lumma | hxxps://mega[.]nz/file/3nZHGYgA#SZZy9ABTHHkPRL_S-mKpQE61IoShuYhVxNt84REZlr8?6743f2db9ebd4_6743f2db9ebd8&sdm=d1fd9e3d65c9858ccfe557c05b602dda2ea7b830

Analysis

max time kernel
116s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 03:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/3nZHGYgA#SZZy9ABTHHkPRL_S-mKpQE61IoShuYhVxNt84REZlr8?6743f2db9ebd4_6743f2db9ebd8&sdm=d1fd9e3d65c9858ccfe557c05b602dda2ea7b830

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://peacefulmind.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 7 IoCs

pid	Process
4808	Setup.exe
376	Setup.exe
2384	Setup.exe
3684	Setup.exe
2560	Setup.exe
5008	Setup.exe
2012	Setup.exe

Blocklisted process makes network request 10 IoCs

flow	pid	Process
74	680	msiexec.exe
77	680	msiexec.exe
80	680	msiexec.exe
82	680	msiexec.exe
85	680	msiexec.exe
94	680	msiexec.exe
98	680	msiexec.exe
101	680	msiexec.exe
104	680	msiexec.exe
107	680	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4808 set thread context of 4828	4808	Setup.exe	119
PID 376 set thread context of 1308	376	Setup.exe	122
PID 2384 set thread context of 1304	2384	Setup.exe	127

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769800121465619"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
4808	Setup.exe
4808	Setup.exe
4808	Setup.exe
376	Setup.exe
376	Setup.exe
376	Setup.exe
4828	more.com
4828	more.com
4828	more.com
4828	more.com
1308	more.com
1308	more.com
1308	more.com
1308	more.com
2384	Setup.exe
2384	Setup.exe
2384	Setup.exe
3684	Setup.exe
2560	Setup.exe
1304	more.com
1304	more.com
1304	more.com
1304	more.com
5008	Setup.exe
2012	Setup.exe
2012	Setup.exe
2012	Setup.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
4808	Setup.exe
376	Setup.exe
4828	more.com
1308	more.com
2384	Setup.exe
1304	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: 33	2588	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2588	AUDIODG.EXE
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeRestorePrivilege	2972	7zG.exe
Token: 35	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeSecurityPrivilege	2972	7zG.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeRestorePrivilege	2584	7zG.exe
Token: 35	2584	7zG.exe
Token: SeSecurityPrivilege	2584	7zG.exe
Token: SeSecurityPrivilege	2584	7zG.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe
Token: SeShutdownPrivilege	1148	chrome.exe
Token: SeCreatePagefilePrivilege	1148	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
2972	7zG.exe
2584	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe
1148	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1708	OpenWith.exe
4808	Setup.exe
376	Setup.exe
2384	Setup.exe
3684	Setup.exe
2560	Setup.exe
5008	Setup.exe
2012	Setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1148 wrote to memory of 3028	1148	chrome.exe	83
PID 1148 wrote to memory of 3028	1148	chrome.exe	83
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4920	1148	chrome.exe	84
PID 1148 wrote to memory of 4868	1148	chrome.exe	85
PID 1148 wrote to memory of 4868	1148	chrome.exe	85
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86
PID 1148 wrote to memory of 2056	1148	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/3nZHGYgA#SZZy9ABTHHkPRL_S-mKpQE61IoShuYhVxNt84REZlr8?6743f2db9ebd4_6743f2db9ebd8&sdm=d1fd9e3d65c9858ccfe557c05b602dda2ea7b830
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe67d8cc40,0x7ffe67d8cc4c,0x7ffe67d8cc58
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1620,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3632,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4428 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5088,i,606760495386547313,7201259152064679225,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:4216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3188

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x2c8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5100

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\" -spe -an -ai#7zMap12368:114:7zEvent25444
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2972

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\" -an -ai#7zMap8073:164:7zEvent24319
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4808
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:4828
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:680

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:376
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1308
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2408

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2384
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1304
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:536

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5008

C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe
"C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\Setup.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2012
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
b4271f62de1908fcde79a81d07936c41

SHA1
9740c447d908b6fdb784091ce4b72f8a88c7400b

SHA256
fcb56f9c43fd14892ee189ee88e384e53271a4b04eba75cabe41d5b2c5d9e9d2

SHA512
1d75f0d7b4a0f9e19a9ebe6a153bb4728ac84d072d87a48c12a236ffb6f0ec52ecfa16a3df6f67720ba8f7de1f472174a053aba486f29c800911287dcb938612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
7de7e8ec546f68a37661edda252754f4

SHA1
3e5675d3a1eed2d7f282c280edb4cbb87a05fe56

SHA256
315c2e477ed95f0694b60832198fb05bd2d39bab76cf71c761cf97616c6c8311

SHA512
260af5ddf3a549a85b0a99637289e896bcf172a807531a4dece5b3f3b0ec5983bb49335bbfdf548a3efb77883a5c7ba606328de1e69c5754ad6b272cfdf27c0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
1f05441948b391a82802cedfd9bb3497

SHA1
f908c2273639f6e4b407b96e49896f5e730258b5

SHA256
f0de21738d62935d901aab73206bd2bd29eda543f2ccd84f6fa447c41c09735e

SHA512
cff058d4307fe3516f3ef518ca8b90b61ec0a47ea5c9b27700d9a8a8d6792d69c45a71d188423c632c6cf7003f7eb009b7a00bdf706944f92e8dbb6303415af8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
763709b6c70ba05f5bb38880cc119f29

SHA1
bfdbe14f8d932ac508302adcaea3a03c3a21463d

SHA256
9b27f51777c406b4b053299f908ae25dd09321ac51c727dd371c972e68710477

SHA512
d17f3f6237e263e233fb6dd60768704d4f79fd6bf2afdf20a21266626d65a94eb62915709d33f8375f9624461d08f43f48f923ecdaebb1d01e82a6217a99777d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7672d82d4e8e5c826c19435567050e0

SHA1
29d408098bfc6f3e80799eb150284d3a79f500bc

SHA256
304daf0316837a0576e304279bb7ef54c122e3d1a8e68e2ec1c67d2d24158024

SHA512
f6861112f7f6a0b585ea84c77a62beefb18c1313f7ce90fe22c30cb0958a574687c3766de668f63a76003b1cb29afc7e7d10e97551f1feb7e70b6d66a95509a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8911ecc35e69b5c7185c4bdbbf56ff6c

SHA1
1ac3ebb69086f70f4890fbd12e2057b04c9f8a5b

SHA256
9e2fdbc63dada13f81ec84638be53a37982a048b3d926fcfab4bc1befe89358c

SHA512
f75e439efb5f1a985d0af2c9b3bf211456a0f03fb28b6890993659ee5f44413c93e0b1bde6713ec361f598df3eb13057fcfd99a52d594189e4b1179951c9bf97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
517203475d4fe4eafa0c7d7f8df890f7

SHA1
3da138f3e715e24b0f24c04773c3cf2196b67dd9

SHA256
da9260d59b9dbf90f61a79bf76d74dd1b81478797b2a7348dc60164a73ca0fa2

SHA512
8a76b1ccedf6d8fa7f5ce39524996b17dd95d3aaa9db256cbcfdc7606173bbcf0845c4897f068f5cf6f479838f79a62636033ebc49bc82dc00d3a4fa87a95ef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5ca3b44d758346d8487619866cebdcc3

SHA1
caafc73f554a2ea458b2f141b89ca95e98a80d06

SHA256
6474470c449d1c6fb725967bea2f8807c8d97a34080794d056b2f713048596d3

SHA512
83fdd426d071e278f33bb692ad65300c8a616175e721aa9df6eabcdf6ce73a78aed3e8ebd35be3f9ef4eb3f4e1a987dcc3210d87028a6ff63b4d8dd17f36d345

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c50c929dff7db7ca6b0fb6cfa0c797ad

SHA1
6ea102e97408d70b414d43c20a223b699dfa839a

SHA256
d6a6d170869cbb4ce706e557fa068080cf35183cc2031dc1d8e5c2486830c51c

SHA512
29272bde0b45c187fabfa83928976f66baa5f8b26d7066f571ff0a1fc0ff9a3dae024dfe69710630f1f207b7bfdccb640d4a671bbe34aad93447d84f40d2d7fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cafba38cb74fcce0f995b49612cacb91

SHA1
7d3d24af1085c294d61425e69dda2d86fa1d5d32

SHA256
dd661ac1915e688e72127a6e067c5cf9805370f2b415067f1b02babcfda51360

SHA512
908da4e9a00035cd8bbae998982b625f18e98c5eccb69967cfd8a8487b307809aaba213d58793c15eabd2855e6ad8d2b39db19652319a033134b31ca16eaf129

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c48574f88abb848714b24c1eaab083e2

SHA1
907efbb24ba8a0734e83efe98f11b218cbf98c1e

SHA256
fd0551f81e666b833ae6823e5bb20f0dbc2642f4c2cb1a3400701b6bf87cb72e

SHA512
14c8adc0d59b0015074e3177c7b33b7a96794bc561d7823f6927b49d49da305b3c0fe9e353ea9f0f4cc12d0d5eec9647a8ee2e4a612bfbca22c1397df99f2596

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c1cee1926a1a446bdf20dfeb37b350b5

SHA1
f3eaf6ee31f746508f4d56858730638d83737807

SHA256
df81f032ec9e5549d47ad3b6f49422b97650962629c72376181849939dda285e

SHA512
14046389d0ecc5261e2b6f68411aa57378b98b4d0cf7f5006201ced4f18d7be499c78b56723e3f5d09430145838698f64b51aa487e257071b7e941d70da5358e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
507aa43959a4a47edfd8180a55721890

