lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view

Analysis

max time kernel
212s
max time network
207s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-07-2024 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com
3	drive.google.com
4	drive.google.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 1956	2036	chrome.exe	30
PID 2036 wrote to memory of 1956	2036	chrome.exe	30
PID 2036 wrote to memory of 1956	2036	chrome.exe	30
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 2828	2036	chrome.exe	32
PID 2036 wrote to memory of 1908	2036	chrome.exe	33
PID 2036 wrote to memory of 1908	2036	chrome.exe	33
PID 2036 wrote to memory of 1908	2036	chrome.exe	33
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34
PID 2036 wrote to memory of 2904	2036	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef7de9758,0x7fef7de9768,0x7fef7de9778
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:2
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1460 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2272 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2280 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1600 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:2
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3528 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3796 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3920 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2036 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2560 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=2016 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2688 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2272 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2516 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4396 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2244 --field-trial-handle=1008,i,17553527540608653659,188335853373456102,131072 /prefetch:1
  2⤵
  PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1472

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\install.rar
1⤵
- Modifies registry class
PID:2448
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Downloads\install.rar
  2⤵
  - Modifies registry class
  PID:2532

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\install\" -spe -an -ai#7zMap30912:76:7zEvent6239
1⤵
PID:2204

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\PopMerge.xht
1⤵
PID:2136
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
  2⤵
  PID:2128

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\install.rar"
1⤵
PID:2536
- C:\Users\Admin\AppData\Local\Temp\7zO8E93D6E8\main.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO8E93D6E8\main.exe"
  2⤵
  PID:1796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\install\" -spe -an -ai#7zMap735:76:7zEvent16115
1⤵
PID:2520

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
PID:1596

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:2580

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:2788
- C:\Users\Admin\Downloads\install\main.exe
  main.exe
  2⤵
  PID:348

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:1772

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
PID:2208

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
PID:2908

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85d62184ce7767f0f7e7b9501abe7d2d

SHA1
329a25f2ff7c4b421a2c1e47621a23ddfb2d6bc6

SHA256
1bdfd2868d330512d3d566b3333dbc5df9967ad8fee8a80476a7b928b016b1e8

SHA512
0bb9fb5697ab671aa1392d507091ebeb5adcdd509eebcaa10cad07d410d5589448024658cf4bfb8157e0fe616687cf96436e4f5d056a1f0b80b4108f84a53739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82307b652184cf82ab195b1042127b3d

SHA1
f8edfd9166132a2a12adc6a825581ca31befad70

SHA256
4e17365fec87397afa49fdbd70f1adcc95406e48c0bc2984c807f70caafc6059

SHA512
eaf121dd0dd7c4923894c5d745e122d83c0d475d1cfdbd4003c520324555f53612cc41451290d54e4a67730d5485bea811f9e4ebeda11f4406b4331a8c911a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ea4a6e86148c327ee92a44a94dc4de5

SHA1
a4bbe38be03fbcf32966d93a229121df37f4efe4

SHA256
cda694aece8561e87c3ba3a8c1d099f7841f43bd0eff9614b6c8e0e3045eb705

SHA512
a59f6f16ca4faa7caf50c8b8b53b76a1464e63b69024210bb6c1e4d68fe0b4655643b4ce3a119241ad02dcf00f84941b0c6bfae9257c5bfd54d94485aec37bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3f34ec79daf881afbd306d7ab3568c7

SHA1
5bc1b6e98c93ca44f3bf78811158d5062edcc34e

SHA256
00a3381beb985bf29cb135dd705b8f0b263b669b05df9e0d69dc1406b6982c08

SHA512
bc0fa483433fb3ace3d7f5c8ce71bc4aa7382c59877a6353281cce7535376c201632b88949dd10c8c59130215c7adffb566ebd1c6e4b0a503c1d0ec3b3509b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4207f533e3f459d98c49c710a51a8c8

SHA1
16fdbc9eb9da6d2c4fbf6f14fa928af7003ff823

SHA256
0c3c8a95f47fb5ca0310d1c9b46836c147dd7d587698e21ed36a9f55c8ab7487

SHA512
5d1f3b3b10a256d1e58faf63cd05465f27549cf98839bd85f6bc76ea8417e703bd8580777f866ce7f1923ece0c3a58d2ee02c611d15871632ddbeeca903c48c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73879bfddf6492d4c94118fae02d447d

SHA1
716bdbc37a4b9fe810f8a0e741d8b34d1a20d524

SHA256
71c1de8750697feb2cc5c1028a523aac47965761d79c2cfc6f59d34200896b96

SHA512
70a058df8edffe242c82a19e3b9b6f6c3a3731da49821da58840569200b2e6b32da3f119f4d2cea8996a9485b085eccc47b565bee09321b84442c28bb50f40b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
59dd550edcc01956dd828c9c27896232

SHA1
bd9540f4f67cad2d13f977eea6921065adabaaf8

SHA256
84b118f70a6ed74860c31df442d45f2b4975a3cdb2f9ca1bf7f64cec291d98bd

SHA512
6048f7d8f63bfc63af874cab5bc47f343d2b4edfcc78cd50c2c633fcd520cc5dd3242010e4511d3fe6bbca3bfa7385d1df6cf8ad4186a2c34a93cd17c69c1974

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
11faa27800afe5160e857b534fb5ae23

