lumma | hxxps://www[.]mediafire[.]com/file/90r312lo4frwt89/#Pa$$w0𝑅D-7093__Sat-Up@![.]zip/file

Analysis

max time kernel
165s
max time network
170s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-11-2024 02:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://www.mediafire.com/file/90r312lo4frwt89/#Pa$$w0𝑅D-7093__Sat-Up@!.zip/file

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://powerful-avoids.sbs

https://motion-treesz.sbs

https://disobey-curly.sbs

https://leg-sate-boat.sbs

https://story-tense-faz.sbs

https://blade-govern.sbs

https://occupy-blushi.sbs

https://frogs-severz.sbs

https://winterchill.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: #Pa$$w0𝑅D-7093__Sat-Up@!
phishing
A potential corporate email address has been identified in the URL: #Pa$$w0𝑅D-7093__Sat-Up@!.zip
phishing

Executes dropped EXE 2 IoCs

Processes:

Set-up.exeSet-up.exe

pid	Process
604	Set-up.exe
1208	Set-up.exe

Loads dropped DLL 2 IoCs

Processes:

Set-up.exeSet-up.exe

pid	Process
604	Set-up.exe
1208	Set-up.exe

Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exemsiexec.exe

flow	pid	Process
42	1364	msiexec.exe
43	1364	msiexec.exe
44	1364	msiexec.exe
45	1068	msiexec.exe
46	1068	msiexec.exe
47	1068	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

Set-up.exeSet-up.exe

description	pid	Process	procid_target
PID 604 set thread context of 1548	604	Set-up.exe	97
PID 1208 set thread context of 2372	1208	Set-up.exe	102

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2336	1364	WerFault.exe	104
2316	1364	WerFault.exe	104
4704	1068	WerFault.exe	110
2580	1068	WerFault.exe	110

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Set-up.exemore.comSet-up.exemore.commsiexec.exemsiexec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 17 IoCs

Processes:

LogonUI.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "55"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133771496049115549"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe

Modifies registry class 6 IoCs

Processes:

BackgroundTransferHost.exechrome.exeOpenWith.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

Processes:

chrome.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\#Pa$$w0𝑅D-7093__Sat-Up@!.zip:Zone.Identifier	chrome.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

chrome.exeSet-up.exemore.comchrome.exeSet-up.exemore.com

pid	Process
3332	chrome.exe
3332	chrome.exe
604	Set-up.exe
604	Set-up.exe
604	Set-up.exe
604	Set-up.exe
1548	more.com
1548	more.com
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
2156	chrome.exe
1208	Set-up.exe
1208	Set-up.exe
1208	Set-up.exe
1208	Set-up.exe
2372	more.com
2372	more.com

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

Set-up.exeSet-up.exemore.commore.com

pid	Process
604	Set-up.exe
1208	Set-up.exe
1548	more.com
2372	more.com

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid	Process
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe
Token: SeShutdownPrivilege	3332	chrome.exe
Token: SeCreatePagefilePrivilege	3332	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exe

pid	Process
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
2500	7zG.exe
3856	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

chrome.exe

pid	Process
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe
3332	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

OpenWith.exeLogonUI.exe

pid	Process
852	OpenWith.exe
2868	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 3332 wrote to memory of 2492	3332	chrome.exe	77
PID 3332 wrote to memory of 2492	3332	chrome.exe	77
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4300	3332	chrome.exe	78
PID 3332 wrote to memory of 4016	3332	chrome.exe	79
PID 3332 wrote to memory of 4016	3332	chrome.exe	79
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80
PID 3332 wrote to memory of 3492	3332	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/90r312lo4frwt89/#Pa$$w0𝑅D-7093__Sat-Up@!.zip/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffa748cc40,0x7fffa748cc4c,0x7fffa748cc58
  2⤵
  PID:2492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1792,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  PID:4300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:4016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2144,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2392 /prefetch:8
  2⤵
  PID:3492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3100,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4664,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5208,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=2988,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4832 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5480,i,10696435252903333614,8343881391755739570,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1412

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4592

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12642:112:7zEvent18852
1⤵
- Suspicious use of FindShellTrayWindow
PID:2500

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\#Use-7093-to-0pen!\" -ad -an -ai#7zMap10541:96:7zEvent31696
1⤵
- Suspicious use of FindShellTrayWindow
PID:3856

C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\Set-up.exe
"C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:604
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1548
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:1364
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1464
      4⤵
      Program crash
      PID:2336
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1364 -s 1436
      4⤵
      Program crash
      PID:2316

C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\Set-up.exe
"C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1208
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2372
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    - Blocklisted process makes network request
    - System Location Discovery: System Language Discovery
    PID:1068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1440
      4⤵
      Program crash
      PID:2580
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1068 -s 1428
      4⤵
      Program crash
      PID:4704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1364 -ip 1364
1⤵
PID:2088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1364 -ip 1364
1⤵
PID:2664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1068 -ip 1068
1⤵
PID:1840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1068 -ip 1068
1⤵
PID:3844

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4396

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a28055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4845e0cff32208361cfe2e4f0fa98f9f

SHA1
79c3dc6e810c36430873407f8caf7182ecc63341

SHA256
69eedcf825bc5ebeab81178fd8bf2cb087c80fd1419579a25b297ec06d66d757

SHA512
b5999144c3261f90b1b9fd1c709d628b3018117a9a295e3ff2108d9028019c9d2cdac577c2e0a905583844727e0c7bbbaf3e0632e0bf123a4f750d71c79f86ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
bf9ed676a728e9fba3e9f14b4f17ff82

SHA1
080e8a240e86c0f460d9d917c6098c7502264bb3

SHA256
8e08e3cc9d4ebfd0d189b4fc7247291b5c839a9ad4a60ab2725674cdb2cfbbf4

SHA512
7a8e1aba8597fc2cf44f6cda472a41b8db0a7d6bf8f6c931868a6746be092cbd836c0c5de2160a72f6840e02d1814cdfce571e87405e26543a02de87c1781c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
ec6ebcaf37a690c1bdfce5495c93494f

SHA1
6e22ec09ed937e2de462405b855b7f28c086efd3

SHA256
3b645fdf607d54f313572d93725a8db90dd24eed212fdf98390a3d0c4b9d8a13

SHA512
6da1705adc78d77a3ce0fcf6d97c5f1d90dbe08b74b5fe4da406ebcec5eaad76ed26feeb3b468068696f408e91521bc5a3c721e5a061198165c0603e12c3c2de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
b5b1c99fdca92131567f092aeb896c8b

SHA1
9ec04a4a438cac3d5955a9762f6591a917fe9176

SHA256
e3b618553994ca8a2532454a75a3a7a4f7d451298e74196f23519f66ad9af19c

SHA512
c1652ce0bdf9b552bfb743f17a6cb770654fc99cfdac1b842005431275b183c4cb6efd588973651da6c75a15dc373997b997bde7f2d11506eb8dfcb724c0ba0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
fd870928b9f06f53e819c179838a7760

SHA1
54f1591bf4e363405700bd71f6d07b49610d9a75

SHA256
42a94446c1bfd6d3d3455421a3a09e33a5d060af1184db174b99299bc328d3cb

SHA512
1a37bc89989713ade00a5e92c9db371b7040a37475173b748173e0be7d02800378693a6824cfcccb807ffb9fa3f50cb3368f45bb33faea684ea2ed62c41e2ab2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee5fd9ab8cf29ada900095db48f986bb

SHA1
2902866ba89394ea4c7e6e56a82f74fa7fdc7de9

SHA256
7a399ce5a3bd5ab33e10b1c2bf825bd68b097b9fa755a1be0a47cff81636388b

SHA512
8572caaf3254e9289a1e9724dc87eb24ccbf08a1a35c05d01fb3a786ea43a44b362d0fbe89a9d2649bb21bdae07c594b11832fa35683ad42aad3b339f3a22e0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
01526cd00b08fa43828c75bce6073466

SHA1
4eef846e38279bdb6e634c16c46ed84cf0f58f0b

SHA256
eca3675af6bbfe45f26c05f2ab36854b3050898c696d33244336e8312d4b879f

SHA512
525cb561b60c4a465133bac3d86dd5a29b58291cece81319eb0dc5d09a9bc8517c150cf4acd01243daa2e1456892e0d5344ddd519c99a66851f4e341cbab69ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8217d464f2198695dfbcd6f94121a541

SHA1
0d64a095ed392144c22c83b002e39446ce09fdf2

SHA256
4e2a2add92bfa0aacf554669a2160aef9f9c5b19c1dc62a74fecb4d434871178

SHA512
b3254424d85b1701039b2f63be1ff3213098e3ee3101e5cf2c53e1b934dd9013dc8d8185283fc475022c576fb17d512afbc03f411e9325ae58c5303d749f7e72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed1cc0b17f1dfa8726ec359f01e52da7

SHA1
065b9c36e9304396221bf75803455971d9a27310

SHA256
22f516c30a43ce250b72ef18d3d9730a412085d33855db827a7778a013e40d26

SHA512
0667c3bea35b4bcfbdd8ecc603c87932f3dba7005d9717b75b4d85ab2a35fae695f7aa9f935838f14f031ce842ce5a7368f48835d6ac7b9b01d19105346a36fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
326edb3c0f26c074e53f9322e2509192

SHA1
d1b9803129256df153c01c1a7eae57c2f73d29f7

SHA256
e4d831c1efe751d7aeca8b7cab79ec8c0204091b234b0a2aea009e3394f643bb

SHA512
1be4f0c160631713cf1528bd74b99ab499fae48c2d8a5d2b863105d7d0cb4c8daeb61b6fdb964a3199faed85e1273a65cc2036397a77a5af5dcbb5783fc8a2e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bc3921e5b17402f2cdeca66bfbaa4f94

SHA1
3c040b70a36f4a574367b90cfa3be1951006fc43

SHA256
a8965e373e3e5b2d9c40feb00cb0888e4b6da62065e46ddc6c6f46897164e5b8

SHA512
c978b15f02097ecdfc75ddc06964ddb053bfb1e87ca57623a7f0bb57bb4a7b3b4a15a8652bd34b99e5516dc490913748380d4fa664329255eda2b2af69aa2125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99c035d37c3e3184b7003f7429a08e82

SHA1
6f98fe539c45e5c95c8c951a2e1052f4f8d3aeb0

SHA256
59c30d6e3279658da06da7c1fbeff6326cec96d7ae39b13716d868e92a4040c5

SHA512
704e9b249c614ddaf93d05cfd0a7e5f3d204d8e100586235427bb88cfe55e1da9e07812c568a0ec5fec5ca156b938cd0d5161439a6c2041a2525c078754ad794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
623f12a1ddf3f8254d559558be7b79d5

SHA1
71c5c168f30663f27c78583f0017a38d7281b6e1

SHA256
3aa9dfbc92d02759a73af79ce220523eb7ce9a693b6eb6d500f0c930eb39181e

SHA512
e403918d22d1aa8d51f849fc4944f3f92760f2b1cd6c02c934a1534f042d0f4caf2c29daa42c3d975ebb0b569047debc1521f845a2494a24fe65ad6edec2a944

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e4cf4517fa4e40dc8a7a8a3109f0f13

SHA1
8988bf54cdb565718d71c7305ee55f7ceebe0b07

SHA256
bc079ae3572e0a7e366fc6f44b9eef14a26e82a2d115abf8102815faa279eef9

SHA512
0f92e63001a007516a7b98bafaad5e4c79ebc70d01e35361229b067b9111ea26a839dadbcab562366ac12747e841269aaaccf734d2ffc3a3fef9f89d8bdeced7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2be69883c426fbed89413fa325f658f1

SHA1
6f48d05e7f6c77755479e912eb091d616996e28b

SHA256
e5a39329d39aa0620e2fc1b33629e22f01496bd1fd3c2c22d20979e8cfb08ccf

SHA512
703847cce8167fe91be0a8fca00e95d8f85d488817472015266a4b5a6f425d2eed5a3183a7f58c904acfbf4b6284dbddf62f8e98acf79c3312013068cbd4d558

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
156ff75628e8bcb88b036d5a5d43bbfa

SHA1
a06c0971c3a857f4b201b92568880c3ccb9ffff0

SHA256
8da3926d7af7b520991b81273862eeaeddd29dc760fb21ac286970b1d294b8a2

SHA512
7292a96f2e0decbd3d1e54d2817ac1bff71fa22c92a706e1ad6bdc72ca4d0bf03a8ec7f9e77014c9268a6c6bc8323f0c37bd5eef68c6f9e6a70acea9206a33c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
cd7a2a1b7160a6f1329bbcf595013989

