lumma | hxxps://mega[.]nz/file/uck20Y4S#Rn_I1Qp3RNho2yfzNN9W2QfF1mYtzI70_azArZndZi0

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/uck20Y4S#Rn_I1Qp3RNho2yfzNN9W2QfF1mYtzI70_azArZndZi0

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://dolly10dge.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
5564	Set-up.exe
5856	Set-up.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133767952651425367"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
5564	Set-up.exe
5564	Set-up.exe
5856	Set-up.exe
5856	Set-up.exe
6116	chrome.exe
6116	chrome.exe
6116	chrome.exe
6116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: 33	924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	924	AUDIODG.EXE
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe
Token: SeShutdownPrivilege	2096	chrome.exe
Token: SeCreatePagefilePrivilege	2096	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
232	7zG.exe
2096	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe
2096	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4604	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2588	2096	chrome.exe	82
PID 2096 wrote to memory of 2588	2096	chrome.exe	82
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 4904	2096	chrome.exe	83
PID 2096 wrote to memory of 2016	2096	chrome.exe	84
PID 2096 wrote to memory of 2016	2096	chrome.exe	84
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85
PID 2096 wrote to memory of 2260	2096	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/uck20Y4S#Rn_I1Qp3RNho2yfzNN9W2QfF1mYtzI70_azArZndZi0
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa202ecc40,0x7ffa202ecc4c,0x7ffa202ecc58
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2068,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1852,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2348 /prefetch:8
  2⤵
  PID:2260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3860,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4432,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5188,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5436,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=208 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4836,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5708,i,16127530344029507627,10523112880350031703,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:60

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:940

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_❈5⇂P-я-σ-g-я-α-м-@ss3ss✦C-0-d-ε--!@#--!❈=9192.zip\❈5⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\P@$$ 9192.txt
1⤵
PID:3128

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\" -ad -an -ai#7zMap31981:188:7zEvent2690
1⤵
- Suspicious use of FindShellTrayWindow
PID:232

C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\Set-up.exe
"C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5564

C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\Set-up.exe
"C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5856

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa396a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\155ba6a3-6229-4693-9c51-4ccdc81867eb.tmp

Filesize
9KB

MD5
370594e89003c8012486ae05da1a4467

SHA1
69ed19c22104b77075156aafe9dfebcfa4f6091c

SHA256
2123a1b797396e98fb8cbfd1bbd7a70bf4331dbece33d7eb89586be4c1f36dc8

SHA512
47f49b030b9472928c1ae51674f983018c0988df594c8022b8472f98a4318adb72d203e246449dd215d5431b33e8c7b42026e1fec85038fdc400a96e55f833d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2b604db1aea4bcff160d7e4cf2ce24b8

SHA1
9ae2f95e6fd811a0ebbe7bde0713110b4c380a26

SHA256
b901ac3df83af3520500a93b9ca30fca71ad0a404e9034ae9c06defad4fd8bb5

SHA512
571b0399863a482013808e01bc89e0f08abda48d3ff808bb40a29d198ad79ae6e9e197cdc34f72b988485798c41ec5f59096539a5560dc70f111717854b9ef9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
3d3c9e335161eb40c7dfb983f12f156f

SHA1
32cb4810d1846000083fc28bc4c13f4c8c993113

SHA256
a5bcc29ae819a908366986f6f97e69f0fc69cf262a8309e807ca073981524728

SHA512
edaa844c2b2d42f0ec2806df720a45a00fcf04a1d8ccf87dce59e5380b9ea0f0207cc25244c7f89290b0de19736a7c32318606eb23700796e44882487e8c3cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2ce4883838e246296fd796d3152c982a

SHA1
ebcb8eb407c941402668ce964c20f942ebf181c4

SHA256
2f01a17b80e2be63803d8136dc08b025a4ca755d35337384b45374ffe8bb2b5b

SHA512
f0b218a5061cf3c8c7d9d3873dfc423d8339be6c64c43bd16b8399590d08accea509ee9bcf17d45ccb2a04c09a84a64148b661c3f4e28d107da738bf41974ac9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8fd60c55b54f075717675a590ce84277

SHA1
f15c42a88f1bc6bad4a79a16871909c4ffb1da2a

SHA256
a091648105a108ea546092befed3b5d71577a86a58c9c532eed84c558a88d805

SHA512
607790b205ebc2927030754708dcdab631d46855e95433d1ca5df2dced8729f59e9a76224a434be235ad7b9e91db63d9c4a66caf52f5db7243ba6b61670371df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4e009c53143105fa462c549af8632e8a

SHA1
983ca396594132bed759ffff3ceeb5ef31f6d2bf

SHA256
2e3369bbcc1d69b179d8bbe59de3cb65cedd282a90e016f80a58ed1b96b77971

SHA512
2596f5ac5f2cc028a5abde079600d2636c97a56da64a2daac48e031fc651df13e444de985ff925e4b49170f51f0fb2f3b94e671d4c29eedf6037908b424ce8cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e4edf76ec770c647181d9892737a8420

SHA1
9ce90f47c1f9b53f0fd91b2e531c509b64d821b3

SHA256
1b53922c251ac9c72ec2f13cf5653e2374328cfa580e056751a456af72511f6c

SHA512
fb253c62ce5adbd7e2c5a88534409df6355efe70162cf9156c4a6919fc181a4d52515167363ad10b88f2df161098cace997e8e3d75e962966923ca6ee31e2fe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
96754ac2eb3bf74810ff7bf1208e7d37

SHA1
02376c32fafb089a014080c452a8cf6bb13b450b

SHA256
3103d92a622876a80b4fb9eb30af8fc88b918a9ca90dbac265bb27c3e051a977

SHA512
5ff8984cb667df9c517f774e7e5807e29c33ecb9ab79dcbcbea769e6a3664590ebfff2b79e3caeb1591352ca89fb1d98216c64f1a0323fa229e76757fc823235

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
36759560d244eaf43b49e0d20e063b94

SHA1
6a96149e97728d2c611d40a1c0b2702e3a2e6150

SHA256
14cdd3bb725d03018adacc76752f0bc314d827e9daf78c731c2201712b98eb77

SHA512
cc646947ee5212d9a091c30cec9cd2da3ca4a96c5bc93274bfe3536335425190f82b19ccd14177722dcbc7e722483fb76c1869e6b985df61d3b677610bf87cdf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e6af72463e455b9f346ea2ab4839447

SHA1
8664e5b6033538ebbab2308c8b99af439e09a169

SHA256
09f443da829f4b8ca6a7c65f42e56f36d3d3d6dd6e49def6378c5215c565bed9

SHA512
0b9909b63726d38ac1215ba91f21ee444a6ad96bc685e3c628801d54becca1a44ab624e9b98bd55de7300f536e98020ab78da4925e1735ada612ecbeeb31e664

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f69f462f6f666d66c5b6c5b33ca3df00

SHA1
f96a4c3b0de5591ba74bc42bff5d7dd3aefa2028

SHA256
9f4d94faaebeea2f203080d8a780c8a33a8f96ffb79ef9a19e36fd8b77bb3ae8

SHA512
dd18d6162f00d8ccc6feae46f810315c38dfdc80fcc8e8f3c3662c808f574290f322694eca75d2d9b9e160382ccbb75dde284a2aa9be915adcfa6da5e3e27b90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d5e538e521fa5fc1cf3c1fc600413b99

SHA1
b5ff23e2fb35285c20934a11cf7b1cae7126fc56

SHA256
9d8da4ff0ca69db12af97bed81393037247817278434f3f2f91fb477180a0f90

SHA512
b68adfd012e702fcdc0d46744b5813b34ae1374deda1840532a9e059afa50b2267ba957e74270c869befe0795fc2b33cf6196e7c25c034aefd2b20e1b910af43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30297aa6aa5d27c97d4d9a32f4e6a436

SHA1
d75e6e58436405d7d455029143b86ad9bfb32b32

SHA256
32d7928c1a4fe49789e7e262a3e60486752b4df8890dff24e48ae597759b2949

SHA512
3ae21ca3b0854f48b294cb4e7d4be0191fc8bf0e8a0fba18c23417b1a3a72a5f4f2b17d8c0200da3ee77a6835216e37b46910563a932246d643f22a77cda1557

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
30a04ac056879d44479494706f28346b

SHA1
e0fbe1b765aaf3f53f3da69382989ab9fbac4db1

SHA256
4c10b42a9cd7d3d4aadc3ef749e1db0f29311c447b46b1d90808ac646b1929d6

SHA512
b4e286dc66dafc474034c3d33cc9b9cb61801b4c6dbb60beb65719a2a88a10012977507eafdb98d46a737ab0dfa9bbe35df7f51e8f63485a90f2146b5e58f363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d1313938c08054ee10605abea75f2e1

SHA1
b5bd9585e7b983a1c3ded1138e1657508cb331fc

SHA256
7cff2f3607e759d55f3114ef8fd4323e1db66f3815e183bea31ccc190f14fa47

SHA512
086e180157766d74ee531b837fcd9a785299584ee4783cd2c2d0bdf32f41f6ae5df56d73c7a50217d7e7ecfaeaa158967795b9d9a52057b13b1ad1e7476c44e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
176620a522d2a12bb9b8549fcab5dc6a

SHA1
d0bb5939fadde83635dcef407fbf9a8653eeec09

SHA256
9fcfdd1b935c26040d0a71fffea99c59f1cb4332436d6e7958cb07ebc40b905f

SHA512
cebbd8c46463405cc735b7d669ec7587be46af8df5188df41813ad620a3711edf8a1398c8959a5788f7a248fa347213d7fbddcd8cf7a374069802e261bd15718

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
de2c6d1d82aa0fce94fb9fa334f1c26e

SHA1
1fbabdb2a0cb0096634bf8a05a34372e322a4239

SHA256
adf7af550ec1b5f90502c643a6c1b137dc522699838249642a9249856f7f963c

SHA512
2c443379c8ccad1e26cbfccefd273e13f125eca67764092ae26824afebc19417f34c2e230f465310013e32454b79718c166c5ef82f47c6f4aea2f167c3f541cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c2d857e5baa3613afbaf770a5be73d0e

SHA1
b428f87a5fa903b06243b0d5731718cf3a5a637b

SHA256
d6d11227490644e4ce4213648b86ad1174f09909620cb943364f9ba83c2da81b

SHA512
fe2176350f1531b69903daa947d658bd70b6bc8cafe711d057af344b33fb72e4078dc98af2e365a08fd94d6832e5d8a37796cdbb966a93aee85f01af4de09554

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e3545a1af0c0ca91347eb0f7f457d188

SHA1
3040cc195358cefa798cc79ee4fcdd4ca922fedf

SHA256
51c76ea7c8945272628c34aa2f57782a1f50720940db998f1923c5345e156396

SHA512
4e9492413938a29696ff5af62436a24b163e7773d4da57e4551cef534136fdb46dd2d09756109b082f34d4e0158d647d3460ce5148ec2b2eb9a2803cc9894c2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
c8ceec04bbfde8d2de5833f0d9ca363f

SHA1
561a651f033561b77de7e43f79acdb68d2574383

SHA256
388b17b346601d2f7fdc588bad1b075f51f57903b5b3c6e7f7445afa28c2fbdd

SHA512
c6d8cd7ab17ad7f2c01565010bdc4cd04851dd10aad33364201af5c311563fe14941dde4f56d070451f6834f99543c9361ba3e82e7b11c1934d036693359be24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b79b2b4bdcc1a1393b6dedf041f47749

SHA1
2d66a49f7f9750f8696b876fbeb7273872820472

SHA256
1ce26d5776e0f1627704ed4de03c9622ca32792ee4ebe24804c058c2190ecd7c

SHA512
f03acbae1847bba7a975a1ef3d39e3d657bfd172861f27c554ca70c279edc02a8156bf741576dc8f720375413fa2c733d3fe40cd26b7df41d2242c16f67b3331

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
0413a83f1f984e4fc6cc37ce1d3f10a5

SHA1
3d5979fbb8be78dbdff1e91b98132ac636cf7fb8

SHA256
fac22d5e1c49589e212e2498ee3cee89a6cdd676f3b4e49d90cec5cb5a0fb3f8

SHA512
e984b6a7aa21a0093749679c3e3b916322354e4b53d63a49019037dc0811a91bae2bc3486e2472b8809708d9e9b9dbd201712ed153fedcab27173c1cb2df6d00

Download Submit
C:\Users\Admin\Downloads\❈5⇂P-я-σ-g-я-α-м-@ss3ss✦C-0-d-ε--!@#--!❈=9192.zip

Filesize
21.5MB

MD5
4efd4cfe37ffac149da9dd30ce1ece3c

SHA1
39849642bee41928cdedf9e405b859d34073117e

SHA256
575b29f71ed86aa6ea40013ecace5a90af2d0c55d50ec5ca64058fe4c815b306

SHA512
e327fcbd1ec80804f3c495dcbe65ee0d6c767cbf9c231c1e3aa801713c53a780770f57e81b7f51b6a023e6da407cc3b3e680a598c0597b3ca92d961d50671dbc

Download Submit
C:\Users\Admin\Downloads\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!@#$ ❈⇂P-я-σ-g-я-α-м-✦C-0-d-ε--!❈9192\Set-up.exe

Filesize
10.1MB

MD5
7e42b9b55f51d624d8537661d36a3d5e

SHA1
bb50bc99c3ab936f35d4f35d9706fc21aff0cabb

SHA256
2e59bd7db699a8a7063c44ad2da160316941bef24b18654eae8de5fc97cabb57

SHA512
d286906c8c47aeb9dfd1e755a930dcda99690edc8d16584b3092c403774963930a13f873d6b6ec3a738a17b04850837e748113b9cd38d4278048204c850422ab

Download Submit
memory/5564-478-0x00000000017D0000-0x0000000001828000-memory.dmp

Filesize
352KB

Download
memory/5564-476-0x00000000017D0000-0x0000000001828000-memory.dmp

Filesize
352KB

Download