Malware analysis https://crypto-whales.io Malicious activity

Add for printing

URL:	https://crypto-whales.io
Full analysis:	https://app.any.run/tasks/934be0c2-66d4-46ec-b001-0e294ab80341
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Lumma is an information stealer, developed using the C programming language. It is offered for sale as a malware-as-a-service, with several plans available. It usually targets cryptocurrency wallets, login credentials, and other sensitive information on a compromised system. The malicious software regularly gets updates that improve and expand its functionality, making it a serious stealer threat. Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests. Stealc ist eine Stealer-Malware, die es auf die sensiblen Daten der Opfer abgesehen hat, die sie aus Browsern, Messaging-Apps und anderer Software exfiltriert. Die Malware ist mit fortschrittlichen Funktionen ausgestattet, darunter Fingerprinting, Bedienfeld, Umgehungsmechanismen, String-Verschleierung usw. Stealc stellt eine Persistenz her und kommuniziert mit seinem C2-Server über HTTP-POST-Anfragen. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 13, 2024, 19:40:37
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader lumma stealer antivm stealc
Indicators:
MD5:	8FEBEAE3452C5CD2A82DCCD906D85DE2
SHA1:	D1437A0BB6AE76C339E0CDDF18083254EC265185
SHA256:	DCB0230AD9B0BEF4B0DB4EEA684D35D08F11605937C4B1BD7D1D384472C0F761
SSDEEP:	3:N8KuOYn:2Kon

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Adds path to the Windows Defender exclusion list
  - Install_x64.exe (PID: 3904)
- LUMMA has been detected (YARA)
  - 1.exe (PID: 4772)
- Stealers network behavior
  - BitLockerToGo.exe (PID: 2476)
  - BitLockerToGo.exe (PID: 6280)
- Actions looks like stealing of personal data
  - BitLockerToGo.exe (PID: 2476)
  - BitLockerToGo.exe (PID: 6280)
- LUMMA has been detected (SURICATA)
  - BitLockerToGo.exe (PID: 2476)
- STEALC has been detected (SURICATA)
  - BitLockerToGo.exe (PID: 6280)
- Connects to the CnC server
  - BitLockerToGo.exe (PID: 6280)
- Steals credentials from Web Browsers
  - BitLockerToGo.exe (PID: 6280)
SUSPICIOUS
- Process drops legitimate windows executable
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Executable content was dropped or overwritten
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- The process creates files with name similar to system file names
  - Install_x64.exe (PID: 3904)
- Process requests binary or script from the Internet
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Potential Corporate Privacy Violation
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Drops the executable file immediately after the start
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Reads security settings of Internet Explorer
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- The process drops C-runtime libraries
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Script adds exclusion path to Windows Defender
  - Install_x64.exe (PID: 3904)
- Starts POWERSHELL.EXE for commands execution
  - Install_x64.exe (PID: 3904)
- Searches for installed software
  - BitLockerToGo.exe (PID: 2476)
  - BitLockerToGo.exe (PID: 6280)
- There is functionality for VM detection (antiVM strings)
  - 2.exe (PID: 5372)
- Contacting a server suspected of hosting an CnC
  - BitLockerToGo.exe (PID: 6280)
- Connects to the server without a host name
  - BitLockerToGo.exe (PID: 6280)
- The process drops Mozilla's DLL files
  - BitLockerToGo.exe (PID: 6280)
- Windows Defender mutex has been found
  - BitLockerToGo.exe (PID: 6280)
INFO
- Executable content was dropped or overwritten
  - chrome.exe (PID: 6328)
  - chrome.exe (PID: 7124)
- Reads Microsoft Office registry keys
  - chrome.exe (PID: 6328)
- Checks supported languages
  - Install_x64.exe (PID: 3904)
  - 1.exe (PID: 4772)
  - BitLockerToGo.exe (PID: 6280)
  - 2.exe (PID: 5372)
  - BitLockerToGo.exe (PID: 2476)
  - 3.exe (PID: 1656)
- The process uses the downloaded file
  - chrome.exe (PID: 2360)
  - chrome.exe (PID: 6328)
- Create files in a temporary directory
  - Install_x64.exe (PID: 3904)
  - 2.exe (PID: 5372)
  - 3.exe (PID: 1656)
- Creates files in the program directory
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Checks proxy server information
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 6280)
- Reads the computer name
  - Install_x64.exe (PID: 3904)
  - BitLockerToGo.exe (PID: 2476)
  - BitLockerToGo.exe (PID: 6280)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 7000)
- Application launched itself
  - chrome.exe (PID: 6328)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 7000)
- Reads the software policy settings
  - BitLockerToGo.exe (PID: 2476)
- Reads product name
  - BitLockerToGo.exe (PID: 6280)
- Creates files or folders in the user directory
  - BitLockerToGo.exe (PID: 6280)
- Reads CPU info
  - BitLockerToGo.exe (PID: 6280)
- Reads Environment values
  - BitLockerToGo.exe (PID: 6280)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

