0067e267c54c1792bf2652b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
64f2a06c4061ad0407da0768fdd3dc1e

SHA1
4d34d20255eb12eb5bdcea2575f4d9cbe28346e2

SHA256
5828aa072d83e41f32f166289791dc934c1387673b49c9cf838f1df082064b01

SHA512
fe4f59c4ce123f690bb8f30b92e496a9da58e6974a19241fe3f12db5f2fbab5f3c9f1344879f5fdffd8b3a43a1866fa5d9416491c67171b5ba48f80dc8861e91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c25ebbc9765844a0875594bf0e77f715

SHA1
cad93c5e25b319cb0159d5660a2a718749bcd784

SHA256
70ebd892688294153e3e9693ed3bf286ede3b03f986e78aa29421badbea802c6

SHA512
8ab0b07d8fd5e2d6e375ae981be1c33dd2aabad5ce45ead5f8554ad14aa31fc671b7b41fbfe94f3442ddcc8dfea8d73924b4f4b94fc2fc1bdb0897a4e6483649

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f365b162e59c9a04c5516798a8d7922e

SHA1
8468cbbd2d35549841ef2c4e440bfa675a74ccc2

SHA256
18b3e676ca136350483ae91242ebe83a2c15d3ee4748ca9c238af64cca231d0d

SHA512
2be55a0df5af046b5f0e74b4f2072112bd7ffe0ff2d55ad51510b1c89728ee51c96e7dba121c73021254b64e26fd572f6af5ce27e13d874748058d999aad3e46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0ed7a14223b0993e62769e6c80c55fe8

SHA1
ea11678096e761381487858f18a83cc9e2fa9bb8

SHA256
c3a18fb8e0cc069ef30817a5aaf1d9dff716d39811c9df57a63d3f49d690f85b

SHA512
547a46ee41e1ae8b31cc6acbde42891b358e7e049d1283f9b3fd7737a426eac801bb176df6067036cb0a9586d7fabc319e783199542cf79dd5c8e4dd10b85b42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7df81c6e0f9b145aa00624708002654f

SHA1
3664e528fc7c6998a9158f0a6c2a5929eb0c94a4

SHA256
096e17690e89fc6b9439ae0710adac20e09f47bb120a05da065abb27992ab386

SHA512
de026aa5b82cfa422eed27d0c97c84457ebcd0330ab30232946fe0412ccbf27d6227f4fd0430af3179e5f14fb636c9466101a50f331b3670bfcf5cc4a7d44878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3cb1570764eec0f2fdf4cbb9782c0ab0

SHA1
04d267280f1eb4fed81a8c0b8d8deecabc74fda4

SHA256
4834bf4997c34b610b5ab243849314ea916f0305f6b99dd3c903bacbc0cc9f71

SHA512
adb7b947d4369fffd42389244754f5dd7777cd90370e5367d2e4547ceeaaa46d50a788a9fa6a359976d73f3f8664ec232aae82e64e6cb16c9a8d75561ab1164b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
39a9ecc1cd6c0dfff14efb82f9fa2886

SHA1
395301dba427c936bccccc8abee115927878f597

SHA256
4a984266fc5168ddc1b6957eaad69eec27209208b96b0e1d2a9027102253e289

SHA512
703c489788e0866532866622eef239b832872c67e638197008e787b56426f44d8b81f28945c86e20ad6ad11ff318e3aee2892f98e1f8cd551afc126934eeab74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Last Version

Filesize
14B

MD5
ef48733031b712ca7027624fff3ab208

SHA1
da4f3812e6afc4b90d2185f4709dfbb6b47714fa

SHA256
c9ce8dbbe51a4131073db3d6ceef1e11eaca6308ad88a86125f221102d2cee99

SHA512
ce3a5a429e3796977a8019f47806b8c0671b597ead642fcbfbe3144e2b8112d35a9f2250896b7f215d237d0d19c5966caf3fe674165a6d50e14cb2b88c892029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
0c555130d355e3a2830648d55ab0e3ec

SHA1
cbc57ad7dd0d5a4f2240a52e70a8b320bd579640

SHA256
83883ae0691c5a74e03a545c4ea59a54e6b886910e15d833117a8aba2d1ef5ec

SHA512
a32c16534f514022baf1d1f3160853fc668a383c19ff19303d739c83b09e2682419433307e48ad9e046775a9523b7cc885d3e661f718ce2a195fedecc8baf81f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
c3fe2f0b7d65922e740c9cdd2441b13a

SHA1
a6e9b39d78abb2c744d39cfdf052e474d09468d8

SHA256
617b31388990d5940de2e7b676682f2cc23b5c4d582259bc3da6ac8401a2a68d

SHA512
7bb02d3549d52d1b9cfed7f9b941c0af03fe91eb01c9aeef6c5488bdb20dbb96ef816f7407d3fa71c958655b120cfdeab910a5bb58821c797dff54163f6500c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
950083c8bf9dc70157d71ea667e35f32

SHA1
448b5b1d9469f6279aebaffddb2ab58e9f0697cc

SHA256
36343e36718b90c713c8cb9af20df5abea6b85ef3ad0c5ca1b683da70eda3d97

SHA512
b82d817c9577e06d467c18b8dbbe9a45d914b07bef1421b5b7eafab6c1dc586dcc681a98eb830e0ff010ed9472a86f1f206d55dec4e33b56538b6fd59dd0ae0f

Download Submit
C:\Users\Admin\Downloads\[2]-Caption_Motion-1.zip

Filesize
15.9MB

MD5
aedb8645e7ff555e772b3a4b0f9aaf5f

SHA1
6374b193e304e428346002606c74575cbde7923e

SHA256
39de3bc40e97290cf1b0cf6bc898a40bf977f727821052c158fab29bd877747d

SHA512
f447a85740e2de2d0edc09edfacf85e95c93d7ce80cdf1ec95588c03b3e8e57ecfaeaa3da144dc325e5678cae3d892a0cb97a016120fbf22ef626b457a1105f0

Download Submit
C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1.zip

Filesize
15.9MB

MD5
4062af6e50945f4a71bf0cc33d8fcc93

SHA1
dd3b80fba36deb673e87b5ec2118c72ee519d438

SHA256
745085cce1da7dafaf1d71e3182973b6ea15c198bbf31a0b2a377996d2112361

SHA512
b071265a597c1d316ea2d4db9d6befd072eaee98dc9cb0406c1b6dc5323f3a66c0b722b315090204be4cb517970b42de92e7c750be1aa2945febe25e46377922

Download Submit
C:\Users\Admin\Downloads\[2]-Caption_Motion-1\[2]-Caption)_Motionr_1\Captiva.exe

Filesize
7.0MB

MD5
8b7343c22fb99c26da8f3122c6cecdcd

SHA1
898ebaa6ae8293f24306475ea5029520a1533dbc

SHA256
fd37270bdce8937cc3cb0d4d99300f537daba57e70f36f40e4c767411f7938cd

SHA512
8d806c124656ebdf151f92ce9bb6024cb2fe17a5dafeb90c0ceff783c6e8c9044f00bc846727465f64f79946096d60d81d2434ae6cb05b6a18aee5bc05e4ba81

Download Submit
memory/1620-416-0x0000000001140000-0x000000000119E000-memory.dmp

Filesize
376KB

Download