SHA1
5ded3d386fa68512c357247da6fd528538bbb4aa

SHA256
f28d65997dcc576b122f122623da3af645a0de4fa05730460d09a413ebe7d8b3

SHA512
ce9adf10b412a600e383cec2fbbc2e590f5092fc1b5ce408d5ed6e4a2a30e8e28d9612e934eea9f9e99ac7d81736fad79393f82398cd1c549f94fdaf26ccca56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4eab6a292224840d5ae7ef855cf4f322

SHA1
827d95024c861a5749efef2d55393352c95883c8

SHA256
b1189f62d085d22b3dccdb82c2a7a09de5b39e617d6f4e12ed61517df216af8c

SHA512
25c336b5af88860638dd0214d1303749157400a55b90002bd28e63dfa2d997041be903f3832d8d0030a918cd4f9497f252159cf60fafac28a7e420c92b9765ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
dcd646c687171958f425fad231faf2b6

SHA1
9c5ebdc23888157f6c49ebbed3ba60f2235e84e0

SHA256
6a26dd681cf5d013f65f5e483421fb7fc8a0967d7132d408de711ee614abeb0b

SHA512
197b77893fce3852954d619870d48d00f401eebb370d1030d2aa019b29278a4f1656d8fc995493041085e02cdec4a45c8b7f62d40e1f5becf70dd975fb1f0d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\f48c2229

Filesize
1.2MB

MD5
f0ee07352037ac24bc90b2bd7fcd7665

SHA1
2d9bb7cca4883a47fd4e08d05755b30379ea813f

SHA256
2fd1503ec901c95c0556024d343e24e449ba8d2e72fba20b96ba9255eacbed09

SHA512
e328344b5a708341e3efc852291237cc6dfd3f969e7a85e21b0f294c16aae73fff1fc23b5b63ff3d5da34185b67db833f1235590e4a6376298cdba4401b44f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fb931036

Filesize
1.0MB

MD5
3108d6f824adc976dc4be5ce7a7eb3ce

SHA1
b996acbc28e452127bf5bd122fd123392ab6157d

SHA256
9bbbedc01878a0a012baf56e5a142a023c6c9927f6cf278f607dae6041a54b7b

SHA512
a19e178b4aca4da492133d0412a2342cd17ed07d0cba7a8835ca7087ba0941fa15480e7cad96eeaad50e48712dba85c85d3c88118ebaaca34218dec659fa7e22

Download Submit
C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD.zip

Filesize
10.4MB

MD5
e5e62f709a612327654afb8e04f17c76

SHA1
2fc544dbc44170a0671e0669ea116140d45c39e6

SHA256
210d6fbb21bfb2a96bac37e5e4c77f8cb22783a49292444f7bf553888a05f2b5

SHA512
0862a5ff1366cb0c7cd86817c777f4de762bbee9a1ac55dcffcc25ad110adde3d22e394c1e07d8a18041d2adb2ee3b3e21a3cb1b6cb040b8e9b8c6f04c497f50

Download Submit
C:\Users\Admin\Downloads\UŞe«─«☻52439☻«─«As_PsW0rD\UŞe«─«☻52439☻«─«As_PsW0rD.7z

Filesize
10.4MB

MD5
a6a810d5edd05cd096eb111d18042c9b

SHA1
62310e25478653d6a772edb4fab956a85555e411

SHA256
45f9a5841d4280a52b2c68b57f4d5f414483032939014994ebef2fab08618db3

SHA512
3140e2eea05653402da8325997052ac2df757bf8f6d4232892594a5bfdd602c296bccb6c774ea35b6912d47641cf703980f6323ffea51cf5f15f2669aa1666e7

Download Submit
memory/376-241-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/376-242-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/376-235-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/376-259-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/536-357-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/536-356-0x0000000000770000-0x00000000007CB000-memory.dmp

Filesize
364KB

Download
memory/536-355-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/680-306-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/680-305-0x0000000000930000-0x000000000098B000-memory.dmp

Filesize
364KB

Download
memory/680-293-0x0000000000930000-0x000000000098B000-memory.dmp

Filesize
364KB

Download
memory/680-294-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/1304-328-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/1308-264-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/2012-371-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2012-379-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/2012-380-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/2384-321-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/2384-277-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/2384-276-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/2384-270-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2408-327-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download
memory/2408-326-0x0000000000640000-0x000000000069B000-memory.dmp

Filesize
364KB

Download
memory/2408-325-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/2560-317-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/2560-311-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/2560-318-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/3684-303-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/3684-302-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/3684-296-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/4808-244-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/4808-208-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download
memory/4808-214-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/4808-215-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/4828-265-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/4828-248-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/5008-368-0x00007FFE76830000-0x00007FFE76A25000-memory.dmp

Filesize
2.0MB

Download
memory/5008-367-0x00000000734A0000-0x000000007361B000-memory.dmp

Filesize
1.5MB

Download
memory/5008-361-0x0000000000400000-0x0000000000B0E000-memory.dmp

Filesize
7.1MB

Download