Lumma

(PID) Process(4772) 1.exe

C2 (9)deallerospfosu.shop

writerospzm.shop

celebratioopz.shop

mennyudosirso.shop

complaintsipzzx.shop

languagedscie.shop

bassizcellskz.shop

quialitsuzoxm.shop

samledwwekspzxp.shop

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

164

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1656

"C:\Program Files\launcher289\3.exe"

C:\Program Files\launcher289\3.exe

—

Install_x64.exe

User:

admin

Company:

Ashampoo GmbH & Co. KG

Integrity Level:

HIGH

Description:

Ashampoo Music Studio 2023 Setup

Version:

1.10.0

Modules

Images
c:\program files\launcher289\3.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll

2360

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5368 --field-trial-handle=1936,i,8163975433772719385,13751584378607153761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

MEDIUM

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2476

C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe

1.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

BitLocker To Go Reader

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

2536

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5108 --field-trial-handle=1936,i,8163975433772719385,13751584378607153761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

2872

"C:\Users\admin\Downloads\Install_x64.exe"

C:\Users\admin\Downloads\Install_x64.exe

—

chrome.exe

User:

admin

Company:

Install_x64

Integrity Level:

MEDIUM

Description:

Install_x64

Exit code:

3221226540

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\install_x64.exe
c:\windows\system32\ntdll.dll

3036

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3188

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5104 --field-trial-handle=1936,i,8163975433772719385,13751584378607153761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3864

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=5232 --field-trial-handle=1936,i,8163975433772719385,13751584378607153761,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

—

chrome.exe

User:

admin

Company:

Google LLC

Integrity Level:

LOW

Description:

Google Chrome

Exit code:

Version:

122.0.6261.70

Modules

Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

3904

"C:\Users\admin\Downloads\Install_x64.exe"

C:\Users\admin\Downloads\Install_x64.exe

chrome.exe

User:

admin

Company:

Install_x64

Integrity Level:

HIGH

Description:

Install_x64

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\downloads\install_x64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4772

"C:\Program Files\launcher289\1.exe"

C:\Program Files\launcher289\1.exe

Install_x64.exe

User:

admin

Company:

Vidar Audio

Integrity Level:

HIGH

Description:

Vidar Audio RAIDEN 1.0.0

Exit code:

666

Version:

1.0.0

Modules

Images
c:\program files\launcher289\1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll

Lumma

(PID) Process(4772) 1.exe

C2 (9)deallerospfosu.shop

writerospzm.shop

celebratioopz.shop

mennyudosirso.shop

complaintsipzzx.shop

languagedscie.shop

bassizcellskz.shop

quialitsuzoxm.shop

samledwwekspzxp.shop

Add for printing

Total events

26 472

Read events

26 161

Write events

305

Delete events

Modification events


(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	failed_count
Value: 0
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 2
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value:
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\ThirdParty
Operation:	write	Name:	StatusCodes
Value: 01000000
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:	write	Name:	state
Value: 1
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	dr
Value: 1
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:	write	Name:	user_experience_metrics.stability.exited_cleanly
Value: 0
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Chrome
Operation:	write	Name:	UsageStatsInSample
Value: 0
(PID) Process:	(6328) chrome.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:	write	Name:	usagestats
Value: 0
(PID) Process:	(6328) chrome.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Operation:	write	Name:	metricsid
Value:

Add for printing

Executable files

469

Suspicious files

173

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RFe5e77.TMP		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old~RFe5e96.TMP		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\coupon_db\LOG.old		—
		MD5:—	SHA256:—
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version		text
		MD5:FCE53E052E5CF7C20819320F374DEA88	SHA256:CD95DE277E746E92CC2C53D9FC92A8F6F0C3EDFB7F1AD9A4E9259F927065BC89
6328	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Variations		binary
		MD5:961E3604F228B0D10541EBF921500C86	SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5052	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
5052	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
5052	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
2240	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
5048	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
4436	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4436	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5052	svchost.exe	HEAD	200	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted
5052	svchost.exe	GET	206	34.104.35.123:80	http://edgedl.me.gvt1.com/edgedl/release2/chrome_component/acaldksiunzh56452py2db5mnbpa_120.0.6050.0/jamhcnnkihinmdlkakkaopbjbbcngflc_120.0.6050.0_all_dgzfpknn7v3zslsbhrwu6bt44e.crx3	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5600	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
5116	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
2120	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6600	chrome.exe	142.250.110.84:443	accounts.google.com	GOOGLE	US	unknown
6328	chrome.exe	239.255.255.250:1900	—	—	—	whitelisted
6600	chrome.exe	188.114.97.3:443	crypto-whales.io	CLOUDFLARENET	NL	unknown
6600	chrome.exe	151.101.2.137:443	code.jquery.com	FASTLY	US	unknown
6600	chrome.exe	142.250.185.106:443	content-autofill.googleapis.com	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
crypto-whales.io	188.114.97.3 188.114.96.3	unknown
accounts.google.com	142.250.110.84	whitelisted
code.jquery.com	151.101.2.137 151.101.130.137 151.101.194.137 151.101.66.137	whitelisted
content-autofill.googleapis.com	142.250.185.106 142.250.185.202 142.250.186.138 142.250.186.74 172.217.18.10 172.217.23.106 142.250.184.202 216.58.212.138 142.250.186.170 142.250.185.234 216.58.206.74 142.250.186.42 172.217.16.202 142.250.186.106 216.58.206.42 142.250.185.170	whitelisted
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208 40.127.240.158	whitelisted
www.google.com	142.250.185.68	whitelisted
z5dy0w9re.top	95.216.241.251	unknown
09lbiq6ms.top	95.216.241.251	unknown
www.bing.com	104.126.37.154 104.126.37.162 104.126.37.137 104.126.37.144 104.126.37.152 104.126.37.139 104.126.37.161 104.126.37.147 104.126.37.160	whitelisted

Threats

PID	Process	Class	Message
6600	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6600	chrome.exe	Not Suspicious Traffic	INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
6600	chrome.exe	Potentially Bad Traffic	ET DNS Query to a *.top domain - Likely Hostile
3904	Install_x64.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
3904	Install_x64.exe	Misc activity	ET INFO Packed Executable Download
3904	Install_x64.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3904	Install_x64.exe	Potentially Bad Traffic	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3904	Install_x64.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
2476	BitLockerToGo.exe	A Network Trojan was detected	STEALER [ANY.RUN] Lumma Stealer TLS Connection
3904	Install_x64.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)

2 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

https://crypto-whales.io

8FEBEAE3452C5CD2A82DCCD906D85DE2

D1437A0BB6AE76C339E0CDDF18083254EC265185

DCB0230AD9B0BEF4B0DB4EEA684D35D08F11605937C4B1BD7D1D384472C0F761

3:N8KuOYn:2Kon

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Adds path to the Windows Defender exclusion list

LUMMA has been detected (YARA)

Stealers network behavior

Actions looks like stealing of personal data

LUMMA has been detected (SURICATA)

STEALC has been detected (SURICATA)

Connects to the CnC server

Steals credentials from Web Browsers

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

The process drops C-runtime libraries

Script adds exclusion path to Windows Defender

Starts POWERSHELL.EXE for commands execution

Searches for installed software

There is functionality for VM detection (antiVM strings)

Contacting a server suspected of hosting an CnC

Connects to the server without a host name

The process drops Mozilla's DLL files

Windows Defender mutex has been found

INFO

Executable content was dropped or overwritten

Reads Microsoft Office registry keys

Checks supported languages

The process uses the downloaded file

Create files in a temporary directory

Creates files in the program directory

Checks proxy server information

Reads the computer name

Checks if a key exists in the options dictionary (POWERSHELL)

Application launched itself

Script raised an exception (POWERSHELL)

Reads the software policy settings

Reads product name

Creates files or folders in the user directory

Reads CPU info

Reads Environment values

Malware configuration

Lumma

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules