lumma | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqbWtiVFJWLXpfTUQyUExMLWJfR3Z1WGg0OWd6d3xBQ3Jtc0tubFJ3SE8yN1N5eElZSW8xNUoyakVfYnJ5U0lBcGNTdFBpdUlhMjhVdlJtTWEtVkx4WFUzRzVTUGU3Uy1HNXRQbDJMRldIRzVzZFotenJoRThBVTNNaTc1UWloUEkxNFZWM0tuRmJHamxKRnk2VXg2WQ&q=https%3A%2F%2Fsites[.]google[.]com%2Fview%2Fzensoft&v=PbmUZG7hHcA

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWtiVFJWLXpfTUQyUExMLWJfR3Z1WGg0OWd6d3xBQ3Jtc0tubFJ3SE8yN1N5eElZSW8xNUoyakVfYnJ5U0lBcGNTdFBpdUlhMjhVdlJtTWEtVkx4WFUzRzVTUGU3Uy1HNXRQbDJMRldIRzVzZFotenJoRThBVTNNaTc1UWloUEkxNFZWM0tuRmJHamxKRnk2VXg2WQ&q=https%3A%2F%2Fsites.google.com%2Fview%2Fzensoft&v=PbmUZG7hHcA

Score

10^/10

lumma zgrat rat stealer

Malware Config

Extracted

Family

lumma

C2

https://hearthingdirecwi.shop/api

https://productivelookewr.shop/api

https://tolerateilusidjukl.shop/api

https://shatterbreathepsw.shop/api

https://shortsvelventysjo.shop/api

https://incredibleextedwj.shop/api

https://alcojoldwograpciw.shop/api

https://liabilitynighstjsko.shop/api

https://demonstationfukewko.shop/api

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe	family_zgrat_v1
behavioral1/memory/5224-377-0x00000000008A0000-0x0000000000BE4000-memory.dmp	family_zgrat_v1

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Executes dropped EXE 4 IoCs

Processes:

Adobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exe

pid process

5224 Adobe_Activator.exe
2492 Adobe_Activator.exe
1948 Adobe_Activator.exe
6060 Adobe_Activator.exe
Loads dropped DLL 4 IoCs

Processes:

Adobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exe

pid process

2492 Adobe_Activator.exe
5224 Adobe_Activator.exe
1948 Adobe_Activator.exe
6060 Adobe_Activator.exe

pid	process
5224	Adobe_Activator.exe
2492	Adobe_Activator.exe
1948	Adobe_Activator.exe
6060	Adobe_Activator.exe

pid	process
2492	Adobe_Activator.exe
5224	Adobe_Activator.exe
1948	Adobe_Activator.exe
6060	Adobe_Activator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

Processes:

flow	ioc
1344	sites.google.com
86	sites.google.com
1129	sites.google.com
891	sites.google.com
1130	sites.google.com
1249	sites.google.com
82	sites.google.com
85	sites.google.com
87	sites.google.com
157	sites.google.com
1406	sites.google.com
81	sites.google.com
83	sites.google.com
1133	sites.google.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

Adobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exe

description	pid	process	target process
PID 1948 set thread context of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 2492 set thread context of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 5224 set thread context of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 6060 set thread context of 4104	6060	Adobe_Activator.exe	MsBuild.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

7zFM.exe

pid process

1052 7zFM.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7zFM.exe

description pid process

Token: SeRestorePrivilege 1052 7zFM.exe
Token: 35 1052 7zFM.exe
Token: SeSecurityPrivilege 1052 7zFM.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

7zFM.exe

pid process

1052 7zFM.exe
1052 7zFM.exe

pid	process
1052	7zFM.exe

description	pid	process
Token: SeRestorePrivilege	1052	7zFM.exe
Token: 35	1052	7zFM.exe
Token: SeSecurityPrivilege	1052	7zFM.exe

pid	process
1052	7zFM.exe
1052	7zFM.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

Adobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exeAdobe_Activator.exe

description	pid	process	target process
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 1948 wrote to memory of 3380	1948	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 4908	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 4908	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 4908	5224	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 2492 wrote to memory of 1860	2492	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 5224 wrote to memory of 5392	5224	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe
PID 6060 wrote to memory of 4104	6060	Adobe_Activator.exe	MsBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqbWtiVFJWLXpfTUQyUExMLWJfR3Z1WGg0OWd6d3xBQ3Jtc0tubFJ3SE8yN1N5eElZSW8xNUoyakVfYnJ5U0lBcGNTdFBpdUlhMjhVdlJtTWEtVkx4WFUzRzVTUGU3Uy1HNXRQbDJMRldIRzVzZFotenJoRThBVTNNaTc1UWloUEkxNFZWM0tuRmJHamxKRnk2VXg2WQ&q=https%3A%2F%2Fsites.google.com%2Fview%2Fzensoft&v=PbmUZG7hHcA
1⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=3768 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5328 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4880 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5588 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:3852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5748 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5876 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:3620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5620 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5716 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6000 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=6256 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=6408 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6660 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6824 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:4392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=6904 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7200 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=7368 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=7496 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7644 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=7776 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=7920 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=8048 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --mojo-platform-channel-handle=8176 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:3476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=8824 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=8876 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:5628

