lumma | hxxps://www[.]mediafire[.]com/file/1xyikgf2xq8vmss/Codex[.]rar/file

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/1xyikgf2xq8vmss/Codex.rar/file

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://uncertaintyrestsju.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 5 IoCs

pid	Process
5432	codex.exe
3136	codex.exe
6092	codex.exe
5316	codex.exe
4216	codex.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5432 set thread context of 4860	5432	codex.exe	136

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1012	msedge.exe
1012	msedge.exe
432	msedge.exe
432	msedge.exe
5556	identity_helper.exe
5556	identity_helper.exe
6104	msedge.exe
6104	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe
2616	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4928	7zG.exe
Token: 35	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe
432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 3288	432	msedge.exe	84
PID 432 wrote to memory of 3288	432	msedge.exe	84
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 4496	432	msedge.exe	85
PID 432 wrote to memory of 1012	432	msedge.exe	86
PID 432 wrote to memory of 1012	432	msedge.exe	86
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87
PID 432 wrote to memory of 2360	432	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/1xyikgf2xq8vmss/Codex.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdb8546f8,0x7ffcdb854708,0x7ffcdb854718
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1480 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7592 /prefetch:8
  2⤵
  PID:5300
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7812 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,17472021626276715339,2609748961966666523,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6104

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap3826:68:7zEvent20581
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4928

C:\Users\Admin\Desktop\Codex\codex.exe
"C:\Users\Admin\Desktop\Codex\codex.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5432
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4860

C:\Users\Admin\Desktop\Codex\codex.exe
"C:\Users\Admin\Desktop\Codex\codex.exe"
1⤵
- Executes dropped EXE
PID:3136
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:1128

C:\Users\Admin\Desktop\Codex\codex.exe
"C:\Users\Admin\Desktop\Codex\codex.exe"
1⤵
- Executes dropped EXE
PID:6092
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4464

C:\Users\Admin\Desktop\Codex\codex.exe
"C:\Users\Admin\Desktop\Codex\codex.exe"
1⤵
- Executes dropped EXE
PID:5316
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:4988

C:\Users\Admin\Desktop\Codex\codex.exe
"C:\Users\Admin\Desktop\Codex\codex.exe"
1⤵
- Executes dropped EXE
PID:4216
- C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
  2⤵
  PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
22c177b415e5b4c745b87c85bbc6e873

SHA1
06e9ef83cdb3d7dd6fbcf6d38fa2a59c3c62fe03

SHA256
73625965b5167cb9face7656d06a5af2712a1e9e68ceb87fa3e5b8fa42cc4103

SHA512
64a6dbfff4179d9bd550773b0a3dbad750c55a25788d6ebd88293383684967dcda505c941e601442b0f61374c006877521345510db3d35b9d440dfcda658b6f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
f3db71bdbb4cc4827f58426bb55a83c8

SHA1
63c6d99670295144789bc42dd80a4de6b7bea8e7

SHA256
d4b4f24fb8cf43fbdd137dd64977dea695f450e716c933179285a69a343eb5bd

SHA512
b681a5f140329e33391fdfbe3dd27f1130938f15415ac7f6c6327fa0558e61a0195c5a03f376c56101d4e2278f36cf274f76287f886099dc251180902eba878e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e53a1e2cc4bd80814f3155fc30d58e1

SHA1
b60bf07e7e416352c65d9087f98c38c316de5458

SHA256
71849b160520ff62f7b08cb6e452f65f70f011a00b2724751a74e39eef6af764

SHA512
b492b4140960f2fc8344c74db5986ebe83563d07638533e20a993fbdc254853a9aa266d4407c42921228e30c347456e8e08455ee341e03873480673f0dc36b1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
23457981dc4381c8104322ee3ae7b261

SHA1
87fa4561881c06ee1cb829a686deebd8ea179a4e

SHA256
9d821a76436aa041235e51998138cf76cd0e322433bf5b04710fd1c73cbd08fc

SHA512
040af6ef9008a735026f251c305d55db033bee71082f359d08d01d61c02dd07b88f1396bfb7b15c5b23a06660fa1366e7081f2b762baeb188da87007086c04c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0f169170ce8bbf609d905ba2941a21a6

SHA1
2f1998a2c2435cc61aadf3c08a364fe28d147de2

SHA256
da330498211e8db3894baed3b4e8160ee41b799caefb940c146f2e32e3242fb3

SHA512
8e1352512cfcd1b10489c228596c4a7ae800f91edabbb0e17be665945752acee535c24b0a9678d809df37d978f24b55cf6785b06c19a1abd279efd9c4645988d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
15c26c792843a85e90bf8536dec63a94

SHA1
151d9e9065c849f169a719c01143d7b0815eb3e8

SHA256
5cdfe31d20810858b2b5cdb857be044d0af10acc396ceb61f05beb3ec8bae7a3

SHA512
bf582846fc5f2c6447ddc3621f517561dff577f43e7282a435abd4bdb61e073eb268d0c5771b28025397ee659a94c25962246906634299c42bb00e9e277f36af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
21ddf4943d932e53130f55760c632baf

SHA1
d95a5a9b4bf20e610aacba29064958341cc069e9

SHA256
66eb396359a0f6a7104fb7517ef5da677ec1175fa13c3f15dbd2454ebfd445f1

SHA512
c407298094eb54e652be14a276213601dc3cf3b0cf67e1bc4c7980c184746c8c07b1aaf1366c09c0ef6b61f6e8ba03332e84ff603561277bc3f0b2f177100f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a1f24c5536111349e8747c5e3227fcc

SHA1
7c2401ead1826f37ad6919164f59dae5144023e3

SHA256
d680522f8b4013f6611805eded16f78b87d90b82ec60dbcef6cfb8dc50ca92ae

SHA512
ecd1ddd910b04d24a2fed25e4e4bc36d1e9e8bc9cfdc604f46f5a7d9e5000fac8e0ba8c426f2aa5d276b0ef337d92c2c46f36331c4cfbfceef96923e44215f30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63abd7b0d2e8ecf4526e4122c62886a1

SHA1
f3c381fd1ffe7cc50385fc796b8743fdd8ffde9a

SHA256
9a4cfa545edd43b113705356bfdf2cb0cba5620d93517675d857abc9d1e93f40

SHA512
26c45b788bf3b9ddb5d85782723e517e13b797466ff61724494da429f1896105e39f7afe85caed690cb253ec36bce4ed588219ac6445d0dd949ced9b34e1d784

Download Submit
C:\Users\Admin\Desktop\Codex.rar

Filesize
13.9MB

MD5
fc0ee60f3b1ceb5bd73d472caa455718

SHA1
56efc77a3bf49917486df8c762da27041c64a06d

SHA256
01c02aac58b261e026e1567d770a4fc21a00b8deb5f8ecbcee458451de5ef820

SHA512
88ee11bff17192856882eaff6c13e31f3f103487afa633cad329146e7a17eb27ed33468f7dfba0cfeb57d1d95f6930498c8292d3ec24ec75399b56858461723a

Download Submit
C:\Users\Admin\Desktop\Codex\codex.exe

Filesize
13.2MB

MD5
8a2a2799cfc30673f86ca720ba059723

SHA1
49248c8b0856d6454f90f0dd40f9a6d0e821140b

SHA256
798c0fdaffb1a7d10daa9cb9ca659c4f565d9e0bcc6681c8975174d54be08f46

SHA512
4e5f16422606af7bd49324f67609044549fc0d438b32ce601427a951f3508b65084745d62fbd038a182bac0a6a4d1e31fd4b859b85748d3340aa0545e8709db9

Download Submit
memory/3136-351-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download
memory/4216-419-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download
memory/4860-310-0x0000000000330000-0x0000000000386000-memory.dmp

Filesize
344KB

Download
memory/4860-312-0x0000000000330000-0x0000000000386000-memory.dmp

Filesize
344KB

Download
memory/5316-353-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download
memory/5432-307-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download
memory/5432-311-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download
memory/6092-352-0x00007FF7636F0000-0x00007FF76448C000-memory.dmp

Filesize
13.6MB

Download