SHA1
150cc9bb2713cb59c64f8616de206aa6801f4df8

SHA256
edb0faa80b0c6636654b165700c3672cc1b69225784b48d4d3fe7a04d832a7cf

SHA512
9eb2816a7aedaf96e8cc1470dfb6fdebb18827153ecd91d799fb33bbe66a45cde31cba297cfc37da019a2fbaa66581d2b69fd53a623fed1592fe442bdb9294cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
d1e24d76cc62ca20d3ae4edae234f117

SHA1
d12fd81edb5d519db64f3cc7ff1e6aad2a80837d

SHA256
05577835e99ef97c8232f1d0e36128110b3f62d70cad7043f438ac4abf0dc3e6

SHA512
868d74c03fbe66eb860b03f70521151a4f7070da46aae32f7935541d5a8726c9d4138cc724b821ca14513359560add2ca6d44e83415453b8f2c17ec01fb1db14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
f7ebdbdbef50d3f05bf920ed31b22192

SHA1
1ed9eba2fafa066d9fae09c13d5b1e21d33e901a

SHA256
3b77346bb39988e69e2a3a657e0b0e4c1b707150859b9f4da6d7c894b5f427c9

SHA512
f4803fd98bf86e0df974e644e24745649ba3b859c591d3ebef44a19b9c4c8a7b807ba34e465ea6c99815295f0e7b6e9ff359ddd92f8524f393cc928d12df3c55

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
c27e45978dab94d828a1d8cc2e62cd80

SHA1
527899979551b761f0615df07b9d68bc5b7471cf

SHA256
3b20a2dca276302585bf05479af02e06425a00ae8063ec09feabeefce1439457

SHA512
f3d4b4ae3852d7a0e79b551f9dbfff2dd3bbcd7eef347f6f9e2fa46f24a5a8ad195e06bed0c4f0f88f889ba1f436e4e4872b6d87e4780a2c6f9b4895561b8e8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f8a41141-f24d-45f8-be5b-6483683e0159.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\690ecc6d

Filesize
1016KB

MD5
27750f19f93a38e4ac51abeac3c33b18

SHA1
8c32900422f2b28133a5dab2a0901d43bb31c5e7

SHA256
4b4132fe3129138f4ad09e810695bd8b9baad5aadfe72102571c999cf2dc1a13

SHA512
7bbff3d2b0afabc8f1b89110fccbd888ff77fe0b56b95070d3140fae0d6d1b4048fadc3ced7dee1658b7ba2664b7b1b75e03c003ab48e171206d55b215309f34

Download Submit
C:\Users\Admin\AppData\Local\Temp\c399c1bf

Filesize
1016KB

MD5
5f5a261b6e5880363f18eeaa5c74d17f

SHA1
ecebb41526bde2be68f6df84de319668385e577f

SHA256
7e3c707cbd21a19be31767bad5a5b2bb2e7dda8bbd2a553ff0baf91a241ab274

SHA512
b43b7ff615f50a513c0566bfdc8d2c22afed224dd521d3c49b0dfb7a0ff05d80123911a37fc47ad3d12538a1da72d70e1b2a1168324b823b0f034f2b5b5d2244

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0𝑅D-7093__Sat-Up@!.zip

Filesize
24.3MB

MD5
fc9409e5459a8e074b8663b875725f8f

SHA1
9762782564b9aebe97fb63a4ac2aede793c0e6eb

SHA256
bf37065a1e0336445e708b7e99dcee8e53758f35d58496e193bdc6adcf910977

SHA512
c8a4aff5821b72335d6592e54f9a323465f9f61a515a3db8650aad239cfa22948e43dac4fb73e4f112335666a7557cbc15df52963ace262d939ebe82015307c0

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0𝑅D-7093__Sat-Up@!.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\#Use-7093-to-0pen!.7z

Filesize
24.3MB

MD5
6483f3aa31e0eb9b988e092eef4ddf6a

SHA1
3220e78b4278ee9a0912f53f9a1fb423106312c7

SHA256
21ac04b5927be74b8f96aaa720697ef60e4aad86ff16bdf10b4210370aeb320f

SHA512
962dfb4526402530b81453e56bf1017a6bfb624063963121adb29cb58748e8980a917bbe7383e540289a5801c94deef239f577736f127a2ac71e4f943845bc7b

Download Submit
C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\Set-up.exe

Filesize
1.8MB

MD5
098ac4621ee0e855e0710710736c2955

SHA1
ce7b88657c3449d5d05591314aaa43bd3e32bdaa

SHA256
46afbf1cbd2e1b5e108c133d4079faddc7347231b0c48566fd967a3070745e7f

SHA512
3042785b81bd18b641f0a2b5d8aec8ef86f9bf1269421fb96d1db35a913e744eaff16d9da7a02c8001435d59befb9f26bc0bbfa6e794811abf4282ed68b185fe

Download Submit
C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\WebUI.dll

Filesize
15.6MB

MD5
cdf6f41dd30c6024085b4d16ac265797

SHA1
befc48b8bf7fe9e005190ac242835acda96efa68

SHA256
2326376afbfacb1d8067bb924cb5e9588b4bcfcb1f11c3c555cf1272c0307e76

SHA512
deefac51048876fb38f5b49eee7235b958c86722dd8f39697340e64d091f2a94b7381ca557add09a90713b7dfc5989a12c6a77d6ee382265bb01433078ce3f4c

Download Submit
C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\ajq

Filesize
779KB

MD5
d4c0c5c3498525dfe1a1e467d04adf70

SHA1
1fada9db19e76219a2a1ef23286458dbd4fdf6aa

SHA256
2fe1ce837938166c23fcfd05f50c3337ec8da80e452996f11d7f2e419db29099

SHA512
20d8161b0eabb601340345224388598ffb46e5cf5849fa3b61e009dc2bcc05a7b744c97fbf3f10a00532be1055e54aa66b01a2a09ee0f8111e790a20b498632e

Download Submit
C:\Users\Admin\Downloads\#Use-7093-to-0pen!\SatUp-Here\xlnwtea

Filesize
15KB

MD5
20aa873838ff8d9e189b8a3a6c77dcbd

SHA1
bbdcb50777870c61b76034291e10d4c06f10e643

SHA256
52ef82bbd07c36431181fd7311f1a7fa5de07401cba3ab2786220356f34b56da

SHA512
db0a6736912900db9822eeecc88e1f953af128b32b14f02d76262f2195e065088279f44302967c40e67a1632967a55579191f3ffb3f6f79c84107ffa9ef432b9

Download Submit
\??\pipe\crashpad_3332_IWJSZFKYPOGWQTRY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/604-551-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/604-552-0x0000000072D70000-0x0000000074C44000-memory.dmp

Filesize
30.8MB

Download
memory/604-562-0x00000000729E0000-0x0000000072B5D000-memory.dmp

Filesize
1.5MB

Download
memory/604-558-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download
memory/604-564-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/604-557-0x00000000729E0000-0x0000000072B5D000-memory.dmp

Filesize
1.5MB

Download
memory/1068-642-0x0000000000750000-0x00000000007AB000-memory.dmp

Filesize
364KB

Download
memory/1068-643-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/1068-641-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download
memory/1068-640-0x0000000000750000-0x00000000007AB000-memory.dmp

Filesize
364KB

Download
memory/1208-607-0x00000000729E0000-0x0000000072B5D000-memory.dmp

Filesize
1.5MB

Download
memory/1208-597-0x00000000729E0000-0x0000000072B5D000-memory.dmp

Filesize
1.5MB

Download
memory/1208-609-0x0000000000400000-0x000000000061B000-memory.dmp

Filesize
2.1MB

Download
memory/1208-582-0x0000000072D70000-0x0000000074C44000-memory.dmp

Filesize
30.8MB

Download
memory/1208-581-0x0000000000840000-0x0000000000841000-memory.dmp

Filesize
4KB

Download
memory/1208-599-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download
memory/1364-625-0x0000000000820000-0x000000000087B000-memory.dmp

Filesize
364KB

Download
memory/1364-626-0x0000000000100000-0x0000000000128000-memory.dmp

Filesize
160KB

Download
memory/1364-624-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download
memory/1548-606-0x00000000729E0000-0x0000000072B5D000-memory.dmp

Filesize
1.5MB

Download
memory/1548-566-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download
memory/2372-614-0x00007FFFB6340000-0x00007FFFB6549000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads