lumma | 3c7f1a128de9afaf53eb1bc04944eceddc0e8dbfca6dac520e51c7da7d925848

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-01-2025 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SoftwareApp.exe
Size

1.1MB
MD5

79027a797eeeed90f0f914f229750eae
SHA1

8e0576501a2a5b873754c6a7f0739bd79510164c
SHA256

30338f9c85111cfde8e68398db0427f89a549427e0598384744f4a27d9d836d1
SHA512

20d77e4c1dac67e5aeab3ec7c61bb5a5aecc10dd6f799ea99f9b8ac5ceb63b6a52d7f6d1089eb7c4c865cd081dc2ce4a2f886d56a159d1b8a41db9461b2c87e3
SSDEEP

24576:ZXOMDyej0BM8I7oRCL7piz5nWXjeZW7nw5X319kSY07C7L:VPWe01RRGwn4jeZW7w13kSYZ

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs/api

https://motion-treesz.sbs/api

https://disobey-curly.sbs/api

https://leg-sate-boat.sbs/api

https://story-tense-faz.sbs/api

https://blade-govern.sbs/api

https://occupy-blushi.sbs/api

https://frogs-severz.sbs/api

https://curved-goose.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1640	Amendments.com

Loads dropped DLL 1 IoCs

pid	Process
2040	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2756	tasklist.exe
2660	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\BeveragesJungle	SoftwareApp.exe
File opened for modification	C:\Windows\ZoloftSterling	SoftwareApp.exe
File opened for modification	C:\Windows\MsgstrConfirm	SoftwareApp.exe
File opened for modification	C:\Windows\FinReported	SoftwareApp.exe
File opened for modification	C:\Windows\CrackCongo	SoftwareApp.exe
File opened for modification	C:\Windows\LosChurches	SoftwareApp.exe
File opened for modification	C:\Windows\MessageDelayed	SoftwareApp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SoftwareApp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amendments.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Amendments.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Amendments.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Amendments.com

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1640	Amendments.com
1640	Amendments.com
1640	Amendments.com
1108	chrome.exe
1108	chrome.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	tasklist.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe
Token: SeShutdownPrivilege	1108	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
1640	Amendments.com
1640	Amendments.com
1640	Amendments.com
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1640	Amendments.com
1640	Amendments.com
1640	Amendments.com
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe
1108	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1892 wrote to memory of 2040	1892	SoftwareApp.exe	30
PID 1892 wrote to memory of 2040	1892	SoftwareApp.exe	30
PID 1892 wrote to memory of 2040	1892	SoftwareApp.exe	30
PID 1892 wrote to memory of 2040	1892	SoftwareApp.exe	30
PID 2040 wrote to memory of 2756	2040	cmd.exe	32
PID 2040 wrote to memory of 2756	2040	cmd.exe	32
PID 2040 wrote to memory of 2756	2040	cmd.exe	32
PID 2040 wrote to memory of 2756	2040	cmd.exe	32
PID 2040 wrote to memory of 2708	2040	cmd.exe	33
PID 2040 wrote to memory of 2708	2040	cmd.exe	33
PID 2040 wrote to memory of 2708	2040	cmd.exe	33
PID 2040 wrote to memory of 2708	2040	cmd.exe	33
PID 2040 wrote to memory of 2660	2040	cmd.exe	35
PID 2040 wrote to memory of 2660	2040	cmd.exe	35
PID 2040 wrote to memory of 2660	2040	cmd.exe	35
PID 2040 wrote to memory of 2660	2040	cmd.exe	35
PID 2040 wrote to memory of 2788	2040	cmd.exe	36
PID 2040 wrote to memory of 2788	2040	cmd.exe	36
PID 2040 wrote to memory of 2788	2040	cmd.exe	36
PID 2040 wrote to memory of 2788	2040	cmd.exe	36
PID 2040 wrote to memory of 2676	2040	cmd.exe	37
PID 2040 wrote to memory of 2676	2040	cmd.exe	37
PID 2040 wrote to memory of 2676	2040	cmd.exe	37
PID 2040 wrote to memory of 2676	2040	cmd.exe	37
PID 2040 wrote to memory of 1056	2040	cmd.exe	38
PID 2040 wrote to memory of 1056	2040	cmd.exe	38
PID 2040 wrote to memory of 1056	2040	cmd.exe	38
PID 2040 wrote to memory of 1056	2040	cmd.exe	38
PID 2040 wrote to memory of 1640	2040	cmd.exe	39
PID 2040 wrote to memory of 1640	2040	cmd.exe	39
PID 2040 wrote to memory of 1640	2040	cmd.exe	39
PID 2040 wrote to memory of 1640	2040	cmd.exe	39
PID 2040 wrote to memory of 2952	2040	cmd.exe	40
PID 2040 wrote to memory of 2952	2040	cmd.exe	40
PID 2040 wrote to memory of 2952	2040	cmd.exe	40
PID 2040 wrote to memory of 2952	2040	cmd.exe	40
PID 1108 wrote to memory of 1968	1108	chrome.exe	43
PID 1108 wrote to memory of 1968	1108	chrome.exe	43
PID 1108 wrote to memory of 1968	1108	chrome.exe	43
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44
PID 1108 wrote to memory of 2264	1108	chrome.exe	44

