type,value,description,confidence
sha256,eff51f995cd6463cd9b3a2ea4a14cc85e3cc5c1b5b71db6d90765b3df175abba,LummaC2 carrier (74 MB padded delivery),high
sha256,c466795354007a604fa1805b6d97b6f3e43179c85544594fe365f22ede8fe0a6,LummaC2 carrier (overlay-stripped derivative),high
sha1,23f0f30e2bc4fb1308c01328e951b1681f439d46,LummaC2 carrier (delivered),high
md5,a3be0b0ebbf9428015cacc27cf5d51a7,LummaC2 carrier (delivered),high
domain,abruptyopsn.shop,LummaC2 C2 candidate (.shop rotator),medium
domain,cegu.shop,LummaC2 C2 candidate,medium
domain,cloudewahsj.shop,LummaC2 C2 candidate,medium
domain,framekgirus.shop,LummaC2 C2 candidate,medium
domain,klipgonuh.shop,LummaC2 C2 — observed in this engagement,high
domain,nearycrepso.shop,LummaC2 C2 candidate,medium
domain,noisycuttej.shop,LummaC2 C2 candidate,medium
domain,rabidcowse.shop,LummaC2 C2 candidate,medium
domain,regularlavhis.click,LummaC2 .click rotator,medium
domain,tirepublicerj.shop,LummaC2 C2 candidate,medium
domain,wholersorie.shop,LummaC2 C2 candidate,medium
domain,yuriy-gagarin.com,LummaC2 C2 candidate — observed,high
domain,lv.queniujq.cn,LummaC2 C2 candidate,medium
domain,www.gstatic.cn,LummaC2 C2 candidate (typosquat of gstatic.com),medium
domain,steamcommunity.com,Dead-drop resolver (legitimate but abused),high
ip,104.21.82.94,Cloudflare front for yuriy-gagarin.com,medium
ip,172.67.199.224,Cloudflare front for yuriy-gagarin.com,medium
ip,172.67.162.153,Cloudflare front for klipgonuh.shop,medium
ip,64.233.181.94,Suspicious — observed in engagement,medium
ip,20.99.186.246,Suspicious — observed in engagement,medium
ip,52.185.73.156,Suspicious — observed in engagement,medium
ip,23.49.140.110,Suspicious — observed in engagement (HTTP),medium
ip,185.160.247.17,LummaC2 panel exfil egress (CH) — from System.txt panel dump,high
ja3,a0e9f5d64349fb13191bc781f81f42e1,Lumma carrier TLS to steamcommunity.com,medium
ja3s,b677083c9768d0548331fca998152a10,Server response for Lumma Steam dead-drop call,medium
file_path,%LocalAppData%\Google\Chrome\User Data\Default\Code Cache\js\47aa920d2b1e1d49_0,Initial cache hit (Chrome) — drive-by malvertising,medium
file_path,%LocalAppData%\Google\Chrome\User Data\Default\Cache\Cache_Data\data_4,Dropped sample (Chrome cache),medium
string,"D:\Projects\MultiCommander\BuildOutput\Output\Win32\Release v143\MultiUpdate\MultiUpdate.pdb",Inherited PDB path from carrier source,high
string,"name=""Microsoft.Windows.AutoUpdate""",Manifest assemblyIdentity in carrier,high
string,"MultiUpdate",Manifest description tag in carrier,high
string,"LummaC2, Build Oct 9 2023",LummaC2 panel banner from companion System.txt,high