Analysis
max time kernel: 301s
max time network: 295s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-02-2024 19:18
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted family: lumma
C2:
- https://gemcreedarticulateod.shop/api
- https://secretionsuitcasenioise.shop/api
- https://claimconcessionrebe.shop/api
- https://liabilityarrangemenyit.shop/api
Signatures

Executes dropped EXE (10 IoCs)
Processes:
pid   Process
3776  Loader.exe
748   Loader.exe
3912  Loader.exe
4936  Loader.exe
2076  Loader.exe
3192  Loader.exe
2968  Loader.exe
1196  Loader.exe
4552  Loader.exe
4352  Loader.exe

Program crash (18 IoCs)
Processes:
pid   pid_target  Process       procid_target
1188  3776        WerFault.exe  109
4520  748         WerFault.exe  112
4392  748         WerFault.exe  112
764   3912        WerFault.exe  121
5020  3912        WerFault.exe  121
2760  4936        WerFault.exe  129
1192  4936        WerFault.exe  129
1472  2076        WerFault.exe  135
1728  2076        WerFault.exe  135
2388  3192        WerFault.exe  141
960   3192        WerFault.exe  141
1772  2968        WerFault.exe  147
2356  1196        WerFault.exe  149
3200  1196        WerFault.exe  149
3096  2968        WerFault.exe  147
3128  4552        WerFault.exe  159
4728  4352        WerFault.exe  161
2216  4352        WerFault.exe  161

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
description        ioc  Process
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000  taskmgr.exe
Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName  taskmgr.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description        ioc  Process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe

Modifies data under HKEY_USERS (2 IoCs)
Processes:
description      ioc  Process
Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry  chrome.exe
Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133531031056740817"  chrome.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid   Process
2512  chrome.exe   (2 entries)
4268  chrome.exe   (2 entries)
372   taskmgr.exe  (60 entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
pid   Process
372   taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
pid   Process
2512  chrome.exe   (2 entries)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
description                       pid   Process
Token: SeShutdownPrivilege        2512  chrome.exe  (32 entries, alternating with the row below)
Token: SeCreatePagefilePrivilege  2512  chrome.exe  (32 entries)

Suspicious use of FindShellTrayWindow (64 IoCs)
Processes:
pid   Process
2512  chrome.exe   (33 entries)
3700  7zG.exe
4132  7zG.exe
3116  7zG.exe
372   taskmgr.exe  (28 entries)

Suspicious use of SendNotifyMessage (64 IoCs)
Processes:
pid   Process
2512  chrome.exe   (24 entries)
372   taskmgr.exe  (40 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description                        pid   Process     procid_target
PID 2512 wrote to memory of 4756   2512  chrome.exe  68   (2 entries)
PID 2512 wrote to memory of 1476   2512  chrome.exe  89   (38 entries)
PID 2512 wrote to memory of 2800   2512  chrome.exe  90   (2 entries)
PID 2512 wrote to memory of 4480   2512  chrome.exe  91   (22 entries)
Processes
(indented entries are child processes of the unindented entry above them)

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/expl0int/EulenCH3ats/tree/main
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2512
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ffff0fe9758,0x7ffff0fe9768,0x7ffff0fe9778
    PID:4756
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:2
    PID:1476
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:8
    PID:2800
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2180 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:8
    PID:4480
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:1
    PID:1560
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:1
    PID:3540
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:8
    PID:2596
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3940 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:8
    PID:1896
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:8
    PID:2076
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=744 --field-trial-handle=1852,i,4021130000245523740,11068883078035991950,131072 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
    PID:4268

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
PID:4172

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID:4496

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap17653:94:7zEvent14581
- Suspicious use of FindShellTrayWindow
PID:3700

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap10744:94:7zEvent9969
- Suspicious use of FindShellTrayWindow
PID:4132

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\EulenCH3ats-main\" -spe -an -ai#7zMap30431:94:7zEvent7029
- Suspicious use of FindShellTrayWindow
PID:3116

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:3776
    C:\Windows\SysWOW64\WerFault.exe -u -p 3776 -s 1152
    - Program crash
    PID:1188

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:748
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 636
    - Program crash
    PID:4520
    C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 1068
    - Program crash
    PID:4392

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3776 -ip 3776
PID:464

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 748 -ip 748
PID:3780

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 748 -ip 748
PID:2056

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:3912
    C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1096
    - Program crash
    PID:764
    C:\Windows\SysWOW64\WerFault.exe -u -p 3912 -s 1088
    - Program crash
    PID:5020

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3912 -ip 3912
PID:2968

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3912 -ip 3912
PID:4516

"C:\Windows\system32\taskmgr.exe" /4
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:372

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:4936
    C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1092
    - Program crash
    PID:2760
    C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 1132
    - Program crash
    PID:1192