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x424
1⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --mojo-platform-channel-handle=9056 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --mojo-platform-channel-handle=9180 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --mojo-platform-channel-handle=9364 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --mojo-platform-channel-handle=9520 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --mojo-platform-channel-handle=9680 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:6056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --mojo-platform-channel-handle=9844 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:6116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --mojo-platform-channel-handle=9808 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:6132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --mojo-platform-channel-handle=10116 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:5464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --mojo-platform-channel-handle=9656 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --mojo-platform-channel-handle=10200 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:1
1⤵
PID:4168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6792 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:6000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4916 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:1744

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2060

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Adobe Activator.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1052

C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe
"C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:5392

C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe
"C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1676 --field-trial-handle=2252,i,16504368816373493055,9578615028378602855,262144 --variations-seed-version /prefetch:8
1⤵
PID:2060

C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe
"C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:3380

C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe
"C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:6060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
2⤵
PID:4104

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Adobe_Activator.exe.log
Filesize
522B

MD5
8334a471a4b492ece225b471b8ad2fc8

SHA1
1cb24640f32d23e8f7800bd0511b7b9c3011d992

SHA256
5612afe347d8549cc95a0c710602bcc7d7b224361b613c0a6ba362092300c169

SHA512
56ae2e83355c331b00d782797f5664c2f373eac240e811aab978732503ae05eb20b08730d2427ed90efa5a706d71b42b57153596a45a6b5592e3dd9128b81c36

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\Desktop\Adobe Activator\Adobe_Activator.exe
Filesize
3.3MB

MD5
8ded0a568e808b63422a05065514b7c4

SHA1
b754cc6476c2929216f7951bf2fecf9176ef0cae

SHA256
a0dd7b86f2723ebeee1e043352e6f7c3cc18e88299b320445977fa02d3a6a5d1

SHA512
3fa4852ca7e4691d423a1fd71f546bcae0a15bd5186ebed6025633bd7ea8c2903eb373fd284a43a5df232e67e382807d63c3359e8972a8255847469ea6b07b2c

Download Submit
memory/1860-435-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1860-464-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1948-423-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1948-382-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1948-448-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1948-422-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1948-424-0x0000000005A10000-0x0000000005B10000-memory.dmp

Filesize
1024KB

Download
memory/1948-388-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/1948-420-0x0000000005A10000-0x0000000005B10000-memory.dmp

Filesize
1024KB

Download
memory/1948-414-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1948-419-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1948-418-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/1948-417-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/2492-443-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-380-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2492-421-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-402-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-386-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2492-404-0x0000000005B00000-0x0000000005B10000-memory.dmp

Filesize
64KB

Download
memory/2492-405-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-446-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/2492-407-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-396-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-409-0x0000000005CD0000-0x0000000005DD0000-memory.dmp

Filesize
1024KB

Download
memory/2492-399-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/2492-411-0x0000000005CD0000-0x0000000005DD0000-memory.dmp

Filesize
1024KB

Download
memory/2492-432-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/3380-430-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3380-434-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3380-425-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/3380-466-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/4104-462-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5224-412-0x0000000005F10000-0x0000000006010000-memory.dmp

Filesize
1024KB

Download
memory/5224-433-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-397-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-387-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-416-0x0000000005F10000-0x0000000006010000-memory.dmp

Filesize
1024KB

Download
memory/5224-401-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-376-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/5224-413-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-400-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-403-0x0000000003020000-0x0000000003030000-memory.dmp

Filesize
64KB

Download
memory/5224-410-0x0000000005F10000-0x0000000006010000-memory.dmp

Filesize
1024KB

Download
memory/5224-384-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/5224-408-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-378-0x0000000005700000-0x000000000579C000-memory.dmp

Filesize
624KB

Download
memory/5224-444-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-389-0x0000000005A50000-0x0000000005BE2000-memory.dmp

Filesize
1.6MB

Download
memory/5224-406-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5224-447-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/5224-377-0x00000000008A0000-0x0000000000BE4000-memory.dmp

Filesize
3.3MB

Download
memory/5392-445-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/5392-465-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/6060-451-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/6060-453-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/6060-452-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/6060-454-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/6060-457-0x0000000005E80000-0x0000000005F80000-memory.dmp

Filesize
1024KB

Download
memory/6060-460-0x0000000005E80000-0x0000000005F80000-memory.dmp

Filesize
1024KB

Download
memory/6060-461-0x0000000005E80000-0x0000000005F80000-memory.dmp

Filesize
1024KB

Download
memory/6060-449-0x0000000005680000-0x0000000005690000-memory.dmp

Filesize
64KB

Download
memory/6060-463-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/6060-398-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download
memory/6060-385-0x0000000074B80000-0x0000000075330000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads