Analysis
max time kernel: 85s
max time network: 171s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 20-12-2024 11:13
Behavioral tasks (sample on resource)
behavioral1: Botstrap-Release-x64.zip on win7-20241023-en (the task this report describes)
behavioral2: Botstrap-Release-x64.zip on win10v2004-20241007-en
behavioral3: README.txt on win7-20240903-en
behavioral4: README.txt on win10v2004-20241007-en
behavioral5: Release.zip on win7-20241010-en
behavioral6: Release.zip on win10v2004-20241007-en
behavioral7: Release/Bootstrapper.exe on win7-20240708-en
behavioral8: Release/Bootstrapper.exe on win10v2004-20241007-en
behavioral9: Release/autoexec/bin.dll on win7-20240903-en
behavioral10: Release/autoexec/bin.dll on win10v2004-20241007-en
behavioral11: Release/locales/libGLESv2.dll on win7-20240708-en
behavioral12: Release/locales/libGLESv2.dll on win10v2004-20241007-en
behavioral13: Release/locales/locales/de.ps1 on win7-20240903-en
behavioral14: Release/locales/locales/de.ps1 on win10v2004-20241007-en
behavioral15: Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll on win7-20240903-en
behavioral16: Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll on win10v2004-20241007-en
behavioral17: Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll on win7-20240903-en
behavioral18: Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll on win10v2004-20241007-en
behavioral19: Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll on win7-20241010-en
behavioral20: Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll on win10v2004-20241007-en
behavioral21: Release/locales/resources/vk_swiftshader_icd.json on win7-20240903-en
behavioral22: Release/locales/resources/vk_swiftshader_icd.json on win10v2004-20241007-en
behavioral23: Release/locales/resources/vulkan-1.dll on win7-20240903-en
behavioral24: Release/locales/resources/vulkan-1.dll on win10v2004-20241007-en
behavioral25: Release/runtimes/win-arm64/native/WebView2Loader.dll on win7-20240903-en
behavioral26: Release/runtimes/win-arm64/native/WebView2Loader.dll on win10v2004-20241007-en
behavioral27: Release/runtimes/win-x64/native/WebView2Loader.dll on win7-20240903-en
behavioral28: Release/runtimes/win-x64/native/WebView2Loader.dll on win10v2004-20241007-en
behavioral29: Release/scripts/Dex.js on win7-20241023-en
behavioral30: Release/scripts/Dex.js on win10v2004-20241007-en
behavioral31: Release/scripts/Sine Wave.lua on win7-20241023-en
behavioral32: Release/scripts/Sine Wave.lua on win10v2004-20241007-en

Layout of the archive as submitted: Chromium/Electron support files (libGLESv2.dll, vulkan-1.dll, vk_swiftshader_icd.json, native node modules under app.asar.unpacked), WebView2Loader.dll for two architectures, and a PowerShell script (de.ps1) placed under locales/locales next to an autoexec/bin.dll and two scripts.
General
Target: Botstrap-Release-x64.zip
Size: 37.8MB
MD5: 0752f7ec8d6217d0b734e467944cb40a
SHA1: 00b7a44b75776b5ebab1bc11ffbb2f8c09e19490
SHA256: 8589dbf34b3918f9cc1e318a525b942f4c1f5f33191fabcc19099c724f54d788
SHA512: 415d2d26f38d3fdde143c195eb4067493665c4908e9cc1730f45a47aefb245681eef43a71ec0dfb1e1886a76c9520aaf849241e7a649f06a32f3f201e6621ecd
SSDEEP: 786432:JGtFuj1OGVBAOtAf+K43c0pQpa6TWAllA+II:JG7cUKgbsapjqPI
Malware Config
Extracted: lumma
C2 URLs:
https://sordid-snaked.cyou/api
https://awake-weaves.cyou/api
https://wrathful-jammy.cyou/api
https://debonairnukk.xyz/api
https://diffuculttan.xyz/api
https://effecterectz.xyz/api
https://deafeninggeh.biz/api
https://immureprech.biz/api
https://spellshagey.biz/api

Extracted: lumma
C2 URLs:
https://spellshagey.biz/api

Two extractions were reported: the first yields nine C2 endpoints, the second only spellshagey.biz, which is also the last entry of the first list. All nine endpoints share the /api path.
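The extracted C2 list is only useful once it is turned into something a SOC can hunt with. The following is an added example, not part of the sandbox report: it reduces the nine URLs above to hostnames and scans proxy log lines for requests to those hosts or their subdomains. The log lines and the five-field log format (timestamp, client IP, method, URL, status) are constructed for the example; they are not network data from this run.

```python
"""Hunt for the Lumma C2 hosts extracted in the Malware Config section.

Added example, not part of the original report. The URLs are the nine C2
endpoints listed on the page; the log lines and the log format
(timestamp, client IP, method, URL, status) are constructed."""
from urllib.parse import urlparse

# C2 URLs as listed in the "Malware Config" section of this report
LUMMA_C2_URLS = [
    "https://sordid-snaked.cyou/api",
    "https://awake-weaves.cyou/api",
    "https://wrathful-jammy.cyou/api",
    "https://debonairnukk.xyz/api",
    "https://diffuculttan.xyz/api",
    "https://effecterectz.xyz/api",
    "https://deafeninggeh.biz/api",
    "https://immureprech.biz/api",
    "https://spellshagey.biz/api",
]


def c2_hosts(urls):
    """Reduce the C2 URLs to lower-case hostnames. The /api path is dropped:
    the same hosts may be contacted on other paths, so the host is the key."""
    hosts = set()
    for url in urls:
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def host_matches(host, indicators):
    """Exact match or subdomain of an indicator. The leading dot is required
    so that 'notspellshagey.biz' does not match 'spellshagey.biz'."""
    host = host.lower().rstrip(".")
    return any(host == ioc or host.endswith("." + ioc) for ioc in indicators)


def hunt_proxy_log(lines, indicators):
    """Return (timestamp, client_ip, host, url) for every log line whose
    requested host is a C2 indicator. Malformed lines are skipped."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, client_ip, _method, url, _status = fields[:5]
        host = urlparse(url).hostname or ""
        if host_matches(host, indicators):
            hits.append((ts, client_ip, host, url))
    return hits


# Constructed proxy log lines (not from the sandbox run).
SAMPLE_LOG = [
    "2024-12-20T11:14:02Z 10.0.0.15 POST https://sordid-snaked.cyou/api 200",
    "2024-12-20T11:14:03Z 10.0.0.15 GET https://www.example.com/ 200",
    "2024-12-20T11:14:05Z 10.0.0.15 POST https://cdn.spellshagey.biz/api 200",
    "2024-12-20T11:14:07Z 10.0.0.22 GET https://notspellshagey.biz/ 200",
    "garbage line",
]

if __name__ == "__main__":
    for hit in hunt_proxy_log(SAMPLE_LOG, c2_hosts(LUMMA_C2_URLS)):
        print(*hit)
```

Matching on host rather than full URL is deliberate: the /api path is what the extracted config shows, but a blocklist keyed on the path would miss any other request to the same infrastructure.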
Signatures

Attribution note: the process tree below shows that the sample itself only runs as the four Bootstrapper.exe instances (PIDs 2468, 2352, 2912, 2008), each launched by 7-Zip (7zFM.exe, PID 2092) from a temporary extraction directory. chrome.exe (PID 2476), 7zFM.exe, notepad.exe, iexplore.exe and verclsid.exe have no parent link to the sample in this report, so the signatures they trigger describe sandbox and user activity, not the sample. The IoC tables below tally the repeated entries the report lists for each signature.

Lumma family

Executes dropped EXE (4 IoCs)
pid    Process
2468   Bootstrapper.exe
2352   Bootstrapper.exe
2912   Bootstrapper.exe
2008   Bootstrapper.exe

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

System Binary Proxy Execution: Verclsid (1 TTP, 1 IoC)
Adversaries may abuse Verclsid to proxy execution of malicious code.
pid    Process
2868   verclsid.exe
Caveat: verclsid.exe is Windows' shell-extension CLSID verification host and is launched by the shell itself when it validates a shell extension; the process tree records no parent for it and no link to Bootstrapper.exe.

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc                                                            Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   Bootstrapper.exe (one entry per Bootstrapper.exe instance, 4 in total)

Enumerates system info in registry (2 TTPs, 3 IoCs)
description         ioc                                                                   Process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe

Opens file in notepad (likely ransom note) (1 IoC)
pid    Process
788    notepad.exe
Caveat: per the process tree, this notepad.exe was started under 7zFM.exe with an extracted Bootstrapper.exe as its argument. It is a heuristic hit on a binary being opened in Notepad, not evidence of a ransom note.

Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid    Process            entries
2476   chrome.exe         2
2352   Bootstrapper.exe   4
2092   7zFM.exe           5
2468   Bootstrapper.exe   4
2912   Bootstrapper.exe   4
2008   Bootstrapper.exe   4

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid    Process
2092   7zFM.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token                  pid    Process      entries
SeRestorePrivilege     2092   7zFM.exe     1
35                     2092   7zFM.exe     1
SeSecurityPrivilege    2092   7zFM.exe     4
SeShutdownPrivilege    2476   chrome.exe   58
(the 7zFM.exe and chrome.exe entries are interleaved in the report; none are attributed to Bootstrapper.exe)

Suspicious use of FindShellTrayWindow (43 IoCs)
pid    Process      entries
2092   7zFM.exe     8
2476   chrome.exe   35

Suspicious use of SendNotifyMessage (32 IoCs)
pid    Process      entries
2476   chrome.exe   32

Suspicious use of WriteProcessMemory (64 IoCs)
pid    Process      wrote to memory of   procid_target   entries
2092   7zFM.exe     2468                 31              4
2476   chrome.exe   2760                 33              3
2476   chrome.exe   1708                 35              39
2476   chrome.exe   2648                 36              3
2476   chrome.exe   2668                 37              15
The only WriteProcessMemory relationship involving the sample is 7zFM.exe writing into the first Bootstrapper.exe it launched (PID 2468), which is how a parent populates a child at process creation; the rest is chrome.exe setting up its own helper processes.
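Reports of this kind print each IoC run as one long line, sometimes wrapped in the middle of an entry, so counting parent/child relationships by hand is error-prone. The following is an added example, not part of the report: a small parser for the "Suspicious use of WriteProcessMemory" and "Suspicious use of AdjustPrivilegeToken" layouts above that returns per-relationship counts and a parent-to-children map. The embedded input is a short excerpt in the report's own layout (including one wrapped entry), not the full 64-entry runs.

```python
"""Tally the flattened IoC runs of a sandbox report.

Added example, not part of the original report. It parses the
"Suspicious use of WriteProcessMemory" and "Suspicious use of
AdjustPrivilegeToken" entry layouts (rendered on the page as one long
line, sometimes wrapped mid-entry) into per-relationship counts."""
import re
from collections import Counter

# Entry layout as printed in the report:
#   PID <pid> wrote to memory of <child pid> <pid> <process> <procid_target>
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)")
#   Token: <privilege or LUID> <pid> <process>
TOKEN_RE = re.compile(r"Token: (\S+) (\d+) (\S+)")


def _flatten(text):
    """Join wrapped lines: the report breaks entries across line ends."""
    return " ".join(text.split())


def tally_write_process_memory(text):
    """Return Counter{(parent_pid, parent_process, child_pid, procid_target): n}."""
    return Counter(
        (int(pid), proc, int(child), int(target))
        for pid, child, proc, target in WPM_RE.findall(_flatten(text))
    )


def tally_token_privileges(text):
    """Return Counter{(privilege, pid, process): n}."""
    return Counter(
        (priv, int(pid), proc)
        for priv, pid, proc in TOKEN_RE.findall(_flatten(text))
    )


def child_map(wpm_tally):
    """Collapse a WriteProcessMemory tally into {parent_pid: sorted child pids}."""
    children = {}
    for (pid, _proc, child, _target), _n in wpm_tally.items():
        children.setdefault(pid, set()).add(child)
    return {pid: sorted(kids) for pid, kids in children.items()}


# Constructed excerpts in the report's own layout; the second WPM entry is
# wrapped across a line end exactly as the page wraps its long runs.
WPM_EXCERPT = """description pid Process procid_target PID 2092 wrote to memory of 2468 2092 7zFM.exe 31 PID 2092 wrote to memory of 2468 2092 7zFM.exe 31 PID 2476 wrote to memory of 2760 2476 chrome.exe 33 PID 2476 wrote to memory of 1708 2476
chrome.exe 35 PID 2476 wrote to memory of 2668 2476 chrome.exe 37"""

TOKEN_EXCERPT = """description pid Process Token: SeRestorePrivilege 2092 7zFM.exe Token: 35 2092 7zFM.exe Token: SeSecurityPrivilege 2092 7zFM.exe Token: SeShutdownPrivilege 2476 chrome.exe Token: SeShutdownPrivilege
2476 chrome.exe"""

if __name__ == "__main__":
    wpm = tally_write_process_memory(WPM_EXCERPT)
    for (pid, proc, child, target), n in sorted(wpm.items()):
        print(f"{pid} ({proc}) -> {child} [procid_target {target}]: {n}")
    for (priv, pid, proc), n in sorted(tally_token_privileges(TOKEN_EXCERPT).items()):
        print(f"{priv:<22} {pid} {proc}: {n}")
    print(child_map(wpm))
```

Run over the full runs from the Signatures section, the WriteProcessMemory tally is what shows that the sample's only parent/child link is 7zFM.exe into Bootstrapper.exe, while every other entry is chrome.exe spawning its own helpers.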
Processes
(indentation shows tree depth; top-level entries have no recorded parent in this report)

C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Botstrap-Release-x64.zip"
  PID: 2092
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\7zOC286D027\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC286D027\Bootstrapper.exe"
      PID: 2468
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\7zOC2877D17\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC2877D17\Bootstrapper.exe"
      PID: 2352
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Windows\notepad.exe
      "C:\Windows\notepad.exe" "C:\Users\Admin\AppData\Local\Temp\7zOC28C3D67\Bootstrapper.exe"
      PID: 788
      - Opens file in notepad (likely ransom note)

    C:\Users\Admin\AppData\Local\Temp\7zOC286E8E7\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC286E8E7\Bootstrapper.exe"
      PID: 2912
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\7zOC28298C7\Bootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\7zOC28298C7\Bootstrapper.exe"
      PID: 2008
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  PID: 2476
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68c9758,0x7fef68c9768,0x7fef68c9778
      PID: 2760

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1148 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:2
      PID: 1708

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:8
      PID: 2648

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1560 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:8
      PID: 2668

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2300 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:1
      PID: 1980

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2308 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:1
      PID: 1512

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1324 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:2
      PID: 2948

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3196 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:1
      PID: 2240

    C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1280,i,2742331183569902568,12380324449761139568,131072 /prefetch:8
      PID: 1772

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
  PID: 1692

C:\Windows\explorer.exe
  "C:\Windows\explorer.exe"
  PID: 2924

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x4e4
  PID: 1388

C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://appdata/
  PID: 884

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
      PID: 468

C:\Windows\system32\verclsid.exe
  "C:\Windows\system32\verclsid.exe" /S /C {0B2C9183-C9FA-4C53-AE21-C900B0C39965} /I {0C733A8A-2A1C-11CE-ADE5-00AA0044773D} /X 0x401
  PID: 2868
  - System Binary Proxy Execution: Verclsid

C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\d95b362b-0fa3-4e59-bfea-2b2c70be3657.tmp
  PID: 2928

Reading the tree: the sample runs as four Bootstrapper.exe instances, each extracted by 7-Zip into its own temporary directory under AppData\Local\Temp and started from there, plus one copy opened in Notepad. None of the Bootstrapper.exe instances has a recorded child process. chrome.exe and its helpers, explorer.exe, AUDIODG.EXE, the iexplore.exe invocation on http://appdata/, verclsid.exe and the rundll32.exe OpenAs_RunDLL call have no parent link to the sample here, so their signature hits should not be attributed to Bootstrapper.exe without further evidence.
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
Files written during the run. Only one entry carries a path, and it is a Chrome profile artifact (Site Characteristics Database), not something the sample dropped; the other entries have no path in this report.

Filesize: 16B
MD5: aefd77f47fb84fae5ea194496b44c67a
SHA1: dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256: 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512: b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Filesize: 264KB
MD5: f50f89a0a91564d0b8a211f8921aa7de
SHA1: 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256: b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512: bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Filesize: 1KB
MD5: aa5abc466beb9bec4ffdcb57fb916d86
SHA1: e190de7854fd6095d8477d21c797ad436d79d173
SHA256: 9de9e7e6edc57bd8a06427cdce339e2a5a5e2445d45e16d20118c8a4a7d38e17
SHA512: 5ac296efeeceb5ada22931171a4c269ab40f9e4d850309625f31051040a494be9f59cd6eaebfa23a62a0cf70113d0656fd425d5bdc81f1129fcc830003613b4a

Filesize: 932B
MD5: 23383e23390db87b70a1e7fbd0341da8
SHA1: 222f8c538d13ca3a153c2d622db47e929d447c3f
SHA256: b2b0980a1e5398383ba10b801466bfa34ebc2a81e5ab3340a61d097054ba0ea8
SHA512: eb0c089ce4e8566768731edb5cf5e84f3c26191bfb65a234978a949898f47dcbeb3f5ea9a3df20250018140f42628f2a4157864c2222c5e936ce759cf049167f

Filesize: 5KB
MD5: 960bc76d1a3b57243067a8bf9f111b27
SHA1: b2753d64420648025506fdf657c7c9350d71d111
SHA256: d010f89ec1400f42795e57c23a17c4e36c9e3bd3f5e5e1d7126d1e9c7c7268cb
SHA512: b0bb45ecb34921b06ec48b5ea0372d1b0e4677b2bd7d52964a61b37ead754e5144663b4a750b0289355fa4c23baa5d49ce8de678ecc135c77b9dc298b0b16316

Filesize: 5KB
MD5: f2b32b1b16bf1b31ba36aed153c325bd
SHA1: b54f55343b70693b0b3cf893aa8727eb5dbe68ca
SHA256: 1e7ca211c97d5238bd8155c368ca1d15ba25d747ed65ab4967639fe05e53ebfc
SHA512: 09440f217efa315452e1e141ef5ef5a7bbad5c1027f6162d4079315b8ad442adbca3d23ab507773f74b2139425bc2dd4e954cd5b3a1bd2615915383bff60e44e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp
Filesize: 16B
MD5: 18e723571b00fb1694a3bad6c78e4054
SHA1: afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256: 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512: 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Filesize: 14B
MD5: 9eae63c7a967fc314dd311d9f46a45b7
SHA1: caba9c2c93acfe0b9ceb9ab19b992b0fc19c71cf
SHA256: 4288925b0cf871c7458c22c46936efb0e903802feb991a0e1803be94ca6c251d
SHA512: bed924bff236bf5b6ce1df1db82e86c935e5830a20d9d24697efd82ca331e30604db8d04b0d692ec8541ec6deb2225bcc7d805b79f2db5726642198ecf6348b8

Filesize: 355KB
MD5: fb0ecd302ef451d42c82418790717b5a
SHA1: 6650462b527015205e4dabf0f97d080ff0f1af7c
SHA256: 1d73fbd402ac0e178c3d8f7db4dacd700c986279f84902363abc20d165ee1502
SHA512: 9c2a57330a136f68db468f0c171b71091770fc6c3a1f5ef9fada43c48ce46d99ab7b2da717364aa7bf97779c35b7bfaaaefc6080e2c4f7bf617c38522603d70d

Filesize: 291KB
MD5: fb185a1361635ca795d86fa13878616a
SHA1: b499bc957824a811322e2ce468e836ec919247d6
SHA256: eb56044897cc22d38a09b176457d31db37f629015891ee12f2f93a36fc607c0a
SHA512: 7b3f1e2977758fa3415230419923a9ce9d35cba1be543ed8e7621b24deb3f0907efa07b802a80d162fed32e7d0fc77bb59fea33c224690e261e108a05d918b84

Filesize: 685B
MD5: f75d099f26e0dc33afb838e04fdb592e
SHA1: 2b8b82d5845a311eda3d8a076119dd29ae34a99a
SHA256: a83e2e51fce49ba347b3dd7cce6cdde873f57940a2c9e8755c189164793dacbe
SHA512: eb5cb3f7aacfb21454ab64152f0b85f9dd725055c4a6563f55129eb3b26b6862d7fd61ee61a7548542185421446b6f3bbd6700e3cac66db3abb1a57aa2badda8