Overview

Score per task (platform in parentheses):
Static: 10
Release/Bo...er.exe (windows11-21h2-x64): 9
Release/au...in.dll (windows11-21h2-x64): 10
Release/lo...ng.dll (windows11-21h2-x64): 3
Release/lo...ng.dll (windows11-21h2-x64): 1
Release/lo...ng.dll (windows11-21h2-x64): 1
Release/ru...er.dll (windows11-21h2-x64): 1
Release/ru...er.dll (windows11-21h2-x64): 1
Release/ru...er.dll (windows11-21h2-x64): 1
Release/sc...Dex.js (windows11-21h2-x64): 3
Release/sc...eld.js (windows11-21h2-x64): 3
Release/sc...Env.js (windows11-21h2-x64): 3
Release/wo...re.dll (windows11-21h2-x64): 3
Release/wo...pet.js (windows11-21h2-x64): 1
Analysis
Max time kernel: 149s
Max time network: 146s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 20-12-2024 14:07
Behavioral tasks (sample, resource):
behavioral1: Release/Bootstrapper.exe (win11-20241007-en)
behavioral2: Release/autoexec/bin.dll (win11-20241007-en)
behavioral3: Release/locales/resources/app.asar.unpacked/node_modules/btime/binding.dll (win11-20241007-en)
behavioral4: Release/locales/resources/app.asar.unpacked/node_modules/get-fonts/binding.dll (win11-20241007-en)
behavioral5: Release/locales/resources/app.asar.unpacked/node_modules/vibrancy-win/binding.dll (win11-20241007-en)
behavioral6: Release/runtimes/win-arm64/native/WebView2Loader.dll (win11-20241007-en)
behavioral7: Release/runtimes/win-x64/native/WebView2Loader.dll (win11-20241007-en)
behavioral8: Release/runtimes/win-x86/native/WebView2Loader.dll (win11-20241023-en)
behavioral9: Release/scripts/Dex.js (win11-20241007-en)
behavioral10: Release/scripts/Infinite Yield.js (win11-20241007-en)
behavioral11: Release/scripts/UNCCheckEnv.js (win11-20241007-en)
behavioral12: Release/workspace/Xeno.exe.WebView2/EBWebView/Speech Recognition/1.15.0.1/Microsoft.CognitiveServices.Speech.core.dll (win11-20241007-en)
behavioral13: Release/workspace/Xeno.exe.WebView2/EBWebView/Subresource Filter/Unindexed Rules/10.34.0.57/adblock_snippet.js (win11-20241007-en)
General
Target: Release/Bootstrapper.exe
Size: 291KB
MD5: 53e3187874406221daeffa391d32fdef
SHA1: 285c215d6fd1e405b84ad49e73b43fb9a1c043a7
SHA256: c4b65e1b5260b6df862dcd1f7c8a42d7d39247bdee98c39af41e4ba268b23584
SHA512: 0c2b5792caa881b1e50a80fc955d8675082cfbe0c4e8a6e2b765e4c1ea5ab0ac254c0d63a283d61c8ea3b96c19913e9c2cf59aad516feb5667ad0f7ab41935e4
SSDEEP: 3072:IgY1p41bMUtxpkekFUPtroVmr1qxCE2+I7/rGdiXhcJ8nvGcW6wOmylg7zhISeWh:4p4JR+fmrMxDyRbg6F1C7znn
Malware Config
Extracted family: lumma
Signatures
- Lumma family
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\SystemTemp (chrome.exe)
- Program crash (1 IoC)
  pid 5224 WerFault.exe, pid_target 5032, procid_target 76
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Bootstrapper.exe)
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (chrome.exe)
- Modifies data under HKEY_USERS (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry (chrome.exe)
  Set value (int): \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133791773440061643" (chrome.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 5032 Bootstrapper.exe (4 entries); pid 824 chrome.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (4 IoCs)
  pid 824 chrome.exe (4 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Token: SeShutdownPrivilege, pid 824 chrome.exe (32 entries)
  Token: SeCreatePagefilePrivilege, pid 824 chrome.exe (32 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  pid 824 chrome.exe (26 entries)
- Suspicious use of SendNotifyMessage (12 IoCs)
  pid 824 chrome.exe (12 entries)
- Suspicious use of WriteProcessMemory (64 IoCs; one entry per write, so each row below is repeated)
  PID 824 chrome.exe wrote to memory of 2020 (procid_target 86)
  PID 824 chrome.exe wrote to memory of 2560 (procid_target 87)
  PID 824 chrome.exe wrote to memory of 844 (procid_target 88)
  PID 824 chrome.exe wrote to memory of 5172 (procid_target 89)
Processes (command line, PID; children indented under their parent)
- "C:\Users\Admin\AppData\Local\Temp\Release\Bootstrapper.exe" (PID 5032)
  Signatures: System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses
  - C:\Windows\SysWOW64\WerFault.exe -u -p 5032 -s 1400 (PID 5224)
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5032 -ip 5032 (PID 6048)
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding (PID 3488)
- "C:\Program Files\Google\Chrome\Application\chrome.exe" (PID 824)
  Signatures: Drops file in Windows directory; Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa905fcc40,0x7ffa905fcc4c,0x7ffa905fcc58 (PID 2020)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1772 /prefetch:2 (PID 2560)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2128 /prefetch:3 (PID 844)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2208 /prefetch:8 (PID 5172)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3160 /prefetch:1 (PID 3160)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3304 /prefetch:1 (PID 1588)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4464,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3540 /prefetch:1 (PID 2360)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4740 /prefetch:8 (PID 2084)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4912,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8 (PID 5444)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4240,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4696 /prefetch:8 (PID 5080)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5012,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5072 /prefetch:8 (PID 3796)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5172,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5180 /prefetch:8 (PID 1112)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4920,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5000 /prefetch:8 (PID 4412)
  - "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5348,i,9137728863889510555,17570625763699814434,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5392 /prefetch:2 (PID 5788)
- "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe" (PID 4832)
- C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc (PID 5848)
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (3): Credentials In Files (3)
Downloads