SHA1
ea2398ae63f3f742decf4e2bd098923225250f2e

SHA256
c1808b77a55ad44841090feeb06eef0dfdef2bef0347a4e71417a083e842b788

SHA512
7d3037805c91c103b19b47dc9e7508c6d1a625194749c8e7e0381bd598be7861563577305801563e02569e6045499b1104a4201f54952bc25fb71265a91828f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
cb7f50417d7687266e629a43f1ff355e

SHA1
ee179bef18c717c46c51b14aa66352eabccdc601

SHA256
ecd4780b77e8c8480f515f01909bc6b5a7294549cc852fa3376fe7cb1b79eb60

SHA512
528435ee06d62e6871d6ee591deddbb4b2b2b9506cb129fa9faab35f77a6c436933ba5d9221601b3e3e37db8b5bf053636d3912793b2a838359becf8d772b023

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1017B

MD5
830f142e0fc36998be35ca5842b919ff

SHA1
5b5d1673ef5e3ef6cb6b145c30d194a022c78ae4

SHA256
f58ea9d61c4c13d374d051cd4096567fd485fa6fdec79ae7b5bf7cd4db19b30c

SHA512
049b762da811e0231a8432972269267ea2687720b7e1d67201e07f935bbe67de823dd715db19a81e7fc4060141fe06547d7a3c9a54e1b4f124712933017bb831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8c3d073e061abb3ebb110195c3126b6e

SHA1
a3d653c991a112776148592386bc48b9d6b1efa8

SHA256
87357eaf2eade0a3f79911a9de1546892d669b9f7999c880ef09fdde255d4d37

SHA512
d69103bfd65e3efcd9e638af1914885dc11e9cf00af37dd50731066190256535fc83f6512f7edf57cdeb833977bbb3e41fe672ce30d250b87a8a914be108ba44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5bf9e596876bee504547e5b42b51a813

SHA1
7afe9aed328adaecfa1c3fb36ce307e69212e0ab

SHA256
e827f28ceab728187c1933dfac63daaf1dfec0289196de799b10a89acad65f5d

SHA512
769483fee4cbd722e9c2cce2e1de1dbabb1f91958e08fbbcacbf9b34e2385f26c96aa1f5c57ccd47900edd56d3890218d268791a1cc9942b76456eb65d88e127

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5a2c0a61f9fe137ab8cfed5481fef62c

SHA1
c40b513da8d4d371364bb4d4a5288a149e0887b5

SHA256
23b4de74970b28d21173f4edac940b25a056111cc997b689b965b56c444dcf7a

SHA512
91aadb8f4e55e13baed4be63f52a98af11a4cb69cfa2fcd072a853265c64a830dd0ff219477c01e58dbf33636e382dc4662b1bd9431091b2a7684babcd3ec03a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1819180859f7e00ab835708d51b227b0

SHA1
989693c992bc06dd978bf3649cd20209773c7e9f

SHA256
0240dba4aae362bb319e345a63225b86dbd6550618c7f09f31fdad573da8b2ad

SHA512
a710551805bc67ef71568563d8719161f4833229c88f94de7ec3a89ecfa86d31c10f2b1de32c71611ef8bbad8affe9b315558e230b715020b9a595f2773b4afb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8555dd46fad4c8c6edbfe53ee9a7518a

SHA1
61a9ecff5424927d4842a4f30eee7c71d9e825de

SHA256
050c7de46be56aef14aca4b4ef279bb88d597a2ac9748c21f44801c83d0baa2b

SHA512
acdd7b885e500bd1143d2564bd9f3f3211cd47d373eabcfdddb855fba22704d4eb124782590248fd3b2dad8f10a23e82ac42fc46ba99d67236cf9dfede6034ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
742b73f745d1e383c33211e76e7eedcd

SHA1
efc78bfd2f257229651eed149c0db225faa97e83

SHA256
9c7b3203513f095f0c6dba146b50eac0cdd76c5c0f68b37315129ba19c7755a4

SHA512
59de2efcbbb8b405884a86e32e275521baa3e013270c250a078e49e55ef7ee5aa86b659ae2d35cde8213737d10e7e386419fe90d2fe9f0f77bb49805ca6f70a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
154KB

MD5
1abac0d8873524ac79f596b97043f41f

SHA1
1bda1da2ecbc482adfd9648f4142021f1cc530d3

SHA256
491acc12d6d020ec2680f35d584e816f6f05fe7d8575d64353268de85f740a73

SHA512
a51a585a6d34a35f128c7b220ae5cdc79d477506fc4a092b7b7ef7d495aceae7bd0c157afd1786a045f023a88adfaffba25d0a61da94f5274facfac119de97da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC7B4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC7C7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Downloads\install.rar.crdownload

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
memory/596-999-0x0000000001390000-0x000000000139D000-memory.dmp

Filesize
52KB

Download
memory/596-1000-0x0000000074EC0000-0x0000000075024000-memory.dmp

Filesize
1.4MB

Download
memory/1596-979-0x0000000074EC0000-0x0000000075024000-memory.dmp

Filesize
1.4MB

Download
memory/1596-971-0x0000000001390000-0x000000000139D000-memory.dmp

Filesize
52KB

Download
memory/1596-972-0x0000000074EC0000-0x0000000075024000-memory.dmp

Filesize
1.4MB

Download
memory/1596-973-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1596-974-0x00000000002F0000-0x0000000000345000-memory.dmp

Filesize
340KB

Download
memory/1772-985-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1772-988-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1796-946-0x00000000008D0000-0x00000000008DD000-memory.dmp

Filesize
52KB

Download
memory/2208-996-0x0000000074EC0000-0x0000000075024000-memory.dmp

Filesize
1.4MB

Download
memory/2580-970-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2580-969-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download