lumma | ba824398ef5c128a71f5beafbbeab2f151c7aa781ab4e712cf750f1ba94101b2

Analysis

max time kernel
77s
max time network
84s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
21-01-2025 21:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

ValorantExternalCheat-main.zip
Size

276KB
MD5

3553419f94186e4de8152cf0194f8f37
SHA1

23da3d0cac76bd7a458fa25bba716a866a304ace
SHA256

ba824398ef5c128a71f5beafbbeab2f151c7aa781ab4e712cf750f1ba94101b2
SHA512

e2c211f879c16f062c724cedeca672e7dfadeeea13c976bafc6b7c15936a3d01cef168545e251841ed378c059d06c6eeb95ea1ad381b9be9dc894eebfcae4ced
SSDEEP

6144:BfBvW03SUNn/H1VEmtpjDqErPdAaihE2/pI8qj7ZaLP5TkPMB:Bpp3J1OODqIPdAdq2/q97ALRTvB

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://undesirabkel.click/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
4976	Loader.exe
2704	Loader.exe

Loads dropped DLL 2 IoCs

pid	Process
4976	Loader.exe
2704	Loader.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4976 set thread context of 748	4976	Loader.exe	102
PID 2704 set thread context of 4812	2704	Loader.exe	105

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "228"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133819671264412854"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe
3968	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3968	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	7zFM.exe
Token: 35	3968	7zFM.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeSecurityPrivilege	3968	7zFM.exe
Token: SeShutdownPrivilege	3000	chrome.exe
Token: SeCreatePagefilePrivilege	3000	chrome.exe
Token: SeShutdownPrivilege	3000	chrome.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3968	7zFM.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3968	7zFM.exe
3968	7zFM.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe
3000	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
908	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 4480	3000	chrome.exe	81
PID 3000 wrote to memory of 4480	3000	chrome.exe	81
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 4212	3000	chrome.exe	82
PID 3000 wrote to memory of 1380	3000	chrome.exe	83
PID 3000 wrote to memory of 1380	3000	chrome.exe	83
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84
PID 3000 wrote to memory of 1392	3000	chrome.exe	84

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ValorantExternalCheat-main.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3968
- C:\Users\Admin\AppData\Local\Temp\7zO08FD8788\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO08FD8788\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:748
- C:\Users\Admin\AppData\Local\Temp\7zO08FDBFF8\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO08FDBFF8\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb99aecc40,0x7ffb99aecc4c,0x7ffb99aecc58
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1808,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  PID:4212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2120 /prefetch:3
  2⤵
  PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2184 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3524,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4952,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5060,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5036 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5208,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5348,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5516 /prefetch:2
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5656,i,11411126225348193416,8501451860006180526,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:1896

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3168

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a16855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
96eefdfcb0064427be9dddb94cea6e4c

SHA1
dd07f697677744f99fe0d54ed5d2cedaac2933f2

SHA256
be68bb50364380694369e81175dca3c7e4e9094f9c8d1c4d3fe39494dec2fbdd

SHA512
ceb7cc9471631ec7e187e21e75e31f261a813cad15b722149264b30a1073ad11b88e9bfd9fbd63b94c95e0fc8ec027295e8c85a93c1ea8fac1da5f022c49502c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
ba7adc122e5120b4384fd7c64f452b9c

SHA1
89b85fa74e7de6c270a21e09a5097f2d41650f38

SHA256
15afc6effc67e560bf54ab851f1c53451e0b1db104631dfe0fa1d8846fca72f8

SHA512
68d913b564703c5cff5ba5daa987f840be08e64c04f3f46eeadaa3531166091b00db929e76fecd339506aa5f8b6ae2ab7bc1fb41745053029a44c1e1e8a3a33b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
162333cf0449ac05c97dda497fd83744

SHA1
9ce7132e1d90401de2416c1bdc9bd67195b5ee3e

SHA256
fe650c82494fa3a2fde1e07eb994d64f7b0944f73189fefe1db4ec2c27bc5483

SHA512
e4ba3279c25be30cd3c3989cfd4ad64d7091f47dc358009639ed6f08a1ab9b5f17805ab47f65a8ce3ff02f592c19b163912d45448ecd1ef968d0dcfe5c165786

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
746049b2f7db6d03f056aa6316b3e047

SHA1
d198a06a31e7f011c6247457a8e58211cd49e60d

SHA256
484e72747ee25dd7c27602f837e6bd8ac455b4ffb3bd4264db006a8da7e8c527

SHA512
509f1f4e667a5fce21b5ad9d80166202da87f95194d7830c6c706c687a1fb511edd90c1e21164875028e833111e3d0b5ae92b4c896b3684dadb6da60c961ec6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20409a34ad302ebbad72ad818cf9a29d

