lumma | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqa1N4aG5nVEg4cW8waE4yT3h4WmRUNnhEeXF1UXxBQ3Jtc0ttSUEwb0RualJPME9VVWdRMnNJQzJRX0M2VG9TUF9zVTd4YmNiQ1JtanE5djBYQkpuZk03ZUZGbGw3WWR5QXZUZThHTDdYZVJCSE4yb2t3b1VoTjJJTDlvSnYtaXF4Ym5wWmJRRi0xWUllRm5udHNlcw&q=https%3A%2F%2Fecheloncheats[.]pro%2F&v=95MPl350oP0

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa1N4aG5nVEg4cW8waE4yT3h4WmRUNnhEeXF1UXxBQ3Jtc0ttSUEwb0RualJPME9VVWdRMnNJQzJRX0M2VG9TUF9zVTd4YmNiQ1JtanE5djBYQkpuZk03ZUZGbGw3WWR5QXZUZThHTDdYZVJCSE4yb2t3b1VoTjJJTDlvSnYtaXF4Ym5wWmJRRi0xWUllRm5udHNlcw&q=https%3A%2F%2Fecheloncheats.pro%2F&v=95MPl350oP0

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 6 IoCs

pid	Process
1092	Echelon.exe
4828	Echelon.exe
4900	Echelon.exe
2724	Echelon.exe
4552	Echelon.exe
4508	Echelon.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Echelon.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133806368974182962"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-493223053-2004649691-1575712786-1000\{BF38400E-04C4-4777-98D3-A4E91784B00B}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
548	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
1092	Echelon.exe
1092	Echelon.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
3668	chrome.exe
4828	Echelon.exe
4828	Echelon.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe
Token: SeShutdownPrivilege	3920	chrome.exe
Token: SeCreatePagefilePrivilege	3920	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe
3920	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 2344	3920	chrome.exe	83
PID 3920 wrote to memory of 2344	3920	chrome.exe	83
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 5036	3920	chrome.exe	84
PID 3920 wrote to memory of 960	3920	chrome.exe	85
PID 3920 wrote to memory of 960	3920	chrome.exe	85
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86
PID 3920 wrote to memory of 1176	3920	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqa1N4aG5nVEg4cW8waE4yT3h4WmRUNnhEeXF1UXxBQ3Jtc0ttSUEwb0RualJPME9VVWdRMnNJQzJRX0M2VG9TUF9zVTd4YmNiQ1JtanE5djBYQkpuZk03ZUZGbGw3WWR5QXZUZThHTDdYZVJCSE4yb2t3b1VoTjJJTDlvSnYtaXF4Ym5wWmJRRi0xWUllRm5udHNlcw&q=https%3A%2F%2Fecheloncheats.pro%2F&v=95MPl350oP0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc3759cc40,0x7ffc3759cc4c,0x7ffc3759cc58
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2104 /prefetch:3
  2⤵
  PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:8
  2⤵
  PID:1168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3860,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4640 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3684,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=3156,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4388,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5100,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3508,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5696,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  PID:1228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5688,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Modifies registry class
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4916,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4480,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:2584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4784,i,9992509604413136672,12584563177503401139,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap26521:76:7zEvent20987
1⤵
PID:4328

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1092

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4900

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\EcheIon\HowUse.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:548

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4552

C:\Users\Admin\Downloads\EcheIon\Echelon.exe
"C:\Users\Admin\Downloads\EcheIon\Echelon.exe"
1⤵
- Executes dropped EXE
PID:4508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\83b289be-da1f-45de-90fe-0804a731d775.tmp

Filesize
116KB

MD5
1133ea2c5b4f339e05cfc6e7bda7702a

SHA1
0fe4f6751a23666fb49facf1f5eae1d0db8cffc9

SHA256
6bb3803ed600a7d43af4a2ff1103d4922c48a27b73584caf1119b0a4d59c05c0

SHA512
9b02c98ff9e5dcdbdcc553cd7877e868b798e3b037dab1ced1517b5f5fd19ce70ee2b60729b1c5a7fa2098852da2426666a15a5bbdc941fad505f1089d480a2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
5138e45c1d355912bde5affa3f1fdf5d

SHA1
60244727f13281208cfbb42f79b948565c584f08

SHA256
8c94888ed955aa5aca0dab010e315d6ebef4daaa10392d055a8c37ebb5ae388f

SHA512
813085d3e18fde690ca4de03de560d9f31b6e160da3b6b046206ee855048ef79b40abe3b46a2d2a2e2259e39b2016bf1d3bab9cebb601b1981a2447fda754273

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
556d8cd32b9ad8ad56d67409d5c33919

SHA1
5f981e987ff793e0482aba8141a1b7e5fab66d15

SHA256
374ae7820877f31c9a6e01f8c6aa65ab35eb72b64dfc7ab0b08d197bf78aaec1

SHA512
7614b65e6b1ca3d39a5eda6accd1cc75321a3a373cb5acadbe2c579885821b3d7d36800097050341d6afda70147f7f53131f40a5b88611fbba1f8bb985b5e355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
b8e9330f9715f8ec8057007f231db633

SHA1
32a50e6066e0125acf4a8cfbb5b59777d8cebe62

SHA256
aa69ecb710a5ef2beafdd08dc0117648d76b35603360eb477f73bde855999c7b

SHA512
e850925a1a733ba56e87024bb6ec5564a6f827362a9516836c11497fbb4a1c0819e0a4ac7943ba56ee647bec206896e2415919e1acb87590bd88d8b0fe6fc754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
bf9fb70d5b3fcd1e7998a7ca1f703fdc

SHA1
e2299fc42069d5d997142c62165316e86821f587

SHA256
90e3ca7dfb338adb1375ff2f8f8bcb234ff5faab955a801c2a8f74269541ec87

SHA512
5800a609b5a0fb213638e583187bc03f8667493414804b8accdc36abc87ec90874e62cb3c050581f41707b3ca18b38cb5aad5deb2b618895f2eb491c58cfa04e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
9225b0fa70f3d739bdedf34a409e60c9

SHA1
a5dd9663ef4896b8cf1ec80970bbe4a94e81bef9

SHA256
0dba697dce691a48e27560b1051b365dc48e399f97eb092fadff90768531e991

SHA512
f2c30763eed8f7a45f0d5bae6fd15ad10ea8499b5bc7aa8187cf6ff474790feca3013f4c0277a12d888569950a21b0bc21a2a83352131255d7b55bf37b1c9b33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
45befab6442a64d9aaaa099f69e44be8

SHA1
0d396d0c4e7f54c6d7ace8acd124687b64ad5752

SHA256
f203396105d18c1edf505c72543168c8ca2bcba9efeec73613e532dd6f727766

SHA512
e43a7e48a529a18167fcce49a9f743e01145b1b45874a26396447602035c765fa84447172e6fea4dff449c7c5da4ef731597533de057057f4221584c93fd0e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
23964f117c137a063810333f4c9b973a

SHA1
10706eace7533dee104c7132829b7d8643e1a739

SHA256
0377470421088e8e89b36266be1ed1f577f39a9f9d68dd2b7715eb6ae455a64e

SHA512
0289cb7c142eea3a1d6c8998102fc1b45002407abab4adf3b8b66cbe354f2f27d0959115a6c96fb41d2d61bcc24b6aefa3770e883b35b1e5b7cd2c59ef4bc629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9c9b3e3ce449e2503096211ef87bb4d9

SHA1
5d9e3273eee871ba0d95e61c1ddfc9eee11f4556

SHA256
d0d823a7d1d882a2e9c91bb2c43d4d76780560c2d4c0a063509297471dc50d51

SHA512
f113f78b999aef44036614d210570ee8ee90f0bd83d3db79547a12288ed82b85672e67215539cb87c59449d25ec162e5aa58246d6f8f7605008a6190b6251511

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
bd14ea6699c92259f21895a92e1d89e8

SHA1
3df4f4d70160d28c814efe221a204f1b06240d22

SHA256
47b6dd90469e21537060699f1610411dad5ca70e32cd1651492e4bccec2e6185

SHA512
4a5f8557ae7574b6ab886196277265e6f65de8224411db2a2893cf7e6397e8613505ae843c12b3364cac88a16337bcc41cbb88330596d4eea73408eaf963f44d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e9e3d8a86404f61513c2291533ce37d8

SHA1
9be72ff99a7648bbefe517420e7bc8ab1b99fab2

SHA256
d288c352afbf261616d362f93b69847eff41f511ef060cccad71a6ab59830ea3

SHA512
ea9d2bbf3a85c34b0fc93ffd2fc3e5e260326e90a1c3d47c622ead34c5a09c378bbc376b5eeb27bb2b3a80c518c89139ffb05ffeea8591ba91506b8424c1bf00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
da1d5f2269a6005e7df490cbba00757f

SHA1
c8a8c24e6eee415392c9bd56663bef95a634c444

SHA256
351992c5b7073574b0a78c3b96aada344beb8ccc052bbde86b61255faed6752b

SHA512
d1d097b295a18a98f335af041dbbdf3a5de6435730f770f563d35fc04b1a64941b5049f52767fb0f8b6428fbb40c5d748d8e0f515f8588ddcd23a25f51fbae1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
a8279bbf89acf304af8e02ef997b262d

SHA1
53dccc3b1c52c01da9307790afced50653cdf3fe

SHA256
3d3038719fee6f5e0c3e8a7b9b16cecdf5e215bce961c05015b081366dd6b87d

SHA512
e353e6967fb2130e27ac5c43bac81a57eaca6af73c47e5149f51f4b878273210dd076ae8fd185b0f569c31d70f4be866512523c1cfb88ac995bcc872c1067987