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4936 -ip 4936
PID:4244

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4936 -ip 4936
PID:2160

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:2076
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1160
    - Program crash
    PID:1472
    C:\Windows\SysWOW64\WerFault.exe -u -p 2076 -s 1096
    - Program crash
    PID:1728

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2076 -ip 2076
PID:2564

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2076 -ip 2076
PID:1624

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:3192
    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1120
    - Program crash
    PID:2388
    C:\Windows\SysWOW64\WerFault.exe -u -p 3192 -s 1100
    - Program crash
    PID:960

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3192 -ip 3192
PID:1640

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3192 -ip 3192
PID:1896

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:2968
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 1120
    - Program crash
    PID:1772
    C:\Windows\SysWOW64\WerFault.exe -u -p 2968 -s 628
    - Program crash
    PID:3096

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:1196
    C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 1068
    - Program crash
    PID:2356
    C:\Windows\SysWOW64\WerFault.exe -u -p 1196 -s 716
    - Program crash
    PID:3200

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2968 -ip 2968
PID:4388

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1196 -ip 1196
PID:3468

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1196 -ip 1196
PID:4000

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 2968 -ip 2968
PID:2736

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:4552
    C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 1112
    - Program crash
    PID:3128

"C:\Users\Admin\Downloads\EulenCH3ats-main\Loader.exe"
- Executes dropped EXE
PID:4352
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 1176
    - Program crash
    PID:4728
    C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 620
    - Program crash
    PID:2216

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4552 -ip 4552
PID:4744

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 4352 -ip 4352
PID:876

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4352 -ip 4352
PID:3812
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: d5bee06667e7aa655b359d52ec0d3301
SHA1: efc1125f30c175ca7503a1ef1d92748e2f7bb93d
SHA256: 6b1cc0671bc672a81391f7f938374410c4b80db491a26ffcc28e46a08213c60e
SHA512: a5798278bb20c00a7a6c86d6141b1b2d59eb93f0fc61616adac71bd5bfc8f1220e82b60449c9a20fc4dd7930a491b0bb6c2417689ec551c66af2cce50b08259f

Filesize: 1KB
MD5: a3b9ce5c61846ff24e80fbc8fa923c33
SHA1: 714509858668d3cbdc247197d6515e2bd3d7f25c
SHA256: 6f3b2e15f038aaadeae32aed2460ed97809b6f58bf2e2af9fc8f62ab95c06aa4
SHA512: 40b4c663eb2a2aa422f26416969e17fbab97da3e5d9e8f7ee268e371460b5ff7eef833bee71c5e38b569b34dba53e2d2e58bd9a37f78575dd9cacbfc095febf2

Filesize: 1KB
MD5: eff09f2dcd2368974ad31025571f58a3
SHA1: 4db7b09e6574bd53059564ef7a9f26330fe307ee
SHA256: d32500e14da67f98426808b4850d09333f8ba101698c670fe515497ee6967bc4
SHA512: 0de2e2ffa396cdd5882f47d652ec757fccef437dc5798d5b7d627a16f5983825aa85cbbe011cbface03894ba9820197acc30b4db4cb1fbd29d13cc4dd1b3c660

Filesize: 1KB
MD5: a95eb84344c7aca576fb16b1e2c003de
SHA1: 88393452e0c6c5f5525ddccb91fb37e39ceea584
SHA256: 897dca5aaeb3e253684664b0077fbb1ae7c65d437dd897a104e2d894de4491c5
SHA512: df30ab32bf6c3aafe52e40c5dc4c3a4cba91afcf78a65e928651cd6ddd376f1373f3df82075ffe2840c778864f801e0e3db768e08f6a8e89a53059a073482c8e

Filesize: 1KB
MD5: 390a34f9ed12c28b518006befaa4bb24
SHA1: 6bd6efcbf459c21aa6d0d426c4b7f803999581d8
SHA256: e011966f189ddcb4c62d39dd5557a6f77dadf60b465f6da835dc5856efe06bc6
SHA512: f1f9ae5929760c60d0ff3fbe2b77490028a568a4a7be06fd37b53218b2dd1cbbc31b734368e2605fa5b516007087441c8d628401beaa057f9a132f7b603a4719

Filesize: 1KB
MD5: 101bc1995ff37a2ee7219bab0f52f53a
SHA1: 2d43332564f10dadb98033779a76f809722b81c7
SHA256: 66c146916fbc9ddb87cb6f61aa7a0358069a6f77a4680f56cb2032534f154f1f
SHA512: 1d1418603031645f5d16ccc5772d16ea6d83fb39bf7ac6feb060c483f1c625758813c283ce7d2623e89c2de31978b649190fc4deea760a4d2a07126d22f7c3e9

Filesize: 6KB
MD5: 1d41eb9014d17f8df1b5971a9e95cdb1
SHA1: 388ae540f66ef313905b9d166d57ca8f10bc6781
SHA256: 009eeea7eafd69a6d0bfaf77b59238b17c1f4f36c2b54592dadf1322d9b7000e
SHA512: 3f7a1333a6f72c107be5535fd3c1279719528637dbfa40f5b6de4103fe52236b7e070848a4f7736427b6211baf70cda9417fb99c392643520bb48e4046ab175a

Filesize: 6KB
MD5: 9355e196cbacc31c93d9d2fbe97173d6
SHA1: 63551a5b3bcc9e1bb624f7ca27b3bcd807538099
SHA256: d5652151b7205cc0b5aca977c1f77f748920ea0d907caff5f2c7a6f9a427a0db
SHA512: 43211aac97147bdd1d7639914942b7b362c5ce0048b8c7c94832c1ce5d65ea8dc5dc47341cb7885e3a75fece940c6d24f6893eca2a8e2eccfad13409711621db

Filesize: 6KB
MD5: 3056aa9759a4cffa2d514d3dd195255b
SHA1: bebb32331ccfdc65f65f9f0cb57bee9569a8909f
SHA256: 7ed8ae2c939ced4c9e339d7e7662a897bb538c24283afee857a9fcc616c6ca72
SHA512: 865932445c1a6ca9fd7f8b60864ed0f579f94de2009ff68697c2c823bbf993624e154179b42335e096577d676e51c4dba9c223b824412a6c0a081ea13c0d46c9

Filesize: 130KB
MD5: 8e0a3d48bbe9b38c9affd7e46140d9e6
SHA1: 6cf2a637a61f21f4afb209c64caa94c3cda5f344
SHA256: 2e59ff55b5336d6f7e9a3b066acd40d737f0d45861527e1bb6a42736a1703864
SHA512: b2aae26bb81c1138593cf36253404674b140afcbecfebe9b637fbb67cf35cd0750e2552d5e3049c62733084f50757af9c044a84f6f907b76d4a38c07eb9a750d

Filesize: 2B
MD5: 99914b932bd37a50b983c5e7c90ae93b
SHA1: bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512: 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Filesize: 1012KB
MD5: fd7d8264aedca99b0993640204c9508e
SHA1: 7a6febefeb6a337a2f33e3a56ba08ad2a95de2ab
SHA256: b87457606eba26db8ff83137a1a40d96f10d33fadd6728fdbcfdb248f6a03968
SHA512: d48c41078a7cab04ea22a94f8ebae6eb6ab6c7e1a147fab344a977d860f02945331f6af049706ac6d2a667f36a8d95b8a4a676cc35e1a77afb6673021823896e

Filesize: 516KB
MD5: 60078848bb829962adaaad92b2117d27
SHA1: e4cb1688eef1f97b85274dc0f7909fcc7e36498d
SHA256: 4a965fe0bb90182c9ab828610a278b4a2e9707fed38fc6e1a2c3ce086de8638e
SHA512: 8715ad5232bbd3e65db1f091b633c67c684803dea64fe5cf05f27746e645857ec7570a3294d7ba6a1a75b537892548fc64ff76fa491d0e071fa063d6939c0e1f

Filesize: 690KB
MD5: 9ed99bd8432a2265d1f5fb611213168b
SHA1: e215f6bfcbc91ed8828ef54cb6840eae1dc72cd0
SHA256: dde02744526968833651a9f70be666ceec221599b03272c9c5fc5d729667dd72
SHA512: f75b9ad6823ae8c4e4f5c84202893ba60c9256853d8b3924d47d59a1668e979e485a920b43414b470c5e5fd02975ff81edea3c9a2ed3a16140c13170224f2f28

Filesize: 645KB
MD5: 4cd0f11f37b1c910b998e1c78d7fbc1a
SHA1: 9b1cfea8434e44a7853d392ec99a532c8722e803
SHA256: b54eac653edbbcee1b2d5fa082d618b0a582ed6f54aaa835e6509363aff6d106
SHA512: 823ce10362882fefda9a7dfa72ba98e9ade4fc64db512cfe40e71d12314cacdf6748df259ffa48338cc20e6819a00ad432b50de1334d7c81ca4767e6f75fba27

Filesize: 779B
MD5: 8dea87a2d66c58832a0d82b7b43540c8
SHA1: d5151a05efe6978f634bf5d5e330ffce9694414d
SHA256: baad6357cb00130d3d25c8077ecf053c50ea9860e712207ebc72bb4bf351b6c0
SHA512: 3dae0f7f7a967670fc59cc2b3b9688b5cbbf9f0f541e7503511cb95d59e871dd5b7517db7657aa56ae60dbf147a61ed8174e43d6cdfe53665bdf080f38cc7e4f

(no filesize reported)
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e