lumma | hxxps://www[.]mediafire[.]com/file/7cpdep6snikr63f/%25CF%2583U%25C5%259Ee_%257E%257E20112320%257E%257E__As%25CF%2580%25CF%2583_Pswd_%25CF%2583[.]rar/file/?utm=a2aadbbb79681f3b4e1db4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/7cpdep6snikr63f/%25CF%2583U%25C5%259Ee_%257E%257E20112320%257E%257E__As%25CF%2580%25CF%2583_Pswd_%25CF%2583.rar/file/?utm=a2aadbbb79681f3b4e1db4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://rainbowdream.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Executes dropped EXE 1 IoCs

Processes:

Setup.exe

pid process

1684 Setup.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

Setup.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe

pid	process
1684	Setup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766207583220697"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

chrome.exeSetup.exechrome.exe

pid process

364 chrome.exe
364 chrome.exe
1684 Setup.exe
1684 Setup.exe
3180 chrome.exe
3180 chrome.exe
3180 chrome.exe
3180 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

chrome.exe

pid process

364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe
364 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeRestorePrivilege	3724	7zG.exe
Token: 35	3724	7zG.exe
Token: SeSecurityPrivilege	3724	7zG.exe
Token: SeSecurityPrivilege	3724	7zG.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeShutdownPrivilege	364	chrome.exe
Token: SeCreatePagefilePrivilege	364	chrome.exe
Token: SeRestorePrivilege	2120	7zG.exe
Token: 35	2120	7zG.exe

Suspicious use of FindShellTrayWindow 44 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	process
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
3724	7zG.exe
2120	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe
364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 364 wrote to memory of 2388	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 2388	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1596	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 3940	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 3940	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe
PID 364 wrote to memory of 1932	364	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/7cpdep6snikr63f/%25CF%2583U%25C5%259Ee_%257E%257E20112320%257E%257E__As%25CF%2580%25CF%2583_Pswd_%25CF%2583.rar/file/?utm=a2aadbbb79681f3b4e1db4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa8b75cc40,0x7ffa8b75cc4c,0x7ffa8b75cc58
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2408 /prefetch:8
  2⤵
  PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=5060,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4464 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4524,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5140,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5188,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4776,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5516,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5688,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5840,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5836,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6028,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4824,i,10817906656902947243,11454797529495277970,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3180

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2508

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\" -spe -an -ai#7zMap5878:122:7zEvent10350
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\" -an -ai#7zMap32003:184:7zEvent14369
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2120

C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\Setup.exe
"C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
b65d667045a646269e3eb65f457698f1

SHA1
a263ce582c0157238655530107dbec05a3475c54

SHA256
23848757826358c47263fa65d53bb5ec49286b717f7f2c9c8e83192a39e35bb6

SHA512
87f10412feee145f16f790fbbcf0353db1b0097bda352c2cd147028db69a1e98779be880e133fed17af6ed73eb615a51e5616966c8a7b7de364ec75f37c67567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a65bd6fbd81dd4d5da39daed3fecc43b

SHA1
f09ca918e6f55de0f55611dfa265850c1ede54a0

SHA256
930048b2a484ffba7e6c9b6b7858305fcad0a7124b2e1715ed42018cfbbe972b

SHA512
84750b9539439b35f504d3063908ed239997314ce9f8f3619d292f0605f570111d25019ebf6cb6bfd5854e77d902b0fafa0d5d9a5efc295886d0b1098ddd1733

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b939a79ae47f871ac9b728ad9f51afe5

SHA1
f0ecda1af55b15b0433587a180102f2bca9b437b

SHA256
04635c9ec1548ce0437eba6eefb2ccc71e82050892bdfa67e56889aae0562fe8

SHA512
7f071b0a51edaddf61250114406c39947fb9a235c3076c924240a2b825eb18579564f08bf16cd534ca71e4233092072d5890aa9a48e0fe968c46472c66b01409

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
18KB

MD5
0a7825e0f30cf91f654623670a01b971

SHA1
27899c2d5522413e697bb384a4ab0a260717cd9e

SHA256
4fd78de3bfcb9a3e7497082879424d85bf8a4523b92acb0a2b6dae30c021f496

SHA512
8c29cf5fe219be65a64ee6dec3e6744e68225811e6e094893fe449ee2cd65adb1a258f7fa333e6f5897f53ccd829b29feea7662a5570a440c9308a7bb8251a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a02ee0c6ed570f81a0bd034962d21e1a

SHA1
b9ae858acdaecf38721994fb1a789ed0a2acd40d

SHA256
3a4549a33a09060eaeda76f420e5bfe9b55ce0ecceecfedd4eeaa8e75607241a

SHA512
6a04881f98b74f3a2b3d9d254babcdbf547210c64f0ac03dda3074e25a4c92fe10951ff5c31e7b859dea620d74786bf121abf988cbad68d8115388bf7e629cb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
54498a1ceaae47026576036f68d7f8c8

SHA1
11c4e9a667d9d6a97529806f70fc286bd31bb820

SHA256
2036ae28aada840c718fd5f4ff3cc006a598fd577cee3edf930af99cf12f5d9f

SHA512
f02a1e3283f7394037295d702be20911ea9c1b09f6b606ad08b721c3c0c3d675ee2ea8ec34b2bb7bee41c6515439b0a3454ed4ff4e8f9dbe5c32b2ae9995f294

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
86c9898f8e98c1b8dd0527c54745ef76

SHA1
f3c9f1009b55385b3451c0a7cb6f9ed1b15c8747

SHA256
008f338ff74b6270d082a656a1ec446aeaa9f411cc888a48be2e6016650da7be

SHA512
4a228a16bd88fb0042f631c3c39e7d3d95dba28286bd258df7938fcaa895732cf1fcf77f930d8275f89085bfae510883167335ccc2994bc4f1ba0211c8b5da58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
31b7837b0af8a930b2201f0c7263151d

SHA1
81ae017e9cf8211b6a19cb11dc342e5d183b13e5

SHA256
2c0226c1bc92cc74a80968c9107fa17b67d6efa1e45fc3b959d0ef2b7f1e6e2b

SHA512
da7e0f726d9a4f048a1168bdef60c76dafb9975c9c5ecbe4953ca203a7823f803639d706831cdb23466b90df50185f7ca2f5bf0dfb780d7e529aad97e222a8a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
2777939c6e44ff5d9e0e8b1c5bf83d8f

SHA1
c05da97fc06cd1aa0d9f6fc181ee4bfcd1cee522

SHA256
e72c709ec791f3231440d9cb68016f9fc2cbfd900149c08cf571f4a77e6eeda1

SHA512
7092babd723e61af8f8049b2d4c497864fbb55cd7ebb59956be127a2b75b786a04fbbd415a62c72a34b465bbaafa03027584525af230ffddd2d1dd51ea406718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
964c338e2f43bb1db11da0750dc9cda3

SHA1
c4798cde2d33a45e618dfc7ba49d82ad1f46d0be

SHA256
af1b0120c876e4324b1b70a405a91ea6d7d0be4121e66ffed2fd97f2a710f8fb

SHA512
0d5cd667da8315b430d609d8c17761716493baf2ec0f0fd4ff9e0cea50ed0f8910992d711b5f11676c370df1ba7bde2d1aee6029f269a957e08005caa53c060e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fab641fbd95e79164e59967ccef77d68

SHA1
f4bf3bec866805525b2a2401ce9e7fb504daab28

SHA256
7abc441813b19a6e79e69789187469cb3fd4f8977b5afe14277f2dfe12c9e02c

SHA512
cd03dabed138e24b341523504c30b90511d40abe080c0ac0ae6d4f05a0d222d5650a31f6c239a06c4730c18db7aeb9ed9e0a5c592d8fdc157ad5c377d1ea913e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bf7daecf4cd636c38c5127efb712e2b5

