lumma | hxxps://mega[.]nz/file/4qsyVAYY#blvx1Ud_k14scSlDcU_INfxt69eiOpw_G8PXbnaT3g4

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/4qsyVAYY#blvx1Ud_k14scSlDcU_INfxt69eiOpw_G8PXbnaT3g4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://spicywind.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 5 IoCs

pid	Process
3228	Setup.exe
4888	Setup.exe
2920	Setup.exe
4364	Setup.exe
4888	Setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766186016113159"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
3228	Setup.exe
3228	Setup.exe
4888	Setup.exe
4888	Setup.exe
2920	Setup.exe
2920	Setup.exe
4364	Setup.exe
4364	Setup.exe
4888	Setup.exe
4888	Setup.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe
2052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: 33	3848	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3848	AUDIODG.EXE
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeRestorePrivilege	2824	7zG.exe
Token: 35	2824	7zG.exe
Token: SeSecurityPrivilege	2824	7zG.exe
Token: SeSecurityPrivilege	2824	7zG.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeRestorePrivilege	1700	7zG.exe
Token: 35	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: SeSecurityPrivilege	1700	7zG.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe
Token: SeShutdownPrivilege	1616	chrome.exe
Token: SeCreatePagefilePrivilege	1616	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
2824	7zG.exe
1700	7zG.exe
396	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe
1616	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
212	OpenWith.exe
212	OpenWith.exe
212	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 3548	1616	chrome.exe	83
PID 1616 wrote to memory of 3548	1616	chrome.exe	83
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 4676	1616	chrome.exe	84
PID 1616 wrote to memory of 3068	1616	chrome.exe	85
PID 1616 wrote to memory of 3068	1616	chrome.exe	85
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86
PID 1616 wrote to memory of 3400	1616	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/4qsyVAYY#blvx1Ud_k14scSlDcU_INfxt69eiOpw_G8PXbnaT3g4
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4855cc40,0x7ffe4855cc4c,0x7ffe4855cc58
  2⤵
  PID:3548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2176,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2264,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2288 /prefetch:8
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3164,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4372 /prefetch:8
  2⤵
  PID:1880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4932,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5096,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5424,i,15404556108889886921,868533165422698941,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2052

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2232

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d8 0x514
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3848

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1408

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\" -spe -an -ai#7zMap1958:126:7zEvent2085
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2824

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\" -an -ai#7zMap25584:192:7zEvent8341
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1700

C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe
"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe
"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4888

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:212

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\" -spe -an -ai#7zMap18256:192:7zEvent14210
1⤵
- Suspicious use of FindShellTrayWindow
PID:396

C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe
"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2920

C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe
"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4364

C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe
"C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
898b65aea2d1fded7d2bf91b7d777cdf

SHA1
274ed5ff3f63cc101c92c1b29e0d7deeebfceba5

SHA256
bb5707c455cae5a9b42b865ed21550e86018325bd5f10ce784eefd2b00cbf681

SHA512
e08d752e9d4c5be3859351ea2b4d60da80c570b915ba164b0dd1cc13169dad7ddf711c7a2900ae360c46bda1d18f9d680ba059c708b1deb3b483bd4a1072ba35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
9fadcec5c9c6aeb318b16abbfe62f73c

SHA1
e757ac7f42559b5e02ab3fff1e33c327da14708b

SHA256
a8d3e46eb98647c07b082d440a6755656e767c3a42afe3a67da047c57e3e806f

SHA512
8caae52058d302ef5ec889b28e3da9885a99802fd0de80227c1606fb0678583f8656e2bbf76696c641b793c2b779a828d94d34b3015562f6411542f2227f9936

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aa9c3fff95bb26e8fed47c308bdcc3cb

SHA1
cade52bdfbd7dec17778e02bf00afe270fa84b08

SHA256
b8aadc723ae6e05836751287039f770b206828410b3f18309f577e7c9043d64c

SHA512
fc43eb9fa13fc05dcc3d88fb200937d6045e95c34d1c41f8ee25450cab1f66f09ee8bdf49eb716d620efcf88d571977252a25d5605db5485e72980641f181abb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
63ea94f57c7f20bd7633fa181e1a1c3e

SHA1
ea559fe9adb6d119b4697f501f6f408ca56373b5

SHA256
96bd8640496e1071d0db9b28361d910a5cbd714d1aba8a6669fbed137c5374a5

SHA512
5762d0c8c111c117978fa0aa28a667b0dc4732ad153079aa8df5630d97fb0a4c8af7bca52490b5115bbf72d8a82a8b2bf261521886a508fecfa538646f6f6f3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c7ba14200b57b933e73c40d292bf734

SHA1
87b97eaabb6eadb0599e257aaa5165dd70fae1a4

SHA256
d76ad81c58c32978c837911234ac228efbc422f7174ab1b060c030781f779ef0

SHA512
dd380b671ca3c1e8b7d48c1ef08cac0f883c2fc7483d6bb8b996d686586b44a6079b11d51b0799c833c8375e45ecc8e3262990089cdd2d33f7414e5d0b28bb53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3324e6bff199a3a4972fd3c3f504416a

SHA1
1b656119718c818bf51f748505112a5bd193cc6f

SHA256
92212910da37b87f29c0913b17c09d2013f2543154f3672620d487df0412c826

SHA512
76876446d333ff14134d4e621007f6ad16a20008fc2c0e9332a2b5f99e9f531334a9e56256e4f4463b96aa3efbfbd29d40693276e9f61fe660dcb1dd69d23fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d70572809da32d287dacfedea289a6e4

SHA1
dab2c562476f7c9aa06efbae4a5076ae8d37813e

SHA256
0e7fce6ed6a2438588d692b44626e837ef00b782305c87ce6b72846cdb3864af

SHA512
35dad4a04d54dbed76bafbcfcb4e196e5c99fa8130b9d5f54694648143e88ae9b56273a9f175cb56b1b2b8f43c122bab1a11a97e058553ee7e2afe1d9c8ae6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39ccc566db4ee869bda755617bd50a40

SHA1
0a1f2e9a9f4ec07e6734de9f2def39466e2b7ea4

SHA256
309e5d658e0140537b81235581808a3a296bc56be397cf9f5e847d5869b02e9f

SHA512
cb6daf610db963c025ff7f87dfd11538f80d00ec13dafb8b0585d5678c6fc3c991c942fd0c49905e59e603e7f3c7a96ad63d99b47ac8d936ed998401cfbbc9ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
98a44532018ac4c345efbbbbee34a0c1

SHA1
b2eb88cb03bdaabd9585f4715f0a4183ad5fb741

SHA256
db1b6645cd2756a80329856ba458eb8079852eee717427941647d657d9cd120e

SHA512
2d3cfcdd9d6b81012a3d71b5a20a61461225a5175a9d4292895122233e6719b3231725841dc86b3ccd75f89ebb054b92c7c321e58409249aee99c69bf4b0e5c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
05f8fa5d88a0da9a09cd84b2c8964025

SHA1
f8d6bdede77a6ab8459becf7825a8f37f8717650

SHA256
bb56aff0ccd8d6011893b7a14ef110dc1d00d834b8ecbe09b3128fc4b5519eff

SHA512
bff7304650ba5ec73eda548a0c34af24e8cb9fe921b869c198268e41428604ff087a508916aaf76d638f5cea7366854f58346232d2b25e792527ba4274a709fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ecf8ab67dd0653c68ce584c30c776b6

SHA1
24f183beeca00cd52dad236cc9f192ea1886c2ca

SHA256
fe87cb2c20cabdfe356e85263dbc851091f7053bf4bd3baa688b10e45de8d962

SHA512
8afa12be1178775ba12bfbc977d0b1f069c38f668e51960f891f63f789dc8b9cd68ab0e7d5a31677e2f241db4c51a94dd76096504806ef1b1516af1329d99a35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
17d00d6d5d3f0e5b221345129f76e3f0

SHA1
43f03b62e24d774e357ee1072185bb03ce078cba

SHA256
9c4ff08441f16476afc943301f0e5cdd1b73360a075b84f674c289444c784b7e

SHA512
65f831cfadc4e58d140af4cb9afa3632aac7565de395f47c49ec987bd9d1dc564830a843218581bb38b65ff48c48ee4b25027629195713063b45a2ea732ae48d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a94e5dde469f6c6aee48c4103408265

SHA1
6196d419be6a4e792f1473e7d694e386fdc5aefb

SHA256
50acd4351c462f86a1da7eda6e8f90ecd64699de5879e429085c11d6e23a2f1f

SHA512
11dcfc01668f9f53e37c43f1bb5d5207ed07e22b21cd0a7051855ae9c2ebaa378391e017b1a625a4047e923bec338951a5c7064e7a1f357eca7b5590c3a1f42b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce06d90fc82abd154c64084a065f1a98

SHA1
c55b4a1b2492f2e0ec3eb00871dc29046e36e33d

SHA256
6a3e6018945559e6034088ce2913e86aa525d78cfdc19d2b3809767b8de09891

SHA512
f4525a12a54a40fda190f1a946b7267612797b6289f001bc5be0bb1201f6a9a0b203054e4ef8d333954489eedd06dab42a501b1abb4f93c2fc8243752d212b7c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
8ce726e40d435863eafd9f822d34f511

SHA1
6d4e2a1348fcade2f5ccf3c11692555538d6542e

SHA256
167d34d84cf0efa8305bb7a1f246d7e608eebe91431be67a9af4765876a155bb

SHA512
d3ce68111c13b843a2441f429fdcf20e900144deda17090ce421a0fbc4344b17caeb870ca49e3b2856173dcc7b2d8764701540e73a42e706ed38aeb97d7fc66c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
8f67e0a3ce6ad62d9b09e52d35a4d065

SHA1
b4c06992e11a32dff9c8329af368851d5e89253f

SHA256
753307d459032eccde0e430b560193d63ef4e4d80ca32622a2e9e1142e4b0145

SHA512
6e4e18da2b9721a1ee65889d7936369dce680422f40b6e1b20f349ce34358920871b72cce59a1ced1a25280bb687f82dee3db4f465b9b5d033b876bab64d44cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
cf99237bfa5f41a14d8d19d39874f819

SHA1
aa72f7f62ac72beb2fa79e4ad7277eb25f5be49b

SHA256
57c59218242fb72c7e5e4029d4047e615c1f332c22d4e8bdf80ca8772e67ba4e

SHA512
efbb7fdcc990c9ac84985998384aa863204be416926357d456ea219a97bc7ff8f54e81eb03fb3f8350b3afc84762241b1c628ce7080b590eaa2e2d69a05e5ef8

Download Submit
C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#.zip

Filesize
1.7MB

MD5
f0571a930c104124056af77d80997b93

SHA1
bc41a7b9bc662b111eaf9a84b79c5648a95518ea

SHA256
438646f7b81e6b7e04f0cb8c445a57d1298d96b8ff49c0e2f3165c9ea8084e88

SHA512
5a3db55ebe3caa7940bc018f1f6c039d8e157e190353e5b48cdbbfa0538234abc9fb8793b830f95bee530171c357590044e191014bd8f9f0be967cfe77bf0ed2

Download Submit
C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#.rar

Filesize
1.7MB

MD5
2b4c2b6e0b5fdbc1e2868994fcde7f8a

SHA1
4e6d540f34dcd9bde9171331f48ae29e2c1f841d

SHA256
06e2593947183b27881a3c5c773fefd6c9eaf463eb107a137120dd6c0a461c87

SHA512
3574476f3c6e97c690f23e1480d8d432472278b2a64758f65db7ae0b03db23b148962d5f73b28e4e2be3854c8204c05be1919114bf890173f1ae0f689047eea2

Download Submit
C:\Users\Admin\Downloads\#!!Se-tUp_9535_Pa$worDs#!_0Pen~#\Setup.exe

Filesize
7.5MB

MD5
400366be0eeff4adbfce0ced13d2283b

SHA1
052ff17a25fd127276466f09d79151b633dde5c3

SHA256
f6e09562ee6168423dda0a5a832567b2d11f6bc749cdbeada87e69a9bb97f479

SHA512
b67f3a22ca0845ff57d50b19cd78d4786b87fccf3195422462fd05638b6ed002373035a025ee2436931f24eaada2fa8a41224f85a5c60063f061e95f72c3eb90

Download Submit
memory/3228-228-0x0000000001440000-0x0000000001492000-memory.dmp

Filesize
328KB

Download