Analysis
max time kernel: 147s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 15:57
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted
lumma
https://controlopposedcallyo.shop/api
https://technologyenterdo.shop/api
https://detectordiscusser.shop/api
https://turkeyunlikelyofw.shop/api
https://associationokeo.shop/api
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   process
  5232  Setup_Full-Free.exe
  3724  Setup_Full-Free.exe

Loads dropped DLL (24 IoCs)
Processes:
  pid   process
  5232  Setup_Full-Free.exe  (11 entries)
  3724  Setup_Full-Free.exe  (11 entries)
  2068  fm.exe
  3612  fm.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                          pid   process              target process
  PID 5232 set thread context of 2328  5232  Setup_Full-Free.exe  netsh.exe
  PID 3724 set thread context of 5360  3724  Setup_Full-Free.exe  netsh.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                    process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe

Modifies registry class (1 IoC)
Processes:
  description  ioc                                                                                 process
  Key created  \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings  msedge.exe

Suspicious behavior: EnumeratesProcesses (22 IoCs)
Processes:
  pid   process
  2588  msedge.exe           (2 entries)
  4144  msedge.exe           (2 entries)
  3320  identity_helper.exe  (2 entries)
  5964  msedge.exe           (2 entries)
  5232  Setup_Full-Free.exe  (3 entries)
  2328  netsh.exe            (4 entries)
  3724  Setup_Full-Free.exe  (3 entries)
  5360  netsh.exe            (4 entries)

Suspicious behavior: LoadsDriver (6 IoCs)
Processes:
  pid
  4    (5 entries)
  648

Suspicious behavior: MapViewOfSection (4 IoCs)
Processes:
  pid   process
  5232  Setup_Full-Free.exe
  2328  netsh.exe
  3724  Setup_Full-Free.exe
  5360  netsh.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
Processes:
  pid   process
  4144  msedge.exe  (8 entries)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Processes:
  description                        pid   process
  Token: 33                          2832  AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege  2832  AUDIODG.EXE
  Token: SeRestorePrivilege          5472  7zG.exe
  Token: 35                          5472  7zG.exe
  Token: SeSecurityPrivilege         5472  7zG.exe  (2 entries)
  Token: SeRestorePrivilege          4824  7zG.exe
  Token: 35                          4824  7zG.exe
  Token: SeSecurityPrivilege         4824  7zG.exe  (2 entries)

Suspicious use of FindShellTrayWindow (36 IoCs)
Processes:
  pid   process
  4144  msedge.exe  (repeated entries)
  5472  7zG.exe
  4824  7zG.exe
  4144  msedge.exe

Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
  pid   process
  4144  msedge.exe  (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
  description                       pid   process     target process
  PID 4144 wrote to memory of 3216  4144  msedge.exe  msedge.exe  (2 entries)
  PID 4144 wrote to memory of 4176  4144  msedge.exe  msedge.exe  (repeated entries)
  PID 4144 wrote to memory of 2588  4144  msedge.exe  msedge.exe  (2 entries)
  PID 4144 wrote to memory of 5060  4144  msedge.exe  msedge.exe  (repeated entries)
Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://tinyurl.com/yc35cnsb
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 4144

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd515946f8,0x7ffd51594708,0x7ffd51594718
      PID: 3216

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
      PID: 4176

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
      PID: 2588

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
      PID: 5060

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      PID: 404

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
      PID: 1012

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
      PID: 3556

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      PID: 796

    C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 3320

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4212 /prefetch:8
      PID: 1796

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
      PID: 5172

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
      PID: 5164

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
      PID: 5636

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
      PID: 5644

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
      PID: 5952

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6204 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 5964

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,11944328973189388698,15803109792804449625,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5936 /prefetch:8
      PID: 5944

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1564

C:\Windows\System32\CompPkgSrv.exe
  C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1980

C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x510 0x50c
  - Suspicious use of AdjustPrivilegeToken
  PID: 2832

C:\Windows\System32\rundll32.exe
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 2116

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\" -spe -an -ai#7zMap20113:152:7zEvent4414
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 5472