SHA1
60f74167b11e2081c1c390d51cdacdd0708a0050

SHA256
ef262c2018ab98b96c12260da51b6bd9992f0f2737d3245f0150243eef06c8b8

SHA512
094ec8a4b01bba9621676d5b4296b0c15e81e6bd1f3876a8391f1f98ec5140f08d2d56718b425cdef1a879070ccc42234c925957d285fa9d5264fe73a43822d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d0a11ed089ccfbf6b32a99a40830379f

SHA1
e143c982f5ab260042368da075af8c57ab9c3b78

SHA256
92d6f2ab80da7eb50131cef8c4bdca91087625c5ecd012170de6744be78204ad

SHA512
1f6b858041db3401eac6910833c6fe118c5250b90fe650b7cd8d0aea6cccf4af758c6ca40429fb9e22e7036671c6e4d1920b42e40ae406ba0b7fd8bfd0331203

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
0d969cb61090d9f74a898242c293dabd

SHA1
d44c1fa311217652ebc2548132873e1dc55b50a0

SHA256
218048ba97e68e8b35b6476df7e07522bd1e62aa9d1761a05b02703a6bee3d5a

SHA512
81339c1dc1002a91a40ec9cdc36889b46e5e9bfbdfb7f6f11f1840e01ed94d2df345cb6b09cd78d78be0be2639e73b02825ac0a83373a03f861c27c6aa739834

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e77b08b6-5bcb-4a74-baa5-2ef93a21c21d.tmp

Filesize
116KB

MD5
d51788f3f5b537f1361d0a2cb76d9844

SHA1
c40695ab4619857446322442d3e6b0d2f6af334d

SHA256
462cbacfbc98b139dffe32759c2913b73287906e94052703a017325da6d9e63a

SHA512
ec591f78978bf5f51932950bc06167b6900a026b0931171678875fecb4f394f143855d9afa2d8bd88b727797a2b5f796ea2f07d1f161d13f65d7b0da31e88860

Download Submit
C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ.rar

Filesize
2.4MB

MD5
1481b807ae49b7a9c1c9bf4c81bf308b

SHA1
0789f59a27b57e11820c17a314cef2e2d0f0159c

SHA256
b82b93199c83636a6602b56856de1b91f1a81332e379d7d0c83c67ab301f9da4

SHA512
60449280eaa6488ab0950f6093371d285559257f758a07cac7672e8b7641faad407b953c5d9b2db7265394675c96a12652e178a17357b913d9c1d5c6d4f7f4cc

Download Submit
C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\Setup.exe

Filesize
7.5MB

MD5
10f4590d9ecd3f13f3aee5961eeae687

SHA1
77552efe6eddede132374977db4402faff403922

SHA256
a7c9b35a28b2b985b5033abe13d67da1378d64096f4bfda663e1a2f2b1b01a6a

SHA512
748ea9fabdc2f0214d87ffe2dc266a1436a57bb1f6f1029d23b82ab8438fd5750e220536a6bb53fef0b92b1e0c2eb62ac41151d2c95b34a6a09a10ce788fc66e

Download Submit
C:\Users\Admin\Downloads\σUŞe_~~20112320~~__Asπσ_Pswd_σ\σUŞe_~~20112320~~__Asπσ_Pswd_σ.zip

Filesize
2.4MB

MD5
bf4377bf6a053f92fd348bda5610b107

SHA1
474f4028e020c1a7b53d3c7487a6357f911b09b6

SHA256
467eba8378cf244ef9147900bf3b7478ed1828981124ba22a9a55e18c5e94bbf

SHA512
a62dd6304d0e751b715daad7ae163c4427283a03deb032bf2fb0addee4d278781db627837d0e8d2b81236cb466a2488dd4d54401f876efb8e0a9210e39672701

Download Submit
\??\pipe\crashpad_364_ROQPJXBWNQUKDPYW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1684-243-0x0000000001140000-0x0000000001194000-memory.dmp

Filesize
336KB

Download