lumma | hxxps://www[.]mediafire[.]com/file/o50xaz6wgtazqnx/fix[.]zip/file

Analysis

max time kernel
72s
max time network
73s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/o50xaz6wgtazqnx/fix.zip/file

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://froytnewqowv.shop/api

https://locatedblsoqp.shop/api

https://traineiwnqo.shop/api

https://condedqpwqm.shop/api

https://millyscroqwp.shop/api

https://stagedchheiqwo.shop/api

https://stamppreewntnq.shop/api

https://caffegclasiqwp.shop/api

https://tenntysjuxmz.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 3 IoCs

pid	Process
2888	x86_64-w64-ranlib.exe
5712	x86_64-w64-ranlib.exe
5044	x86_64-w64-ranlib.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2888 set thread context of 1928	2888	x86_64-w64-ranlib.exe	122
PID 5712 set thread context of 5832	5712	x86_64-w64-ranlib.exe	125
PID 5044 set thread context of 5928	5044	x86_64-w64-ranlib.exe	128

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_64-w64-ranlib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_64-w64-ranlib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	x86_64-w64-ranlib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133691461746884362"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeRestorePrivilege	5768	7zG.exe
Token: 35	5768	7zG.exe
Token: SeSecurityPrivilege	5768	7zG.exe
Token: SeSecurityPrivilege	5768	7zG.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe
Token: SeShutdownPrivilege	3888	chrome.exe
Token: SeCreatePagefilePrivilege	3888	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
5768	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe
3888	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 548	3888	chrome.exe	84
PID 3888 wrote to memory of 548	3888	chrome.exe	84
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3936	3888	chrome.exe	85
PID 3888 wrote to memory of 3132	3888	chrome.exe	86
PID 3888 wrote to memory of 3132	3888	chrome.exe	86
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87
PID 3888 wrote to memory of 4020	3888	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/o50xaz6wgtazqnx/fix.zip/file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff82fbfcc40,0x7ff82fbfcc4c,0x7ff82fbfcc58
  2⤵
  PID:548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1916,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2404 /prefetch:8
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4692,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4492,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4856,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5000,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5348,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5660,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5344,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5512,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6400,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:4396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5804,i,8899745531832711722,5963521370299670793,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:3752

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5640

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\fix\" -spe -an -ai#7zMap1040:68:7zEvent29206
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5768

C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe
"C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1928

C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe
"C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5832

C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe
"C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
af2ac817e91cbbc9f636481382b93e59

SHA1
894ef7346e32f322bb069e7b352e501bdfe9d60b

SHA256
a792c41e8f33b310d4702758b37ab67a8ee262d24a8d1c85121f4a00ccbc0b6a

SHA512
d8a5a59f87ac493f187a0609972e1e5b05ce579c1879df5172f24c66429d58d7f587b5dc440c3fea3a7b568ff1455f8aa73e8524ebf4d03b537c63b8850dd932

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
066bb154d62b6efe11f2ca9dd43c7b3d

SHA1
8f0d48b6b81c54cf9c7dc8d9bfe320f0d6db304b

SHA256
e5a4d0c28b4199f448bf8308306ffd4aafcacd8b515981f42df099908ea40ac1

SHA512
eb599f40cb0b7b2a5bb4df2ec11e0e4222b1660f078d35dbff56775e32b9db87f659fa59b41525046c128107d932b7016209e359223d1812c9e5896999481969

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

Filesize
54KB

MD5
01ad880ee50b786f74a5e4fae9ba3d71

SHA1
111387dbe885b7f3af44cdbbeea17eeb04bbf803

SHA256
9368f2d586a1d2727921605892048bf5201ef8caa044f2e939ef431aa881d83e

SHA512
d8dc47e5d55e6598988281539205936c56b716eb02b4e643fc917a68ba4407ece36a9d4115d5d0e32ac630d44eadb94ad2607330de082629fea82a9bd35fb83c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00001a