C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\equilibrator\" -spe -an -ai#7zMap3550:178:7zEvent22494
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 4824

C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\Setup_Full-Free.exe
  "C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\Setup_Full-Free.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 5232

    C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 2328

        C:\Users\Admin\AppData\Local\Temp\fm.exe
          C:\Users\Admin\AppData\Local\Temp\fm.exe
          - Loads dropped DLL
          PID: 2068

C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\Setup_Full-Free.exe
  "C:\Users\Admin\Downloads\#!Files-PAsw0rds__1619\#!Files-PAsw0rds__1619\Setup_Full-Free.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID: 3724

    C:\Windows\SysWOW64\netsh.exe
      C:\Windows\SysWOW64\netsh.exe
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      PID: 5360

        C:\Users\Admin\AppData\Local\Temp\fm.exe
          C:\Users\Admin\AppData\Local\Temp\fm.exe
          - Loads dropped DLL
          PID: 3612
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 152B
MD5: 3bde7b7b0c0c9c66bdd8e3f712bd71eb
SHA1: 266bd462e249f029df05311255a15c8f42719acc
SHA256: 2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a
SHA512: 5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Filesize: 152B
MD5: 9cafa4c8eee7ab605ab279aafd19cc14
SHA1: e362e5d37d1a79e7b4a8642b068934e4571a55f1
SHA256: d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166
SHA512: eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Filesize: 17KB
MD5: 950eca48e414acbe2c3b5d046dcb8521
SHA1: 1731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256: c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA512: 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 72B
MD5: e2cd4e05c07eeaac809cf87a8d749e2c
SHA1: a014fb50c6961878e9aa3d0381e6798cbac8f947
SHA256: 5388588285444cfaf7eab250745126ac37a67fea4eed0000e8eb8e0594a7ff4a
SHA512: c06257aebd1398d2a888263681e5315304522f3dba989d9d8f12e677b3a3639b000cf02679468c20a4a0648f6d00ac715f241fc24c6e4fc584af544df307e750

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Filesize: 188B
MD5: 008114e1a1a614b35e8a7515da0f3783
SHA1: 3c390d38126c7328a8d7e4a72d5848ac9f96549b
SHA256: 7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18
SHA512: a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Filesize: 6KB
MD5: 8d6b79b3996b02ee0e322f03e33685bc
SHA1: c5443311bc70166b34dfb8ade7742a43380544b7
SHA256: 63e8b44e5555086e924ea9d5e323ce1597702d480798ac91a8e4af993548782a
SHA512: 5735b98a4d073c4564593eef14925b82983a3fc06ed87b77b6b48b77f44beaf678a850cce0cefe03975fae289f54a5ab293f72c51e673a01dbafc68c399c3e49

Filesize: 6KB
MD5: 313f2a0463031ad678766d8437e51960
SHA1: d8df95417a43f9b51ed448e7221e2a7fc20e6c3e
SHA256: 63f43e0523588be299ef742250ae1ff9c71a91d43b043a4785dd84250f6099e7
SHA512: e665379f28b033e1d314b02b85d763d9120b3afff3b93b02eb24df502a74806ade83c4064021718ca31d4ded3ec68aea17d2a92ec1c31715f79e18a960597e05

Filesize: 6KB
MD5: ec41b15a33f969afe696b396fb619f21
SHA1: f12a46d7124a3c1c480d05f9d1882d30c835c0c1
SHA256: 46d89229665b0acb56f1a6f8337a007d4becb34f13e361e297e3154aa7e11f5d
SHA512: 1ba0cb77ddbb51f9c17ef16b374630646150ae79f029f26d9f5b177e420f54890ca5b1f6790e89b1774c7ea7306d5b6d9713b9fabf7d1ca4e6a4707ea2f52854

Filesize: 7KB
MD5: 68dd0b7af6e45255971aa892dc42f6d4
SHA1: 4abc7d8dc7728e992a7e29c7616ec3e7afc4ce70
SHA256: 3434ba099539265b467b124e96dab906eff87e85a5e9c95c8f28601ff777c9af
SHA512: d9c1873ef7022b74c97869c99f1a708f2b7baa8d15d848685cd487d88f2a0fa3f31245535e64b5700d5b095971824ace8cbd98d0eb4816cb9b89c851b5aaf881

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize: 72B
MD5: 59a9c734627aed84c18ae8e5ab661106
SHA1: df968267626e1b12282d2e0ed41fea20a8d96c4c
SHA256: fd0c39421d6e62fb65bb2abbf62954c13795fb59de3885d3deaf63a081e9c26b
SHA512: e137583afb25e704e2e87be2b28366fd5ce6963dc5db8d5291c72991351da6eb483d798d346f86b1cee8f188f32031d2f8fa51cdbc758da75b6d1febc26ba44b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cc39.TMP
Filesize: 48B
MD5: c532885adf332115a44c6754bbd40234
SHA1: b9fe935b882379a956b05a955bc4aa650acf3f3e
SHA256: 506e2c4a55e8fe68262e71a38985202b8b2c02b5e5efbc00560a0d4e65c91d06
SHA512: 9e110806657ab70e85dd6b84c8d0a3b4f05e2e0ac8a45dfb623c9ca445d85eb4b0d1e6e8ae7a83a497716032707db35fdd18b0937e0adecc91677b5f97b9ab60

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 11KB
MD5: c9183a04ddc9297ace3ddf5c08e54b62
SHA1: 0ac6e3fa6fe25a33d954df7cdb49e0de2b8ffe04
SHA256: 8295b3eee54cd696089d423de2a2a49351b2865a8db861ba788efe41acd130ad
SHA512: e4882bc987b600929c8b71f84f740fe3b36834b0c5749552313c43c4d093702cf6163281aa2bcb47ac5f1141c76d17b08c19e2db56b1e01aadb521e2dcc2de46

Filesize: 12KB
MD5: 3af87e58c82ca3a65c4cb58252301bb2
SHA1: 5569b75f5602c7ec052627b337ff7d5cd4ecad4e
SHA256: 673795d9ec9e152612d8a31e2c74f976bd338c5bdf142685a75fe65659132b4c
SHA512: 599dc225f7a104f8763305981e2cc2b8a9b295eb1854b99972982bf9f06b3b22b3602e668affdf64d5125b29dcbba1c2bb70d2af4bde26fb597e38fe6f8bd76e

Filesize: 11KB
MD5: eb9e4a2013cb39a8749d8ac24f41c4c7
SHA1: 1a04c2a992f9abfd40f0ee970cefb4d392faff82
SHA256: 5ee4a7cddac7bce8eaada3f80c74f2608107f082e2073f51b67d73ac0ea3515c
SHA512: 7c77cbfc7f26665d4de0577fb7ff6944ba86cc6be5a293f6451dbeb7fbdad1bb209f6791cf0472e4b27b300fcf2eca41ddd6b95f335a9c1b924c19eb340862b0

Filesize: 1.9MB
MD5: d1752e893af14ff2e73f3526dfb29a50
SHA1: 624479ea89d979e915b1e1d125e14480ebbaaeaa
SHA256: f6f00ede3f743ed4a332da75d1f520a195badd28f521f4bf801626caa104e4ac
SHA512: 663091a25bde494494d6db76b73136e4a9d2962e7c58b0f1964ddcd749b29079ac7da258ca01841af57c6dde7c240b0059382d5fe87a2f925710c42db41b0e72

Filesize: 2.9MB
MD5: 40be53838d71395d79dc45ffa6dfd30d
SHA1: 663273810612b04c3cdeffeaf923850113d545c9
SHA256: d90a1f698c36bbb331df323ad7884fa53d8f3540917d0b6efc891a8fef3e2da0
SHA512: 868d52d3f72483855c4a9129cb30359bc734a81da3f0160b3a64352cdb6f1614b827f1e67a7735c2001eccfc54cafb3b826791531b855fc89f0529e4a24f377a

Filesize: 1.1MB
MD5: febb73d056e9d4c307de110f97ae61aa
SHA1: eddc5b436d63464f0f0642481d5a76a92f6fcd6a
SHA256: 738ba599f2bca932903635f75fd1b9fda1c353f22198766c5e7f1c2853c73c69
SHA512: b76e510967c3d937f7b2fd1f3f42444207e13f81b51d0a660ccd588f158032578d1aa27da83fa78b51c2797a161b4857197bce2ad1530d37d959cfce3cc90a3b

Filesize: 320KB
MD5: 7274263761c81665d7aea479b7d59d76
SHA1: 48f3a97f48a5492f6ee38a7f619ec585487e5f2b
SHA256: 37d216076f22b98202e7f4f39015f5e1dd57eb8cfcd9769acc39d088a3218f0f
SHA512: a6205e9bccc1bc7a51b1b5b2533c1c48ab2ebba2ea9e5b0acd9afd2978a9b0b31a813da462472ebfb2993f331a120665cacb1d158cafb868a8d90eb716977606

Filesize: 3.3MB
MD5: 55076afc8f8de2df8f91fb2742bcda61
SHA1: c848bb01e859163b08ce4f58994b3d814dfdf700
SHA256: e3cb1b8edb969533e9299c4169b12df17a01d7516df943b486a785c986ceda30
SHA512: 70bf3d76b86b28aa4209a51469a4b2161c4253313849217b5e1267cb17f6279235b9ed18cd975aa48227401b48887f594b3be149531750638091afc51a425d26

Filesize: 84KB
MD5: f07f53569c594f04b5b15ca6dbe4b455
SHA1: 0cc33a3154349fad167f56f24d768177291383e2
SHA256: 6a052820e39dc91e9fbbd96f8b5b2180d63266bf156dd3d2dd94af98294c715a
SHA512: 75ff71afc83d2b499bcea82034691d1d9707c6a525e8ed24f7469934b7a1fbd607cc8e0a36dc1ebe58c97706dbc8cf7052a4aee49858caa5b18c04cb9486e2bf

Filesize: 1.3MB
MD5: f21fc930afdf87669e2a8e5f79eed0ca
SHA1: 69f3743fda7f010f7a633aa799ccce43d77ca290
SHA256: 3b42676a9b8e9dd51d69ffecde0ac8038fc81acba32a7f0bfece8720add9da55
SHA512: cf613f03af5fee8f5bed01593ee5b043369906192c37812b7b2fd4222f7bf3bf46068b0bc17a3b1dde950e51e57e9e998f67da7b577545b6568a6b0c9afdc4d5

Filesize: 1.2MB
MD5: 3cd9af46753f2a618d15157372d0d2bc
SHA1: f2a1781b1a6d33338db4d9725b28f15d8a410903
SHA256: 497471497886f18ca16f7facab7d76dc9bfadd69deb9c6e4ea9bdc0869a15628
SHA512: 925097106554f6eac698ba933e32fb82c1405c7ccfe284b27f1558e9ab46139506b1e981721aeafaf2e0d595dbdfce3587c4056c6920fdffb0b2f2bdbdcdb38d

Filesize: 20KB
MD5: b6f0655bed934503621fcf94ba449a19
SHA1: f0a5d9eefff5f3bcd2e23b9db748c50cffc1c6e8
SHA256: 0da1f856d92d6b95f10ed8c3f629cd15468c906de9352fb4ae629139d1412eed
SHA512: 77a10ae1748e5d76288c59933f3f41d4dc7a690b1f2bc9bff0b761f9f2c5331f868dc0259ffe4c4672e1806c33f3f9d0fe0a8b09b10e06333d2590f623c5b284

Filesize: 28KB
MD5: 7d4f4d3bc6ab6c3ea2097a7ecd018728
SHA1: 2434fbad089ac85eda43c0b0e911ab437b4dfe63
SHA256: 7705851ba047a8154402aca92621b60be0e0e9d9b52b19bf8be540305bd53dba
SHA512: f9b64cbcd7c7c7b4e942c3da74fb280762d038f974fc23d1e0431b15787aefc87464cda121aa8fccf499af46e345dd65aa5fb5cfee1cb45dba6e5dd79b01a1d8