C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe
"C:\Users\Admin\AppData\Local\Temp\SoftwareApp.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1892
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Pf Pf.cmd && Pf.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "wrsa opssvc"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2708
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2660
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 620516
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Bird + ..\Updated + ..\Inner + ..\Ba + ..\Sc + ..\Spring + ..\Publication I
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1056
- - C:\Users\Admin\AppData\Local\Temp\620516\Amendments.com
    Amendments.com I
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1640
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6da9758,0x7fef6da9768,0x7fef6da9778
  2⤵
  PID:1968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1196 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:2
  2⤵
  PID:2264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1516 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:1
  2⤵
  PID:1876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1396 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:2
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2964 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 --field-trial-handle=1384,i,4228793275495042917,9711476227793934452,131072 /prefetch:8
  2⤵
  PID:1840

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\8077824c-92f2-4a26-a614-449dc6f780b7.tmp

Filesize
344KB

MD5
02a0503fb4ae3db9db73a71ef7dffce2

SHA1
caeba2861802f7fe9170aa21bac3adf4b5703ed7

SHA256
92f640e1052297ae48bcafeb5a091bf828d8552412b80ad3321fb9e354bd1de7

SHA512
242471989e762bd49b2ffaddf1b5563c3266b3317e00856dd491229e909968e30c0bc61da617db0089b978668811f3ac64b1452882ffbd13c5caeea1657eefd4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cdf60f22bf3dff6c2729c8e0cffb36a6

SHA1
847a3460973ee5fee069e25ccb56ee5d2f5fad4f

SHA256
686ae9e4232750afe63a9f619a48c2142760226a1012a3b48461bcaf8c00fe89

SHA512
1f71cbd5ebece3396739f1568ed46b8dac86080e7159168944d962231e82499052da6708317ff9edf77c524274f2dbce3c0d5ac2c1f5c75ba9bcb295ea9d1fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
344KB

MD5
f500961897a86a6b4c0633ab8bd46ef1

SHA1
4c3e2b377e9ed42a35305c9a8f88b840e7aea174

SHA256
00166c0cdcbfccf9065d99a06b5e3301e8f7ecf830c22b5e91cb9f17cbabe0ca

SHA512
0a29321fdb39b4c995cc2d343f0056d0524a0f7926d6a591634ee526b305c2df41838e3387a793a1b32199e023b96213955a1257f75c41d96290d3898d26e78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\620516\I

Filesize
466KB

MD5
ba169007ce0879be978ac73959fead79

SHA1
70360c5b73b51c2df523b4e8355ca30c25889c52

SHA256
3f6c265712e7aa53ea6fd14289093e4767f875df8a73c10bf34b1ff260114ad9

SHA512
11da7ef892a050a4f8b7172c841a89eef23a23e9e39e5d5afa309a066819449fb6d9d3caabb3eb265a5535e4df020c61e1989b7d14e1e30ae5f1f3a94bc7b14e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ba

Filesize
59KB

MD5
31ceab7961bf0b6c333fa8ebb28af3eb

SHA1
8e655c50d8b08979d1c3618b874e58047a7e2ed6

SHA256
df222d67dfff592caa344786d56f8bf2b5ba884b7564c942e37ca66965aa8354

SHA512
c6e7d1b1c3e5ad2cadb72eee195562286c41fb409c0f617a2cf4cbca9153a581282221686ed4019898c5c1a572c94cba29bf0bf009d0025a0b9ea70ccf09ee0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bird

Filesize
73KB

MD5
c66e93c50b9fd3ff5702f63c1fe96c56

SHA1
6a2a5dbfb14fc56ee7abba45f4e968dd23de8056

SHA256
862007889c62ae90528de1b1b43b94500c6987250ff1649c145f637454ce1e81

SHA512
cbc39b2c74fe4ccfb3e8a800d9217ee579af1e984316a7049b17b1b7e5477420af0381272f8cab765ddfb91c6deac836872e1547780fd9e3ef4611f91a711086

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF105.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Inner

Filesize
80KB

MD5
2f8a50211b9db10b743d2006c3203b2c

SHA1
2e7442dd65844297132a554b92777594fdccb455

SHA256
fb57488d1940c03cc4b986653ae5841f50215268b0439d8858a34d26fbdd770b

SHA512
542f03a24bb48ef99a4ca9ffea4ad63a298bbba84e66f8c44866c19a2a8ae96e197e3f233d200fb2d9436450a6f99d7ff8adbb7e72b0c466d926e58c5bdb46b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pf

Filesize
21KB

MD5
bf982ea83590e1e15117dbeb2aaab1b9

SHA1
2baa1e186ae742a87b43cb29c61dfd94ab42f792

SHA256
cf26eeeaa5df066c301c4f34509d187cbad2eeb594aa475c5aca3533bb1eb49a

SHA512
1cbacfeb492fac8c1050d0dda23b120069f2da359afd9d16f55fdc83e3291db9eff37000b69dd1effce840982e461154993f14433a2248f69a9c2ca74c3e3b0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pointing

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Publication

Filesize
14KB

MD5
f0a4aac3387813744b7265be1558b3c3

SHA1
a70462ab7fc1358cb1fd5cb59813e04a471e693d

SHA256
96800881a41c22f503e0ce7da8dfe2e7f03be16b48fc4ce64a77dbebc702aef6

SHA512
cf564fe1b46376c1057b907359639d67ed3744f702bf04ec950ed05741f7937bb085440a0e90f559a61afe09ffe2d56f001becf44f4c34e3a6a7176fbc8c3fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sc

Filesize
67KB

MD5
431416797d6b8071301b91118bdac1e8

SHA1
b048b520371e4268be95ca60e0012c97909aabe6

SHA256
627de6ea879484ae23b92da2746d397b1fde20e9192fe3d81f725e2f38bfa30c

SHA512
fb01a189fb8cf0483977e34e98dd768b69819b37c7d4ff3c810a68269ba21c1ece20e254b97f0862e7b78a2342144a712362ed859e45243a8f2a33745473eacd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Spring

Filesize
81KB

MD5
98d4ffdc03883da2ba9d41ad4e210747

SHA1
af2574f7cd2fc830e032819cab163d3afe0e166d

SHA256
5a7e7f49dfcedf551a76074b5a17c4a42c195434144391bf1fd5c222443674c1

SHA512
bbe8c0808c9da1025587f899061c06bfab858448e48c8328b1dc551fae92dccfa8a56fcd7800ef34358c2eb538d247bf0cbf73edeb2343560e9a906f7ce4ca19

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF127.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updated

Filesize
92KB

MD5
ed7f4ff5aa27bc1f1f2c40775d06c8c2

SHA1
00e4e8da18c99e09d785c7a5df448f9b5c86b1b4

SHA256
eb988e5bf0b2577a74f7fa0ce801f3dfbde3bc7314e73b9972016d4e07789c95

SHA512
d611e0b4b62181852cb0d81a7043a14abfd158ecac616ca726c3819b7f33a394cf6064722b0adde96b7540509abcdfdeafb45a5f5b850ceef73810560acd00ca

Download Submit
memory/1640-504-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download
memory/1640-503-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download
memory/1640-501-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download
memory/1640-502-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download
memory/1640-500-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download
memory/1640-499-0x00000000034F0000-0x000000000354B000-memory.dmp

Filesize
364KB

Download