SHA1
e88acbd1bbaaa1e42848ed4540213d467d13508a

SHA256
34c99c5c8d7bd6ccb1b84ac105b96f56568bc33e18a5178c81b2bffd93803f90

SHA512
5c11d1b4faae36674e01903123ea5678f3e52a8ab066d1f0a294c1a210b93cf2aa48501800c1c4ddbc3d61c3312aa87b8b2bbfe4c908ca8f5459d4d54f9ae9df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a88f635e326207e53f0612122eb7de0

SHA1
591cfd0f222342566f3ab3f0501f44688226cb31

SHA256
8322e71db55c6651229becc657d24c562f33e9e15f2deb8b1a0a54636b61cde4

SHA512
f9ba3607cbef75bff7fe5374b8a63040f0dae9b4dd9652671b13f513f97909f7b2c4a851d53325468801d523fab68491b41a5b491b235f6864b7b014d94aee91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e2ffd78bc88951fac7873c111d11543e

SHA1
98172913cb23116f1ff3707fa4f26e86fbda0971

SHA256
0d327987f0cb28047e3de93c65d1acf599d095bc5cd4dce629d4b574b60c3466

SHA512
964310d446e2bb6fd28dca4dc5f0ea498b6cee8b03feb5515dc9bcd82da4a0724f9d0d707804db2c98631ea02a53ad239da807307b07e11cfcbb1761d0de1c20

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ab7561bea8c5e9c19d0cace507783e5d

SHA1
b78a86a395e83fb9315dc53e2351f626bcaf5b82

SHA256
3a9fa7b09dfdb18a4246c141fbed28c3ebc56d913bcedb80be5c4f163f90ee86

SHA512
1d76e67e20bde187ffb73373bf343bec4918c1dd41c0238c0662ffce56eaceffea07f4b5b03ee71718ee295423146856faaad3c7179673b21f59f152da8626ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
7fdc46f0b5c9a2aa371a9de80ecc734d

SHA1
07af6235b26fd34f64a885ea6edb752907bfe7f1

SHA256
66f71925adae6607483b485c3e232a98fa4033491d46e79d918f28d25c93ccba

SHA512
ef09218dfdc3e74cd0e96ce2185dd4118e7306579fc5cb8bf1275d46fe77e08cf65f5e0dffa66b2937de405d10c08f8dc24b9a4e1d3c511c86b587a835b0526e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
850ff95e903bd10ef904bd2ce1dba83c

SHA1
de26ba80c10c44599e023bd307e91bcf376e5bf3

SHA256
83cbfffbf3ac530e6ce1521aeac80a1a5fcb08a83ed36d790f80b72c5fdf3a61

SHA512
3b5f4887cc2bfc00cebb7fca894e22e920acc1aa90aaf7f3caaeae4f0f1f4df91c20eac5387e0d85c24b57b3de91a2a4b8bdbf19ea5db0afc330715b6918cb6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
20d15637c3fabd76a07b21797e5182d8

SHA1
962179ad1322814fd59711f69032f175cb279548

SHA256
ba86b00af248291819c4c14503612b2ef95e94a238d02245f284fe2d89577557

SHA512
8469343a0927cff5895703a674d91ed470e9a211607303a2cc66709e176ca8f5eed0ae0e87d85905791e7f9c50c0c838bf02c442a8ff12f883b3fd2553180da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\49abe770-6946-4067-83ac-fa7089baecbb.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO08FD8788\Loader.exe

Filesize
489KB

MD5
d685ae29670dbc00b6665b5511bda6cb

SHA1
2f49b83a6d7a5f9e5151c6f7f1b3fa9e6f4b25a9

SHA256
0518c095cc948ab003cd4d12a1f95f0579c52c17f9102976b5799cd0bd85e6a2

SHA512
d7705fcd8751a49cc17962ac9b6e228f55ef74aab066cabdd5de74518686feaea951487a042683ea3e055ce04e0b971b528572aac920f325fcf64d34167450de

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3000_2129689741\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
428KB

MD5
36c0b5018242a87d99e2b5000dfc29ad

SHA1
d46f1ba661e3d18c8b1e7895920368e9bddbc7ae

SHA256
94cc3d303105493943c6cce20473c82eff3942515bfd73df976e802d97be78b4

SHA512
8f10af3f519e2c52539fb79ec16cd82470f25c0863b622030ed4bd59f437c9109caf46d151c18889c4939a44672339d75029c8f757cf7118e759b90355317f0a

Download Submit
memory/748-517-0x0000000000FA0000-0x000000000100B000-memory.dmp

Filesize
428KB

Download
memory/748-520-0x0000000000FA0000-0x000000000100B000-memory.dmp

Filesize
428KB

Download
memory/748-515-0x0000000000FA0000-0x000000000100B000-memory.dmp

Filesize
428KB

Download
memory/4812-542-0x00000000004F0000-0x000000000055B000-memory.dmp

Filesize
428KB

Download
memory/4812-545-0x00000000004F0000-0x000000000055B000-memory.dmp

Filesize
428KB

Download
memory/4976-508-0x0000000000DA0000-0x0000000000E20000-memory.dmp

Filesize
512KB

Download