Filesize: 17KB
MD5: ed925bdab51f49813686b62eb82fb4a4
SHA1: bc7c742b92a5b47089e0b400a8a80bb217e775fe
SHA256: e1646c7778c24407a17881908037a49ecfcb5a980d155212d544302653a3ef62
SHA512: 5be99a6b0e2091fe37ff50d5a9c4fa789db27b5ba108801e4d18e99ae584ae1bc91ba3339916dff8a323155815e660f43ca54ffcc7c14c1e3f90600aedb54bd8

Filesize: 114KB
MD5: d35376c0d447108b2f9d64d4c40014f8
SHA1: c68129e8bf6cdaaa318c5aad8974efbc2b7ce39a
SHA256: c7544e1f9927afdf6e8cd7063020b572e60fe8f00af39227eb831d331df38225
SHA512: c46af0bbd3bca6e12125750a5b1ca4f17f85f84729b1c1c01ee76de3704bcdb090212202cf449458833f8ee92e9a46c8758cbd069747de534e2984dccbe9f24d

Filesize: 96KB
MD5: e40b7acdd7654c071b0f2c17eb91fddd
SHA1: 6f7f65cacb44a378169cb9066099dccf96f51426
SHA256: b53329b607a4af6d59ce94c2ef79abad5bea6ff7045f53af721f5ca09e6f5840
SHA512: dcdddf8601e733947e76c6c5dca0cd7ffd2eb373ef771e43d411da3ee6d3da40f0a8f34e7599a3b7a6399fb4ee26d501d86acb08b889acc07e95a9a1d6b17a4e

Filesize: 132KB
MD5: a4212be49e5ce8f3bf3950ca32c4bf14
SHA1: 53f8e986e5fa3844eb73f063ed01772b53bc2504
SHA256: 394d2d862f2ddce71f28d9b933b21a7d6c621c80ef28652574f758f77f01f716
SHA512: 74520d3b3749d2b61e8a970c1fb29c588f98ce477eac4ced8837420153a6e739303aca15ed7d1e070125afa7f3ee32e452815ef1af135f8ed39ef2fce9d333ab

Filesize: 25KB
MD5: a3718d24f0e6eae9d6121a1219381ae9
SHA1: a3377f64d8fb6162f6280d3d924626c1fc6a2fe7
SHA256: cb220267fb0116b298bab6a09a764420d630c52026f7d750f8ffca4818389327
SHA512: 43f9c760be222490d43cbd9589b4afbc64759919993a1957a13a753cfcc9d94059dba0b5400a745c377c7bea1f02f4f8f6f952bee5b7ed33f6a49efaec62e9f6

Filesize: 19KB
MD5: 557ed85a1d8a3308e552a77a9902e8cf
SHA1: a9acf7a1db500a734e95038b29c0bd90f7af59e7
SHA256: e102c9c5b22ceb60dc516ab4124bea8ec8e808b08eec48ea7ac674d13fca82ef
SHA512: 110acfc0b886a1ff77b5452e2f813213630ba2eb4610e06942a59da78e516e05893b049c0d1ddcc077ebabb3a9490cf84fb41f31b62822c9365b60a1b38fd4b8

Filesize: 23KB
MD5: ee6788d3d3750421e01519a27f86634e
SHA1: 48f4c7dc7bd1208f07e4176e78f035d36682d687
SHA256: b5acf358ff97127eac9ef4c664a980b937376b5295ef23d77ee338225de10d60
SHA512: 12ef0ac4cf9c8461044317e693bcfabdb4beb34a222b635ba50f6652b5a91b92ff20cb19e916ac60dca3e8314b7d8cec710a1c730374bb8f260b8d94f57c9775

Filesize: 90KB
MD5: 7e507af32ca219d2f832cf8d90ca805b
SHA1: 4eb56c6f4184efc5a6bb5c7cab46547cfa769744
SHA256: 3668c6749db59a6cbc5293d0a4f904f76d6fb5048704449dd53894916f408a57
SHA512: d19c6a0a0798db42490631aa9e30da4200e0b687250daa5ec8bcfe68ae2589a523adeacb6c77544488ddc7610fa84be7477a92c2a27605537a0caec2449c87f1

MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e