lumma | hxxps://www[.]mediafire[.]com/folder/6q6psz38mqj7b

Analysis

max time kernel
205s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28/06/2024, 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/6q6psz38mqj7b

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5596 set thread context of 6004	5596	Aura.exe	124
PID 5500 set thread context of 1912	5500	Aura.exe	130
PID 5792 set thread context of 5808	5792	Aura.exe	136

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1576	5596	WerFault.exe	121
4768	5500	WerFault.exe	128
5932	5792	WerFault.exe	134

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Aura.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5924	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeDebugPrivilege	2024	firefox.exe
Token: SeBackupPrivilege	3596	svchost.exe
Token: SeRestorePrivilege	3596	svchost.exe
Token: SeSecurityPrivilege	3596	svchost.exe
Token: SeTakeOwnershipPrivilege	3596	svchost.exe
Token: 35	3596	svchost.exe
Token: SeDebugPrivilege	5924	taskmgr.exe
Token: SeSystemProfilePrivilege	5924	taskmgr.exe
Token: SeCreateGlobalPrivilege	5924	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
2052	notepad.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe
5924	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe
2024	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 3960 wrote to memory of 2024	3960	firefox.exe	84
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 4372	2024	firefox.exe	85
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86
PID 2024 wrote to memory of 536	2024	firefox.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://www.mediafire.com/folder/6q6psz38mqj7b"
1⤵
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://www.mediafire.com/folder/6q6psz38mqj7b
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.0.810343370\461159661" -parentBuildID 20230214051806 -prefsHandle 1764 -prefMapHandle 1756 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9ef60e97-ef0e-4efa-a735-76ca420a57d6} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1856 2989270d458 gpu
    3⤵
    PID:4372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.1.1088291930\2103191107" -parentBuildID 20230214051806 -prefsHandle 2460 -prefMapHandle 2456 -prefsLen 22927 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f733c0ef-3ce1-4e3b-bd10-cd711ca2ef0c} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 2488 29891523b58 socket
    3⤵
    PID:536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.2.864362179\1612226719" -childID 1 -isForBrowser -prefsHandle 3036 -prefMapHandle 3032 -prefsLen 22965 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7367a410-d3ce-412e-9eb8-ce055e399891} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 3064 29895554758 tab
    3⤵
    PID:2352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.3.2048905458\376988016" -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 1060 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2270a09-bdb4-4cce-9d0e-e4f13676b4d0} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 1044 2989747e258 tab
    3⤵
    PID:1212
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.4.1860146204\1070040916" -childID 3 -isForBrowser -prefsHandle 5128 -prefMapHandle 4628 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb8ae8fe-e677-4d83-af5c-99ff12b4aa11} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 4840 29899573e58 tab
    3⤵
    PID:4284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.5.145805965\2145180898" -childID 4 -isForBrowser -prefsHandle 5408 -prefMapHandle 5336 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e83d622-9d7c-415f-902b-e287cadeae6b} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5316 29899572358 tab
    3⤵
    PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.6.925680364\537717165" -childID 5 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f13a62c9-b55d-4a5d-81f7-e4cdc25aeb58} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 5632 29899749858 tab
    3⤵
    PID:4332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2024.7.853579077\1230147552" -childID 6 -isForBrowser -prefsHandle 9356 -prefMapHandle 9360 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 960 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97e79a68-7dee-4b97-aab0-ff8c624a7416} 2024 "\\.\pipe\gecko-crash-server-pipe.2024" 9384 2989a0f1558 tab
    3⤵
    PID:6060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3596

C:\Users\Admin\Downloads\Aura\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura\Aura.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:6004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5596 -s 140
  2⤵
  - Program crash
  PID:1576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5596 -ip 5596
1⤵
PID:5236

C:\Users\Admin\Downloads\Aura\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura\Aura.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1912
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5500 -s 280
  2⤵
  - Program crash
  PID:4768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5500 -ip 5500
1⤵
PID:3548

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5924

C:\Users\Admin\Downloads\Aura\Aura\Aura.exe
"C:\Users\Admin\Downloads\Aura\Aura\Aura.exe"
1⤵
- Suspicious use of SetThreadContext
PID:5792
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:5808
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5792 -s 244
  2⤵
  - Program crash
  PID:5932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 5792 -ip 5792
1⤵
PID:5720

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\activity-stream.discovery_stream.json.tmp

Filesize
30KB

MD5
0ee9544f8c7d8f85c5ca5e7c3dd9c66f

SHA1
78e2d7972ab0b87ab7d733503c6c94d7b35d1fb9

SHA256
ee7b840d361084069989a9db7831cc5134d81bca639a008a437e1eacb5264fd9

SHA512
2282a243ab01769efe2a08e5c0b9257fe3f33cc44556421f1e11973b3c1a2779a77f589f984c0427363e5947cd43cb7e9a01efc24e6d36e58993e346bb3f10a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\doomed\25623

Filesize
10KB

MD5
f18329463c17c3048d8adfa66b506029

SHA1
0ff9840da53b4d02b774212590a500acf5ed728f

SHA256
a0623dbb334f81a03bffe9faa4f67dd54d4a8e09f2eff8c4cd53b78998005c34

SHA512
aabf478b243513af30d69054632d85e2ffc5fbe9f83d17b4e05ebd4c6721e8aae091391cbbad83c290686e18c1061525f9df38e906ac37a2418477372cb4d7bd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\doomed\2934