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f6c185df0ab5a484ea6787637c0dd483

SHA1
2abad4b83149d1306dd58a90f0d06bc087b60865

SHA256
3ab13e0597029d679628dee285977aacf2ff781e96bfad5d8a1c8f7977e8cf23

SHA512
725f3d0a37270998b9203bd68418ab32349982215ff1a6f000a230fca738c6b59be920b556125844c82acf9bdc1ff1a7a84ea457bc66f53dbbf2fafeaf70cb4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fbb0c7efe576045b1667ef2e7482753a

SHA1
6d55905e7d4f1353354c39c351141fd899c55c74

SHA256
e99ead6cac113336ecc8fe62d30f40e286d3a8742e00964275b8a57f5d435c4e

SHA512
b30d950c25c5a46365ce9a537e11a51452d92090695aca20c6aba16d064c6f8f0457c836b200b5e6a851a282e7586ab527b33254ecddc748df93fbff3a2e21e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
461e43022f36c48ed4b25aae056e060d

SHA1
5503a13ce1d2d6b418290ace73a8d101c92f4513

SHA256
23db9c3739d91b75a7bf8324fbf571bbd7b35ea15f3ada94227b53ad4d76a28c

SHA512
b727e8109bdb477a53282dead799dd706d36401ab353bc06edf0042dabf68673ed0954bac8920b79e48975689017a8feb3029cf8d31bdf763fe34e275d36d52c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
af240e2eed206663b0579c08690e4d45

SHA1
a811758fa1d65bf717d01c054239b50597437dd0

SHA256
cb5db7c07097052949e80a481e5f120742430aef125d58ab0f2eb525de824675

SHA512
42a657d239bbcc93855ea718b8a8ed2bc474d02fc87e301a3e353466ec6dd02e7a2cf54e85e10bd132bcc46e37dac812512642ac23b8c7c11a6ae0d4e094cfc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
83B

MD5
988a42d4d74f320f15b53ed55b6813ee

SHA1
0b9b9e094b5d2fb89aa9876b20b026c18543de14

SHA256
4ff783409d9a2307dca9e702ff38f2d32244714847e6790d0ab24ee9faa2514e

SHA512
b8f37b084929d51cf0dc8d6f086ebd76c69fd93d227154ebaefdfcc9afa7fca1f594b01216d7fd41cefd451772fe9adff2a336cefc667c44a4c66c8ca706c3e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57a20c.TMP

Filesize
147B

MD5
ac409a36eaa5b9e8aed401444c4070ff

SHA1
f4310b3b33e1ed33625eca4c0c92c4670c119602

SHA256
77c412835a50b212f23c4ee922a5642f9565beaf961f27da4567f2fe86d25916

SHA512
74a3704f206bb8cb87310c180d77455fc6548fd3846579991e5e385f0946c2797c47c107bd726f16d7e032ce0896a1ef260203e68a0f5720b908c3f22f0cb229

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
61aa4d89e72090ed8394d11773243d5c

SHA1
695ff2700764fc3dc49b1c7fb3aee647feea8dce

SHA256
3e7d7692abe6a31fb6e8dfb3898635fef27631c04e2ea579ffa1c5dc532b4a5b

SHA512
d4c45ef9203deb72a90f96cb9da383ec66c1040ef310885922badb8a31e73a042a4df88f41cc62d855205aa818ce72367274f3869848d73bcc8dec518c0a35c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
2d1848a45654acf19191abe22ac4fe08

SHA1
aef7de1ee9a1bbd10858f06a2e8bbb4ed48ee7e9

SHA256
a92e92344c7547d246a658a6c3bc490344a4210744c54048a0ff4fbf823d95e3

SHA512
7ff007c3d5973b51a37ee539f7b0f59df64425b356d93af393ba0432437fd5198cf3a0709e21e1b72cf6686f30f212cd059b86791c26164f7975f68021208748

Download Submit
C:\Users\Admin\Downloads\EcheIon\Echelon.exe

Filesize
2.8MB

MD5
744d976d5410b66062c88e5f91c957c7

SHA1
28475d40bdc8522f23d7e20c156f87db0ca6ac1c

SHA256
9826dac19113485c882821fe767407955dc8eec684a362f56e05133dd1047c53

SHA512
8d1d8e4cb92e6383510f44db1c79ee5d68d936397025685925c6a9418eb9b7518e5473f908c3ce8de4f0e8e672dabc21da6c1d089b402aa570216ae0eca2a380

Download Submit
memory/1092-280-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/1092-281-0x0000000000AF0000-0x0000000000B49000-memory.dmp

Filesize
356KB

Download
memory/1092-266-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/1092-296-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/1092-277-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2724-321-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/2724-337-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4552-338-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4828-323-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4828-301-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4828-283-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4828-278-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4900-324-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4900-302-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4900-284-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download
memory/4900-340-0x0000000000400000-0x00000000006D1000-memory.dmp

Filesize
2.8MB

Download