lumma | a3758d74b179a3b9451c592c873cb6c452f466424d31a3146490659eb8871340

Analysis

max time kernel
144s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2025, 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Instll.exe
Size

956KB
MD5

5d1f29374f9a4d974f228932a5124e0e
SHA1

58a617ffb55a865e1a75e10a18f4f6ade2bd82e8
SHA256

a3758d74b179a3b9451c592c873cb6c452f466424d31a3146490659eb8871340
SHA512

2cdba9d5d5686669ebd92d1304758998d10d57001ad963e08bf63683a2a4cd7cb50dc5e58d585f5a58d5a8203fa0ce9fe3d006be6b90861b4ff8d8917485cfe9
SSDEEP

12288:fwUwBIZ+x5TmTDaF+baUNGZQ64TcoekVLo/Va8apJUOtaPccTrpFjUy/pS47SETy:fwlIExtUXbaVQfcZe1wOScy1VMwShxY

Score

10^/10

lumma discovery spyware stealer

Malware Config

Extracted

Family

lumma

https://clarmodq.top/qoxo

https://soursopsf.run/gsoiao

https://changeaie.top/geps

https://qeasyupgw.live/eosz

https://liftally.top/xasj

https://wupmodini.digital/gokk

https://bsalaccgfa.top/gsooz

https://zestmodp.top/zeda

https://xcelmodo.run/nahd

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3468 set thread context of 3116	3468	Instll.exe	94

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133887756926747013"	chrome.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
1568	WINWORD.EXE
1568	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
3116	MSBuild.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeImpersonatePrivilege	3116	MSBuild.exe
Token: SeImpersonatePrivilege	3116	MSBuild.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe
Token: SeShutdownPrivilege	1936	chrome.exe
Token: SeCreatePagefilePrivilege	1936	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe
1936	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1568	WINWORD.EXE
1568	WINWORD.EXE
1568	WINWORD.EXE
1568	WINWORD.EXE
1568	WINWORD.EXE
1568	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 3468 wrote to memory of 3116	3468	Instll.exe	94
PID 1936 wrote to memory of 5288	1936	chrome.exe	107
PID 1936 wrote to memory of 5288	1936	chrome.exe	107
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 2924	1936	chrome.exe	109
PID 1936 wrote to memory of 2924	1936	chrome.exe	109
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 6028	1936	chrome.exe	108
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111
PID 1936 wrote to memory of 4280	1936	chrome.exe	111

C:\Users\Admin\AppData\Local\Temp\Instll.exe
"C:\Users\Admin\AppData\Local\Temp\Instll.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3116

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1840

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n /f "C:\Users\Admin\Downloads\StepHide.dotm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffe51eedcf8,0x7ffe51eedd04,0x7ffe51eedd10
  2⤵
  PID:5288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1984,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2056,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2404,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3212,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3364,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4372,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4388 /prefetch:2
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4728,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5428,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5440 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5504,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:4936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5724,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5596 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5752,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:1832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5780,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5500,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5652,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3220 /prefetch:8
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5508,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3580,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3888 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=3552,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5452,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=4420,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --field-trial-handle=4516,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4164 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --field-trial-handle=4392,i,4631435790583174349,3417474318109190167,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4496 /prefetch:2
  2⤵
  PID:4724

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5224

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b1aca51c452a4104f9e5d8f1cf252ac

SHA1
dce41e12c171af98b49e2a99a16c91a4ed93ddf3

SHA256
06a8e67ee781ca45f93d1c5c65a4fde747f18d18057de04525c9aba16cb12d17

SHA512
f25ca7203c53cc5560b53f8249a8a86d224f7ded088f2a165733a8b14d5633fa396f78b33ea2290896dd26e6d6e0ff9c31a2b8e067bec8f9734065e0bc2645f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000004

Filesize
216KB

MD5
50a7159ff34dea151d624f07e6cb1664

SHA1
e13fe30db96dcee328efda5cc78757b6e5b9339c

SHA256
e990d9d31c4c7d57dd4795e43baea05501fb6ea8b7760f89001be660425dd01b

SHA512
a7768dd7e315b07754a305080e0fc023765e5a224b2c3824e8e10f29286df63bbdefef379e069941fd8cd9c7c3befce976779ae2efdfb6e7da697b09d7f07250

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dd714acaf3982f8ce96e07f690addf1d

SHA1
108b1821c3131c575b872e16680cd8857a5dcefd

SHA256
28e4b66162dcfce8f4eb8e7fa70a5c5ca997c84f8ef00a2f53f6ad2e4ac043dc

SHA512
52d3a86f40c24f05076bab0c6e3d7651b98a58f5b5742815564e2d7fbbe7cb7a34543732b549711b23fa042af8ed928b99717d9110fa6cc82193c52f6168c931

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
e1c70f99ea6cf593ca739af63324aab5

SHA1
e00e935dda0bba8bb2401d13000b0aa0378f2660

SHA256
1698dcb0fbaa47b3dcedf4901104ecb5b22d462a2d712456dbe49d3c859b8d09

SHA512
9921e2e927d1d4e4a49041ce0a2784f1344481d9fa626291cd08808948631e37b019c840af815cbe01d5d0ce30fbeddc6f6ee7aa9854575c92eec6a8ccfc39ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.90.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
7KB

MD5
3e701f5a676b753538bf664099190c60

SHA1
bd6ad88a13e213d9b08c168935996a550e4c3bc4

SHA256
cd751b45afd8eb9e6f227b69fc8ece73de7af5961a94c735e04cb394236518d9

SHA512
ca6ad66eb1533966071dab9de459b5ad7a4cc7d01f626ee527cf7ab08664585a9f42cb03d9c76acb4c3e923faa16ebb9e0a9debcd10ddee9da4084ca3579fe6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
1a78fa3b54a88734e7faacce5e909820

SHA1
629094ac7736d0fc5aeff5327f50a3daa6c8c448

SHA256
ae4ffb2114aeee58b283e37799136f586a1c84ddf4ca937537f8f42ccb04145a

SHA512
e484cecc22c16158a5e2c45d2d1c345bb758fb621da86932174c6c5a885544dec94144b89d2850be06127e12d51a172a0630fe967320518bbbc4241fe5cb0c34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
478eede1473899fb1bcf5fdfd9d6ee4d

SHA1
ef39ad1b757fce55414381e17aaa75b21e0243b1

SHA256
83d12ba5c4b5c635a2215332534285a2e96c3e84b08b8ad11ad813b423dddc47

SHA512
25fc0f1bc851c329d564873fefedd8b49980b7a376ad814328ddc79bd0f53c303bb5baae7420473646bac71a0c1ec7e92bc2a7ddf74a486f603736043addf2f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b8deca35811bfecfd7970843cd79064b

SHA1
7c78cc05408931de539894e0683d8ef8bf572ef5

SHA256
9614691dcb12526fbc26b01185c40dc12b95ebdd12610f3ba5024bbd6aed5f09

SHA512
2d1f899d8a78e659e63cb31fd6fd6a5e267b2bf56cb46b65213c9efd33b1e1fdfb2103b0ae3a733aeeaf81227956f946089bc1d6ad592170418328eaf2560d8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
4f099fec343f62793e83257af568286e

SHA1
6a3c19e0d193bd64c07a5e9a6f0fdc29a4527100

SHA256
52b3d1d15cbb578493fa8d3170f2ba8ae0f1cb30e2b44eab420aab527afc1724

SHA512
ffda3e078c892cb493736c4cef179d70e0a0795511e5d2d32a5949abce96496182c43e29c904cba8740d51aca36495c153fcdfddedd06dfb0276b4288a20f2f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
18KB

MD5
6f9633884f004afaccb14c2e5cda93e8

SHA1
9c732bfeedacfd1f0d9d791fd670619db5c325a7

SHA256
177a7e2c6edfbf56ac2337be607a44ab2c18c8a7e10953eadd528c7963926a34

SHA512
e4bfe98c408d95fb264fbd5b0912fa1e1d6b55489357d2fd5cfbbedacdd2797fd838f99e8edea1d157e04858c996438309e946870461c12bd7bc6496f9e98ea8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0310d6886207da18fe000515b4a3fe59

SHA1
5edab6c7f8178786f11f7283be851e4667efbed9

SHA256
927219afad2f7524a4986b4f7e3a36ac951b76b047ebd9cf1ea05ca8fc09aeb0

SHA512
9873315cd149c667d8e1fb93d91b2d87d30154f6b4f8e6c1c55509fb148c4eae3bc05224ca4c3212d8d8eaa02baaaae8339cbd08ec0c92604094cdbaeb024654

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
192B

MD5
a0bfde0fd1c37e0f966dcc48fe8af98a

SHA1
5490441f3631384b6b1a49ada4b68275b2186066

SHA256
703fee7dbfd99f881855f393c329536548124f4f2895bfca6f1341919e4e12a2

SHA512
5dd7bf6299854129f769998eaf48d33e37e544e6b75a5fd60d91bf81f3358f5f02c8ef4d1c975565b7ae6fb91c411d77d366e5c19ca69ef7abab189b51e01775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
37b869cf7f6b8a1dfa9cf20a07cea841

SHA1
43da83cb853981673ed8276d28e0069ae7e49ae4

SHA256
b448c0fb788287b7bab52aa6c947dfe8c5f909517653de4118f1891233dbc8dc

SHA512
5c24785b6092c4feeca93fd1a24ef820b16b9678df5ab88645606c4b6434f769e4ac4a7db7abf7460b96d9fdea744ac567fbf798235ad5e40271925b62305bdc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58463b.TMP

Filesize
48B

MD5
b5087d0bc88317654c0ebfdfd62d1782

SHA1
f606b583862dee41468f914645cbc6532f3bc8e0

SHA256
282d144f8ecb032e8e7a73afec7ccd445f301ef20ad34dda6eb5c5bb83ecf312

SHA512
f6b87c89ca6d7a2d3ac812f3d7c8367ed42d03d22351d74a352ee8de3276717a657d644c553a95c4162bb8d011ef15b971c0354a0f94e18bf5ed5c9425c519f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
3f741b7be78c1878d563bfc721add4b1

SHA1
2b6c5ed1e40475066551d15ccd2495129258bcf3

SHA256
0d23f54589bdefad917aef44de65c7fc3a889709f2886b24683f9a0e95199e55

SHA512
faddfe5019939f313aae4455eedec87ddf9c044e4eb59f805fb58f608941070c3eba7f630d6208ceac2fb601eee6547a8a973c17f2e90291a44684d58e1c9953

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
52c1c57ed3e05f611a5829b47a53ef1a

SHA1
d127d4f24bce05d6f2936e111afa28227dceb0e1

SHA256
de70b073cab6eaa989cca0c8e243e6c1c68dc76ab56b1f06a27208fd12c0b6bf

SHA512
53c7ed0c9d5bebf1b95e3eac49d103158a824354072d66eeaac26b1aeda2583dd0b715d9e4fa16c90d4561f5c526266a596a68633251a35d8fa2457e015e3580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b82f7323725f12b5adba9ddf8153ead9

SHA1
f338dac6d8cfa2cbb97a22420acb0d43847fbbfd

SHA256
e8ceaf87fa71b29a17d8bf14fe33d9ff6281fda5be046728a2c903217f109946

SHA512
f1a30c9acef1abdd1dac7a8675127d3b87ee4bfc7dfbf9cd3ef8c8de902fdfe2350df4d712253c6fb8e68ecccc53f627f97a990a3af0a3f44d1881b8a0a4de3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1936_227174406\9af7fa5d-0416-4d5b-ac3e-1df41a6b17b9.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\Downloads\42bdd3d5-84d4-4aa3-abc8-2d0c6da32b0f.tmp

Filesize
64KB

MD5
7cd4d00ae8e2ba7c633d16d2674ab3f6

SHA1
942a5c66bdca3845c3b449af928e6bf4f71ce810

SHA256
32f7713933e2be624478929c2bbc5e01d8638091e06c4ee44231d0db3dac4f16

SHA512
be0ae3e25e5a8e13a02304adcbd44ac7aa3ed9fb819ef744354080f216304510711870de3b9ed97bbeb2c81623248f9454df83c4792c1c77637a96fe0c18b2f5

Download Submit
memory/1568-19-0x00007FFE2EA50000-0x00007FFE2EA60000-memory.dmp

Filesize
64KB

Download
memory/1568-21-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-11-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-10-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-56-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-57-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-58-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-59-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-60-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-20-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-22-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-24-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-26-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-25-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-23-0x00007FFE2EA50000-0x00007FFE2EA60000-memory.dmp

Filesize
64KB

Download
memory/1568-12-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-15-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-16-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-5-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-17-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-18-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-14-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-13-0x00007FFE70B90000-0x00007FFE70D85000-memory.dmp

Filesize
2.0MB

Download
memory/1568-9-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-7-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-8-0x00007FFE30C10000-0x00007FFE30C20000-memory.dmp

Filesize
64KB

Download
memory/1568-6-0x00007FFE70C2D000-0x00007FFE70C2E000-memory.dmp

Filesize
4KB

Download
memory/3116-0-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3116-4-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3116-3-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3116-2-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download