Filesize
10KB

MD5
4cf8cce683c88aa3168ed5f6fd12ee80

SHA1
08f2966f4024ad65f255b635f068beed89f95ae2

SHA256
ef0c07ecb6c58c3afdb338f5d4cc3ffd5053bf45c368565dd3cf8fed739f590a

SHA512
98f6e4bedb42cd4b5f2a8ab417923575c665a3993debade6f2d2027ee5d43dec83db4482eb06f3ba9609f95e034bf96a0e063895dbf937a8645be8defefeb605

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\jhlyxaos.default-release\cache2\doomed\30172

Filesize
13KB

MD5
6ab43bf69e483e71f134934818a76274

SHA1
073f8dbc6325f75e057919e7fd61fe9ebe3c7063

SHA256
24c8d6f61d4918b4126c3ea3542dd4d85727be741f8f2abf89416aae1d04aed5

SHA512
9ff39a539d1c7510a4522791028f04619fb7f8874a4b6dd7fb4d3b675d8c216f4c44031ed9b91644558e7a90f08967384baddcdf6a203516ba82fe48e8fc63aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

Filesize
8KB

MD5
cd386577e2562b1b374944085c9acbbe

SHA1
54e8f4bf2d13909e44410845805e8fbdad20d4c3

SHA256
dc388d12d0cd34d68b67453eeec87cb01a75e2f468553e15dd16e07d8f2f99cb

SHA512
6a1ae8cdc51ce90b32a00f4a7817fbcc4582e9391925972b2ca7fbcf383593a2c1b551a536680f6cf6011398ab5b1ae56cb21f3a61145daa3ec438cd18800b4c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs-1.js

Filesize
7KB

MD5
b2db0d75af8db30ff3fb4a2db61453f2

SHA1
3fd9652f2ace0e5ed6a687862034d128edec894f

SHA256
d34485bec2216754b3af190006d71e1d19cabbf9a11e4a889ba470e970593ba6

SHA512
9549d521dfa558da2d03e2d886598fa310ad9bd68670336a0bcb5563e8ff1b754aba399c6f8db8aa9e71085c68490b9cb437ca7631f9cc518963486e3078191b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\prefs.js

Filesize
6KB

MD5
2f2595d12f85b61679441ead778d72ca

SHA1
14bce54814ac086707b70f9e9dfe745acd8d6ee2

SHA256
30aac971182f3d0c2c40f991a5ba302ae11067fb2356ce66ab3c6263ee911085

SHA512
a0729f1cf9db815599a5244fd683b1ac0caac6959ba8c78df8cec0a6e7ebd7fe9341d1d98a54e841fa7c60757eb26e72fd65acdc5649d9bf2dea827c1e50dec7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
1a2643c234687be48af93bfc4b157ff1

SHA1
eafe5ebb0e2ae8e6a31037c868bf1b77de3f9d3b

SHA256
11364eefbb9c8475274924ed0cdc94dfbbd86f2bd19b32d5a6db743947da756c

SHA512
0979d1e8be016089af19a500b57041730b9576c1362bcf079690862a171ed27bfb7b54c28b47e06a8acc39433c2d4c760bd2c24bebf56d4bf441a7a268833fbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
e6dcf537d1964d6f2fd77b40964cab07

SHA1
a39fdcb9f27b50f49fec222f63b116ab779c7e2e

SHA256
5b2c7b9650bed9eeb3830cf32ba5069d3850d80dff0be50da8c1be4497b91e6f

SHA512
8033a3c4dbcdfbd7330691ad26966598c4d02299f82ed6d9f5076552bf63bdee0d83ffac2743c32e13f2c6d1f77cf4f375d8121efdc514a64183a51cf342adb4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\jhlyxaos.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
11KB

MD5
5742c5bda7823a01d7067eccd6fb910c

SHA1
80cb10667dc803a60631cfb7d1df2a49b0a50a9c

SHA256
cbecb4966e037711d9f699b7c7014ef49e6237f76d55464f00f2cb93c89d1a78

SHA512
c00e55ad0c3f57c9ab3cb8cd7ec7923d6ee0334a951d30bea33ca09c2672ac04bb468b49aa57f868425fa26c3f9d783a89f48cd9c0894fd50ca3f1e4ccb2001f

Download Submit
C:\Users\Admin\Downloads\Aura.KFPyHGSf.zip.part

Filesize
64KB

MD5
55b52dc1fa416ab4f7af1b96befdcdb9

SHA1
16cc5371a004d7f479c35f84d8681def25442346

SHA256
0d5956465ce05e1ae54453e8625362b4b8574c71826871ec02a745b208cb8e44

SHA512
94afda59399da498c5613b30515349c48946eb16af374ff270ab7c600f82d2a28af07eb0fd7812765857fae794e3ee5dda6a38a1a580b2b8796bda01db05c863

Download Submit
memory/1912-2384-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5500-2381-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5596-2376-0x0000000001490000-0x0000000001491000-memory.dmp

Filesize
4KB

Download
memory/5924-2395-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2385-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2387-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2386-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2397-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2396-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2394-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2393-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2392-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/5924-2391-0x0000025CF0260000-0x0000025CF0261000-memory.dmp

Filesize
4KB

Download
memory/6004-2379-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/6004-2375-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/6004-2378-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download