lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Analysis

max time kernel
1156s
max time network
1160s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
30-07-2024 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 1 IoCs

pid	Process
436	main.exe

Loads dropped DLL 1 IoCs

pid	Process
436	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
25	drive.google.com
26	drive.google.com
158	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
752	436	WerFault.exe	138

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
316	msedge.exe
316	msedge.exe
4384	msedge.exe
4384	msedge.exe
3004	identity_helper.exe
3004	identity_helper.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
3676	msedge.exe
4220	msedge.exe
4220	msedge.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4424	7zG.exe
Token: 35	4424	7zG.exe
Token: SeSecurityPrivilege	4424	7zG.exe
Token: SeSecurityPrivilege	4424	7zG.exe
Token: SeDebugPrivilege	1188	taskmgr.exe
Token: SeSystemProfilePrivilege	1188	taskmgr.exe
Token: SeCreateGlobalPrivilege	1188	taskmgr.exe
Token: 33	1188	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1188	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4424	7zG.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
4384	msedge.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe
1188	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2016	OpenWith.exe
2016	OpenWith.exe
2016	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 4796	4384	msedge.exe	84
PID 4384 wrote to memory of 4796	4384	msedge.exe	84
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 4580	4384	msedge.exe	85
PID 4384 wrote to memory of 316	4384	msedge.exe	86
PID 4384 wrote to memory of 316	4384	msedge.exe	86
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87
PID 4384 wrote to memory of 4820	4384	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff91ad46f8,0x7fff91ad4708,0x7fff91ad4718
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2644 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3724 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1764 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,17054152687292691704,14680165084883148060,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:968

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\install\" -spe -an -ai#7zMap16940:76:7zEvent31083
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4424

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 1188
  2⤵
  - Program crash
  PID:752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 436 -ip 436
1⤵
PID:2432

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
408B

MD5
3f2c739de0326fa87ad4776c6bb146e6

SHA1
89dabb7c6d48994493115940bd3c901b32607ab7

SHA256
9720605193e08f98f40f741cfd269247008427fec3a8af300539e624496e293d

SHA512
d0f430edeacca68bd7429cbec5a3981499663ea7183ecc146a9ff8bd48dd90004eff87292fab4c58621346f71801c3f7a9fe051e3d6b1da4640de79b47cfc3a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d90c62c0d35add54a15d39e9d13dc4cf

SHA1
f61f7a244d25277b98360d131567ab910b54f80e

SHA256
638b9845f462188f44b5f115e0a5fe557cbf8aac19bf2ce580c89838483f91b1

SHA512
3a748e0522e96a6bf346da8b81894d99e2fe080ea4e358759c164411ace91ede01e4ee8b3da0020eb26b81d2eca7bddfd7e417bb65764e1f0d38116a96bbc2aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d5eb8f77a572cc28956761f5b86bfafa

SHA1
134ba44b51280d762af414852faf90cc76ab4c12

SHA256
829e0a5fb538615d9a7f9752f14653d9b34190f48b517412677f116d8ede57e5

SHA512
9ce2fc173d67d0988df061acf31f60eb4e658cff915d72572da1637aafed6c73fa64e3dc8458b860640da4ca6f46ca7d7dc9aea451b0e5f458c24d29ecd1e11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b1e733c1ba6fdd73903b5f0b05e6acb7

SHA1
fd45ea778d861eee164f75b0ae645ac146acaff7

SHA256
6fa54543f66fa9e44ceee7f00e1d67c60056158168f56c4d486867117c9d5725

SHA512
c4ff140a16121b44521351a06dd3b30817d3ed5464fbbc73e545e26e42dbad634470dc3ce6d540fae16bcb277512b1ad273e1f3ee5e9c26dda2d75b05421ad98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a57e72af3fa9570732da7b60bbaa4d8a

SHA1
d87127f6f3b296158c76e427d600062102b096a4

SHA256
0650c215649fc9c0ef32d9c0c48fa6d94325a2286fcd2f41e56cd3e06db4cbf7

SHA512
b75ae353e4184ca0ef92f1cc193adae756c80f0ecd814d5265218815cde801f308e2ca4a5064f1d1583ca89c93debeffde59c68ff9b67be65547249c9ffdf998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
13a364397bcc0d13951eb27618a4f513

SHA1
61ed83b71afd8b72330abf8c7887b80218b672c8

SHA256
5e8a28b60a1d0e3ff3b92bff68e657eefa02d0f33e5d8121a01267b4bacbc16b

SHA512
030858512be4e763c97ff4f78fa9dc191919de91cba000e9c471e5e4a88aa93af50d7c6ec3dc5eeb60071b90028c0bd335e432e1ee234df2621e6e063a31c299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c8f534f56a36a563e48331453c2ba072

SHA1
ab36f58c6df0bdebf185ce21fcd83488b24b46cc

SHA256
06ffd00c7b032e92cc756ea35dd4ed75b1e200c17fcca1d3a267b8f39613cc23

SHA512
ed10ede41648a50a7e8ff52b0ec98f24f02ccc8d2f2b04224a11d899ea516add14cef824ec0dd557d2ad08a4530fab56e35a1bf871cef793f647cab74952769a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
80faa94c4e2c37501bef14a32103ae65

SHA1
71e75eeb2450f55adc9d683ed0d6582e621c9c18

SHA256
f743ed3e09b5b91d338c664355cdf1bb0b9ade7ecbbf5e060af6ccc01e8ba298

SHA512
5196ec1b20949a1b26516bc198e6733fe2f76305f650f4f97fd2d5a2f320e908f071ce7e540e622e424651a3af2ac36c3205cc287caf4d6797b78b0559dfd41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
8fedb1ab856fb710ae1651cb291917df

SHA1
3e1d40d4eaecebab99641aadc09d52273fa0d47d

SHA256
04f0575b47f707dcfd0e5f9f7f1d15774a1c2b75ca7561edb797abd6c2fee6f0

SHA512
6fc7afb73f61e277275fcdc5c35bb41b79053f470068ec30ec2de4741bd6c169070a8ba2cae26d610d1357eeaae2296ab9b997374817e5c5acb9db72a23e0280

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c0539d3779450d374a5ce932eafd3440

SHA1
aea5f4e19c01eb4fc384c7315223af522b771ba3

SHA256
38b1f25cd70a52fc1d59e36882770642459c62080996e3058b64f2960ce66e0a

SHA512
d843478602b1828328a7ce87ec92635b223752d5e4c2f6a7568e3d6a6cbdf9e1d5b4ce60f658445a19f8f1ac0355b831911c8adae49f98cff765c1ceffd8040b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3612d76bd4f782404103599ddd46aa23

SHA1
7fd6344d6bae6bfac81814ebd30316eb43c4cb7e

SHA256
96b009f54afb321fd72c27ad22b8fafab3192395ffce6f11cc7f29ff8026b4e4

SHA512
1d68cb3022a140936a0026552900f6ce2cd88cba295520793a7f2f5efa167d3d49c70ed55f27217001e3217c9e31cf6f629ca1f1543281fb22dfd53e74492c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e5831be84a10ee87c4930da9109a4d09

SHA1
8397082c8ab4724ed81dfac58db72002b76fdc3d

SHA256
513fbde66876cfdc6e0a96430574981e761f64d2fe8bef8dd42986464555b175

SHA512
81a9bb5dad335ee99b036461cf6ddeaaff076fe103ffa6b3f0b5265c7e5864bc37210b4d7b96607fed2452b9ec8d425ad36252b2edf5397cc02b29b619ffc896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b76051983b2e471600dd4e63b343ddf1

SHA1
1892905578f7a069a70d1fe8581402be7635694c

SHA256
c83f53a6988ef8ef5f40d58a7eb4c8054ce0a25bf8f49a66f1d55494bd5f579b

SHA512
221d82741f4317b03db7780df025dc8ec2d1141c976811d2dfdff7589e37827dfb14df334ab662338755b330803d85cf700ce2497289a826401e69633239a186

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d0b0b97a4cbbcf755dfa7ca241ad29d

SHA1
d855a67f6892d547aa52ade71c4da4784c6dca71

SHA256
18d11745fcc7084bf1dee8680df89fc0584d494aa2befc57087eb68ce973ac93

SHA512
c25c4699c58a443bb6a622a81753ab0cb9cad4dffeb0696c35f19db673f2f6ea33417d2395b4c43aff0f0b221bca31831cc1a779d34da6476eaa50c8b9a1becf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45bab829a3578f5b25d7cd5c18e85cac

SHA1
434ee826faa6b3f9c5819e50350690aeb1591883

SHA256
16b84bb561b3ef4adbba7771f6995445aeb1e2b5aad59a440f35390276bbd939

SHA512
8dcfdd555a489db1e675e6431b4c5a763ee3f3518929229d58adb2f086555eb3c6520f57821e3118adcee09e35297b5ea3b0a8431e278173cab80b8fcd01899b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b55b6002a7c147fb185cd266f05f89f5

SHA1
c063c2c43a0d9cd1da4dbfec8413932bd794c3ca

SHA256
ab5500cac200e7d5d873eedebc2237ad86c4137a26a4555515b5812fde25edda

SHA512
af3982fcafaff676e439ac4ad837ff19400c4ee3decc4ba74093675afb56c40fcb9a196035e4d89990b431a6d716805787e9cf78bad28fa56cf52a6e115d7fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dc39d65265f8921537c9f3ffb1a1746e

SHA1
1efa1b5d64c15cb6ab37311becc081cb01702b20

SHA256
cbfc6190983a2b4f75c8842761322c5bfbff9ea7ae77573a94d3012fe55ec4c1

SHA512
12a548f7a202f0ba8be7f12d02d22923869297c6d1216fc7ec7ec5ef82c55d94251263675eb962c7da45d2d61586965ff255d605e5430607c6cdcff8e68d46ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
edab2b51f3f88d55b7b28b271c3bd5e6

SHA1
efa1465f7ab966b2f7a88a966bb70b5c1985ce59

SHA256
d7f62f1b359e2d24f85c2b8db2fb559ce09391b465beeebc926b9d06388960db

SHA512
89684be4fe876ab16eec9ba7f9820573ef0377fc4c36d8858d44294d40dff407eab72f0eb3328ce9659e7e4540821de21b19ecfd56e2bbb834ae94373c663c39

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 230173.crdownload

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
memory/436-290-0x0000000000A70000-0x0000000000A7D000-memory.dmp

Filesize
52KB

Download
memory/436-295-0x0000000074FC0000-0x0000000075124000-memory.dmp

Filesize
1.4MB

Download
memory/436-291-0x0000000074FC0000-0x0000000075124000-memory.dmp

Filesize
1.4MB

Download
memory/436-292-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/436-293-0x00000000007D0000-0x0000000000825000-memory.dmp

Filesize
340KB

Download
memory/1188-314-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-315-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-306-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-312-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-311-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-305-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-316-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-317-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-313-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download
memory/1188-307-0x000002C2C0440000-0x000002C2C0441000-memory.dmp

Filesize
4KB

Download