Filesize
28KB

MD5
13d4f13cd34f37afc507ac239d82ddbd

SHA1
6d500935a441d438ed052e90de0443bccc8c6d17

SHA256
76464e77d22532976bbe5d1829e97854d5c37ed5a46ff300ad9680876ec81d01

SHA512
152e6449d09a7b544cf6f986c9695ae07c330f4b13068cca028ab56ffdad6ff2467f371ea4385ad71da023f3beb83fe0ba1d6d413f1ddde14372efe82ae36b6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\13fe510d2a9c1602_0

Filesize
269B

MD5
fe3b8893e73e1057e247f8cdb8229d4b

SHA1
180d7123b6bce668b20a52a17320db8cd6d41e84

SHA256
453e7058f8119be0668ad053e751abb5e471a6d2fb03f9de2de3f72a66d21cd8

SHA512
95527a94b8fed08a373c4a6f330850eb1165ef144e46b63f4b40828924b4585be98056e94fa7c3b82047c1169ab6e77ff44e069ec4f260694bc1e1526d1684f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\474f4ddf2170e23b_0

Filesize
279B

MD5
404c3308a7ed601fdf8607cabf782830

SHA1
e9dfebe1c09942eeb21a03fa044f7fc23198cdcf

SHA256
ec225f2b9214d926e6102990a168f9ed9de8d435d94155d5c33c3523dae049ea

SHA512
1575a45508e59790467b013c526b039e46d2956f8844adec89d7a09198fb0a85994b8afdaf2b727beb1af68d61e61b0d9c8b8468dbb9069d4c0096f7b90cc49b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\ba54e1020e22b9f5_0

Filesize
157KB

MD5
da03c38421dd3462efa35d9f0e8830e2

SHA1
814b659d7cfaddfc273be7fbcf06cba1f63b4dff

SHA256
860ab9fba8c72e6bfe936e674ea1557a4a1d9df99d4ffc49e9fec4fab19f836f

SHA512
04cba3972ee1a021bb1b76611ed54066075dde3e28931594cba3b78a37de991d277f24c712bc06b149988686d438b7f8f4dd6738bc0d50283b8b0d50be62fff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\bf15e95252273036_0

Filesize
1KB

MD5
183ccd9177774374dc7946a3a1a2e76f

SHA1
b5016997ff3a3b3692df6c34f1da451ea030eceb

SHA256
b1c855693632c0672a723077c1de374d85fd21a9486e72e6c9ae356acc274213

SHA512
2640cecca92831ab47d22b9e1b1c4f7bdef1896b6ae4e17b15328a04c138f351aafe47a0dd6471782d5fc7cab1957eaeeb46768940299ab41ff5db0faab9f98e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\c7d0b2862114bbd9_0

Filesize
52KB

MD5
fc6739573df00727d2a001a1b1d294a4

SHA1
e15ed303393b16efa93a4abb389a8564985572eb

SHA256
f884a04cfc20128405f564b5e959a81f3a0a89e15d2f217f9d11fbe3e55f099b

SHA512
20d274a62f3256cee3f81bfc5549cfac0bda3ac003e9ba04ddfc5ebd2ffe9c846d1ae1daa8e5f351b3a458c4e5b1f437d05f55d85838f0de34c7dc9d51c0019e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\da019b0e58482a9a_0

Filesize
13KB

MD5
26f4faec277b7eb185eb19abcb4c080c

SHA1
53b0fb9c3aefbd14b3e80ddddf1dae9499c1b4f6

SHA256
c2e4ba995cdc5e00b2cdd1e6ec51d0db597a1b9a2b514d0f6fedb43614e6dcfc

SHA512
717b591d0515ac9dbccc5ac970a723a3a0102064b4a61dac8aa7776f3ce26af28db616f39c07722ff9aa7dcb15545db6432d19c110f38554c9fc968cf6c607d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\e5b999651d48bcdc_0

Filesize
274B

MD5
cf66f602cc1d8b63b2775180fb94eb3e

SHA1
38d3d9474f59fa7febf81d77875baeaeb4a2a718

SHA256
d4af0e801409e7c1064f78fe6d79b51d5bb5b01c9540bc5207f6de8b5b230bce

SHA512
1b75aa48bb008e267673df5dd31a8cb3d338ca71d18d4185f5e4a894642a80e6f2160ca4daecf83837abda5f9113e49466451bbd918f335fe0b2f494084b41bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\fb544fdf7f91a9e7_0

Filesize
253KB

MD5
a97770aa505c8da4214603e43b82098c

SHA1
046839c431b12129cded80d92284ac7648860806

SHA256
22b3c5726e4ae5ba2a3682541e3091ed84d9b292a333048478895131d6097cec

SHA512
1877917da11d77173eef792afe9341a4bfd5d0ffddbed5aed0ac3beed4eaee83e23d032d9a85c1576f8880de1cfedab5b1be1ade77c463d44198fdcc5c1a2cc7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
89aa49ce4b952a16febb2f6c6735eeb3

SHA1
b438ad8af4571dbfe0ae49ba841a0ce896ff4e21

SHA256
0742086543527cb5dcfe30a00eab08b1a4d40ad06a0bdda79c46baddaca5b5cd

SHA512
079cc85b02ca805d44a44505f38823fac947b38564d1288472599abb7af0dc83914c1ce446d57a32bc1afd1325bedd659f0861c0b15da7b8635bff8a85579e1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6da11b9d306c7914ebaf3af7870b91bf

SHA1
f172532aa87c2103a29f9f3562fc7d3634d51f06

SHA256
c685b991dcc4e78f6931f587d32feaa0575af7d30524a5f8a90bc3427ccb5df1

SHA512
e6f5a3fa56b5645f2a573778bd8483f93fd56224ad5b2d274eae3f7ffcd5d7428d58e6eea10343bda91dd4b0a5c89b9ede29c22e8488e6b5a26db107c0860574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
20KB

MD5
28269b6f773c806c434f40dfddc52b5c

SHA1
ee5378da146da8b94c76a3fb3fc78f73a344c97c

SHA256
5bef766371083dffba6f03f9440f9b4f6c403d3465cfc953260a5037d2e7d013

SHA512
241511db71fc76fee65e720c1a867a16f2b990e63e15ade339283cf79e694275f4d8796596c6fd8b900c20688ac33b6849c2c148a4d78c7f2d0eb59024c703cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
3da40dc4e526d8799326f8f864361651

SHA1
461c31eba1ce51ff99c16d28df414701ce246dcf

SHA256
4b9b2c96c581ba1f7b4084766dcb1985baa928c01aec32d4ecec2f9b0a9419e6

SHA512
87ef3d4d1841f86f352cc6087e80a3c0d7f7ec98164d5a3bac56ec34b788d7faa511c492e20ebc87a2100a2c2c829ff0dfe231634d8c13f7824136fbbc032dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
8c70c9495f6655108b7ba193a6e26f2a

SHA1
67637f73ef386fd2d62db1ebaf917c6f1656ff68

SHA256
b366f89384e8bfdc2073e73b78889af20b01f19a7bc0228f543ffb0dd3feddcb

SHA512
7063b45a34a81b8ada33d22782308543ee2a0ee583f6184c8d0ff80718a1c8267306a6bbdcef11bdffa1022fed1e076a20f3e91df5aa897fbefbeeb168530686

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
786037fdcd52ddfab274face96572117

SHA1
f87582af1d392a5217c02be9af2bbd3ed63d99d7

SHA256
a51c12d1b9b3ef118db8f79f8727641faaa377cb69594a5324eeac70f3d75868

SHA512
ef064a8206f15c3966c7fa0459ffa201d76a6fb3c4213f493a6b31062635cc71faac6949af1ae293412aa29ac6a7586c4dc4cb94cab5d63e08a6f2e1e0b63a52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
20d03a14bec56d582e1ba60b76c7d223

SHA1
fdb00ed37047a664045251bff1b8e0efe4b0776f

SHA256
b731685b283e4afdb6d029ab4d509518990a06d3a7f7e68e571fe7c6b38ce7bf

SHA512
57509f37b3776cf903aa44560443f1cb4e94256163018e4c8c792804fce95fec4e2942929d8077bb078410650b44d77ce0407e016ec3725ea27bf9c9ca75e436

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
900806d5dca5e2a30a5c88af058d3eff

SHA1
d593284d2b039af2f44cfa53a8989684fcc183fc

SHA256
bacb160363bf38dfcd16de15baa0f7f08047f8c6e4ae6ad5ff691b79e3b258e8

SHA512
2aec7e4be9e139c84f282f148a1d3652afaeb3c4c3428df73fb79f621783e1fb6db8b9f7fe07644f505da37a2c4eda0a9a410ca6016bfd39a4384ada396e7b97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0c3c857297da6fb4c7a09d4f0fe40bcc

SHA1
45268f0a502c2d185e97636d3cb95e0d90807bf0

SHA256
3ce2fbe8ba303bc076b24d3a9fea04aeb3315d4844f6294c33740cf3e7adb9bc

SHA512
a7ebe5ec7e0746cc9937ff89eaa2e100a5e033ceccf64c464f8f24c94e503b9313d21367d2902acb89a7627558da8432c5d14835c04abcfbbf464dd9095a5bd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f628726e29d9fe7a8d546586f3851a59

SHA1
71d1a1b2cbd51d5b805b2bc0b28b887de8dbd623

SHA256
3912def136897d873f50dfb4c001f6fc6da18e0621e2e227e0ee5752527a6b8e

SHA512
3fdb883a8173c871b076707aa0e7169d34cf53ec0cf42d72ae43bba7ea12349c04abed283b8a5d71063656b225ae6ea70c99b1171b4f09734bc44415cf4d4585

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b24cadff8f49d04651044434451d9b94

SHA1
8108648245f5b5fbfc6a5f2663b82b27c79ac6df

SHA256
e0c856364e6655eecec457ea9f733c2c4bd64ce05cf1997a8b39de31dea0b165

SHA512
496b4b954569a78774d5639d6a76ace4effa0ac961f52ab17c9900776bc5cb2e9b28737d4f14ef6be52cc434ea19d66018d90b90085f033225a67f111863865f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
30cdd4a55d54be2ccc7a564f8423e87f

SHA1
ee355d76c3939c49bbbec73fa9658e43c6b99815

SHA256
9abc0f5e317a87c66b7a90a386f9c3975695db3864e3473fb09c18a3b8add7d3

SHA512
97cade62b6cbf091872e27660f48c5eff8d88344cb0177822c0df155f1b27b0a8d51850135660f978edda3c073dde69d5f6dc765667aeb7bca6cb8fa65bec7d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
fd96f6d65ffbdeff770513271a150cb3

SHA1
896ac937911dc9c1d835dafb677aee31057269bc

SHA256
8b5f32a40f560cfa4dce156c4445141834610d8a383cee1342bae538e75d2cce

SHA512
de3f94387b2cbe30e290fc685359b5743271084b73aec2ad79404067ff33e08fd060f40627e8b67c0dbaa6edc6dad5a201a7f8d4d8bcd95320f32808d1ff6f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\x86_64-w64-ranlib.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\Downloads\fix.zip

Filesize
288KB

MD5
70fe41f4e0ba092e841fad1aafa46400

SHA1
e21b9b9b981d788bfa8852154cc51c48b823b071

SHA256
b1f401a32d82597d042df138825c90dd0b673d71017e16cee0f458a78a85cac7

SHA512
e00dfd74dc50464ba7d49829eb13df61736174b03c15a2f8d882d2713719c02a5aba12380473d11dddc93990c9be459ad274757226705e5c3aa96cc950e843fc

Download Submit
C:\Users\Admin\Downloads\fix\x86_64-w64-ranlib.exe

Filesize
285KB

MD5
b58fe0a5a58266e2d16703e7725a6f77

SHA1
bbdfd57437aa760246c6cbfa7a97405344347633

SHA256
b127de888f09ce23937c12b7fccfa47a8f48312b0e43eb59b6243f665c6d366a

SHA512
593b6ee4955d760359afe2df9d59ae966dd393298ec67b0b8441568a3ff075a485fea199ae1434eeb2cff26b7075085e4dd42b2c40327dd45bd22e0e8f7cf8cf

Download Submit
memory/1928-359-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1928-361-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1928-357-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2888-354-0x00000000000E0000-0x000000000012E000-memory.dmp

Filesize
312KB

Download
memory/2888-353-0x000000007444E000-0x000000007444F000-memory.dmp

Filesize
4KB

Download