lumma | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbTFGOGpFZU9QRFVWMHpkM0lUbmlsX3Y4N25KQXxBQ3Jtc0tub0Qyc3FXUnNwNEFZbGJ6S0NIdFpUYW5RYlhwNzFpbWZWYXNIenJ3Q2U5SkZKemp6bXhlbDZKNUtDUXJXVkVMdHQ0VU15Yi1KbkJfN29Ya3V3VkU2YTFrVk1IX0x0dXNWZER4MEFKck1YUDJ6QWVDVQ&q=https%3A%2F%2Fapp[.]mediafire[.]com%2Fnqf65u1vbguey&v=bapt5CE-4u8

Resubmissions

24-06-2024 07:25

240624-h83ngs1ane 10

24-06-2024 07:22

240624-h7ha6azhrg 1

Analysis

max time kernel
74s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
24-06-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbTFGOGpFZU9QRFVWMHpkM0lUbmlsX3Y4N25KQXxBQ3Jtc0tub0Qyc3FXUnNwNEFZbGJ6S0NIdFpUYW5RYlhwNzFpbWZWYXNIenJ3Q2U5SkZKemp6bXhlbDZKNUtDUXJXVkVMdHQ0VU15Yi1KbkJfN29Ya3V3VkU2YTFrVk1IX0x0dXNWZER4MEFKck1YUDJ6QWVDVQ&q=https%3A%2F%2Fapp.mediafire.com%2Fnqf65u1vbguey&v=bapt5CE-4u8

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://spludgemercydowwerw.shop/api

https://publicitycharetew.shop/api

https://computerexcudesp.shop/api

https://leafcalfconflcitw.shop/api

https://injurypiggyoewirog.shop/api

https://bargainnygroandjwk.shop/api

https://disappointcredisotw.shop/api

https://doughtdrillyksow.shop/api

https://facilitycoursedw.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 2 IoCs

Processes:

FortniteHack.exeFortniteHack.exe

pid process

5652 FortniteHack.exe
5896 FortniteHack.exe
Loads dropped DLL 2 IoCs

Processes:

FortniteHack.exeFortniteHack.exe

pid process

5652 FortniteHack.exe
5896 FortniteHack.exe
Suspicious use of SetThreadContext 2 IoCs

Processes:

FortniteHack.exeFortniteHack.exe

description pid process target process

PID 5652 set thread context of 5768 5652 FortniteHack.exe aspnet_regiis.exe
PID 5896 set thread context of 5988 5896 FortniteHack.exe aspnet_regiis.exe

pid	process
5652	FortniteHack.exe
5896	FortniteHack.exe

pid	process
5652	FortniteHack.exe
5896	FortniteHack.exe

description	pid	process	target process
PID 5652 set thread context of 5768	5652	FortniteHack.exe	aspnet_regiis.exe
PID 5896 set thread context of 5988	5896	FortniteHack.exe	aspnet_regiis.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133636875375308244"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings chrome.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

2120 chrome.exe
2120 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1420 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe
2120 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	chrome.exe

pid	process
1420	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe
Token: SeRestorePrivilege	1420	7zFM.exe
Token: 35	1420	7zFM.exe
Token: SeShutdownPrivilege	2120	chrome.exe
Token: SeCreatePagefilePrivilege	2120	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
1420	7zFM.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
1420	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe
2120	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2120 wrote to memory of 4972	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 4972	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 1124	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 656	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 656	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe
PID 2120 wrote to memory of 3688	2120	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbTFGOGpFZU9QRFVWMHpkM0lUbmlsX3Y4N25KQXxBQ3Jtc0tub0Qyc3FXUnNwNEFZbGJ6S0NIdFpUYW5RYlhwNzFpbWZWYXNIenJ3Q2U5SkZKemp6bXhlbDZKNUtDUXJXVkVMdHQ0VU15Yi1KbkJfN29Ya3V3VkU2YTFrVk1IX0x0dXNWZER4MEFKck1YUDJ6QWVDVQ&q=https%3A%2F%2Fapp.mediafire.com%2Fnqf65u1vbguey&v=bapt5CE-4u8
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97bee9758,0x7ff97bee9768,0x7ff97bee9778
2⤵
PID:4972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1680 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:2
2⤵
PID:1124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:8
2⤵
PID:656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2268 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:8
2⤵
PID:3688

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2996 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4800 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:8
2⤵
PID:3972

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:8
2⤵
PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=4844 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:8
2⤵
PID:4940

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FortniteHack.rar"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5884 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5808 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:1872

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5348 --field-trial-handle=1896,i,6342720526407709454,13686226945010292809,131072 /prefetch:1
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1048 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
1⤵
PID:5360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5580

C:\Users\Admin\Desktop\FortniteHack\FortniteHack.exe
"C:\Users\Admin\Desktop\FortniteHack\FortniteHack.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:5768

C:\Users\Admin\Desktop\FortniteHack\FortniteHack.exe
"C:\Users\Admin\Desktop\FortniteHack\FortniteHack.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
PID:5896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:5988

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
984B

MD5
844e2706a6742c9183e477a2be503974

SHA1
3119261d3edcb0e9ca17334ec41a6dcdb05836aa

SHA256
903afef1fc51db45ab47d9e528a1ea7a30f287f0f561a0909417d735697d39fc

SHA512
57ef19da01f26484c8a435d029aa0254b4c1b735b707b5b8935da835fb276f462a713da320e6374264e3a9ba19c3bbe705f0fb267cc53bf6ce3e8396a654ef59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
70880d3fbdb700d61903949a908736b8

SHA1
6f5f1b41915c621044e4ff99062c1f7231b9a523

SHA256
2d96bdf7c1aef7cf49041499c3e6ba59d295d532f17e2d07f0a74b117b204433

SHA512
022c94ab9c0b208f11113bf00c5867403ba68c0f67bc2d1e49a0d8fdf3f80a9fb0569a1f075b430c2af74c56455aa4835b0bec983be3b9f5be0a411c0a717361

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
1d344069fec33d33d1c50885022acdc7

SHA1
df3385e7a46a35ac1961d251c09f67a31f66ccb9

SHA256
40f82742b605c90a99be21424aebe9a4f26dbc9be5c471fe468d9899e1fef25b

SHA512
d7fab0cd319e17b451e7950cf4741c3d0b369ed6edd48b03ef0cb6f33ea86d50c96cfc763b257ad817568a295d8405e72c42086d4df2cbc185fde3a332d04292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
81e38f3fc1f8a87c4bb2a30a964fdd96

SHA1
1cf9641d224eeca67f50d5e0cbae2969a1fd1b73

SHA256
2335a4c56359de943478f7a245309163e2e4497e210167749d70d5dd493bbdb3

SHA512
9273d106878a3e9d2905a832dcf73d7af24e059f32260583c2d0662f395e866305323e1af066cd76aa5611ccd961761356a9ffa05732959b472168428af06ea6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
3d3335ae1ebbf57873fcce91829df270

SHA1
07f03c874665a7e4adbe648d9e7e9de17cc1735a

SHA256
5551730c676867bfdc4694c77a8f4fb84ce812ab47966afd41344434525b64cc

SHA512
3ea3a77a24ef4292df04b197ca68824f0512a90cccdd5cad699209b1b2441ddf0185e3227dd01d572bb92946d7a8476d33caa7bc64a3edfa5c180fd960c96119

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
14191faa5ff11a8497b8ba59c7b6dc4a

SHA1
4df43194850cc395fadacc2138994fa66bf1cbbb

SHA256
045d82a0acc74a66ae986b4b130643db4514a70a4edac316d624117796774dea

SHA512
660280c3cff76bd948a6d792b857bea088b0341961529f2fc9c92c98e4eb534b923ba681db7397114a68cbb642b96cdc8ba87be08916b137192d1668a357755b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
4ddde84f674499cabb9aaa634f395ac2

SHA1
e894e2c13dcdd1aab068f02c072002e9f1fb3d42

SHA256
24f488c4ecbcc605c4a4da1a1090afe32ab23592c41c6c913a8591adae6fd9da

SHA512
1461275d9daf8e44e28d051d3e8040c93f967172f7b1c72368037e72f21106a4e1ea81f1c5f37d8046f891068671149ec38ffb99b268cd26b946cde661c0799d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
128KB

MD5
72d0b0f6686f0d73a646f15c8f9fe35a

SHA1
311504b8b3c26ce24e04881039b58f4e04bc5f63

SHA256
65553777cfa2031a81e214ac83903eeffee697e515ea41d3bf8809499f78a6a5

SHA512
3f27937deeb716d923bfbaf48bd12d5c8d28df45781a7c19cf170526677d577e48d8b279a6a5210441d326e1248c9e492ecc51abf2ba767913e9b4df63cb94be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\FortniteHack.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll
Filesize
418KB

MD5
00aef366a9776b7ef2d6732eb4f1fa4d

SHA1
f53d80e3f9a5dfd10f4467d6f1ec09d4d8afa085

SHA256
b3ccdb649751b662169bc3e971a2fa9c2a5dddd86c816ab35aaeff0da955b6c9

SHA512
134fd065a023800fefee31fc3c65bc1f978cd8e0b0e1dda6f4b074450443d223fc00ab4a8302da100a8e454a71edc99e0013e4f6ff4169d729ecbbb9a283bf94

Download Submit
C:\Users\Admin\Desktop\FortniteHack\FortniteHack.exe
Filesize
1.5MB

MD5
6f2a090cc3f53cce287a53f94e54a7a7

SHA1
0efb3d8b3caff43761e9b7fbea726b110ec8582f

SHA256
7f459971567449eeda760230040cb351ee6cc8a3bb4379684f4f5d1330b324d9

SHA512
4f445469efb93522d898186dc8a6a3b1baa5facdd4819a32d69c512de9c5aec08d99dfbf23a85cef1efd07c5d84705ff87a0140aef131b6e7d35fb520322671c

Download Submit
C:\Users\Admin\Downloads\FortniteHack.rar
Filesize
1.4MB

MD5
bd4e90ee5fb12327df9d4803e2a00b25

SHA1
d6fa49c648a2f91fd1e622191b8fdfa116ed7005

SHA256
c4da711cc2a96575a22996d204eb01ea414d2704f9ecfabb305477da95d34ed7

SHA512
82cf6994874fb99085be4f8579a67f970a172e4c907647ebed1765781656fb2e3c68214927ca0e9e934c9cb49712f26eca102c87904a64ed7f0988d527d0fb3e

Download Submit
\??\pipe\crashpad_2120_JWAXNITRJWLDABEO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5652-215-0x0000000000820000-0x00000000009B0000-memory.dmp

Filesize
1.6MB

Download
memory/5768-222-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/5768-223-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download