lumma | hxxps://drive[.]google[.]com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Analysis

max time kernel
145s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01/08/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://flyyedreplacodp.shop/api

https://horizonvxjis.shop/api

https://effectivedoxzj.shop/api

https://parntorpkxzlp.shop/api

https://stimultaionsppzv.shop/api

https://grassytaisol.shop/api

https://broccoltisop.shop/api

https://shellfyyousdjz.shop/api

https://bravedreacisopm.shop/api

Extracted

Family

lumma

https://horizonvxjis.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma

Executes dropped EXE 2 IoCs

pid	Process
1028	main.exe
536	main.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	main.exe
536	main.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4484	1028	WerFault.exe	114
4916	536	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	main.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	taskmgr.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
808	NOTEPAD.EXE
2684	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
336	msedge.exe
336	msedge.exe
4380	identity_helper.exe
4380	identity_helper.exe
4940	msedge.exe
4940	msedge.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
1460	msedge.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	4392	7zG.exe
Token: 35	4392	7zG.exe
Token: SeSecurityPrivilege	4392	7zG.exe
Token: SeSecurityPrivilege	4392	7zG.exe
Token: SeDebugPrivilege	2148	taskmgr.exe
Token: SeSystemProfilePrivilege	2148	taskmgr.exe
Token: SeCreateGlobalPrivilege	2148	taskmgr.exe
Token: 33	2148	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2148	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
4392	7zG.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
336	msedge.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe
2148	taskmgr.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe
2180	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 336 wrote to memory of 4540	336	msedge.exe	83
PID 336 wrote to memory of 4540	336	msedge.exe	83
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 456	336	msedge.exe	85
PID 336 wrote to memory of 1312	336	msedge.exe	86
PID 336 wrote to memory of 1312	336	msedge.exe	86
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87
PID 336 wrote to memory of 4532	336	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1fwJdsnnK8CE52uB6ttf5BOyA6_zlBL57/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc5f046f8,0x7ffbc5f04708,0x7ffbc5f04718
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6432 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,18076605698438271624,836901417118451671,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4840 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3844

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\install\" -spe -an -ai#7zMap22970:76:7zEvent4853
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4392

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\install\Tutorial.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:808

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1028
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 852
  2⤵
  - Program crash
  PID:4484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1028 -ip 1028
1⤵
PID:216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2180
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\install\cr.dll
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2684

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2148

C:\Users\Admin\Downloads\install\main.exe
"C:\Users\Admin\Downloads\install\main.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 1144
  2⤵
  - Program crash
  PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 536 -ip 536
1⤵
PID:4920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea9ef805116c4ab90b5800c7cd94ab71

SHA1
eb9c7b8922c8ef79eef1009ab7f530bb57fbbbea

SHA256
bff3e3629de76b8b8dd001c3d8fb986e841c392dfe1982081751b92f5bd567b0

SHA512
8c907d2616ce16cfe08ddeb632f93402e765c5d9430a46e90ab5ea32d4df0a854c6007b19f9b0168254ab7aadf720fed8c68d1a055704db09c1b36c201a9b3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
347755403306a2694773b0c232d3ab2c

SHA1
94d908aa90533fcaef3f1eb5aa93fee183d5f6ac

SHA256
d43f2dd4ac5b6ba779100eb8b84bc92fc8700bedcd339a801c5260b1bb3ce3bf

SHA512
98f1fb18bc34dfc224132dfa2a2e6a131b280b25fcb516fac3bb66da2a47c7a7061124881de6fa5f65602663dc0ea71357b171a3346bb1514176943438322253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
8ecb39562e247a227df9eb6c03abe346

SHA1
de61c8ea24251b55cefb8424f8950dd7e4f841cc

SHA256
3306bfe80aa2289829bbe5a9e51bcf76320c80979243caea91dab7be3dae0ba4

SHA512
630fe50beea85b57132ed06552fc41a2ca2060e85175ef318fe442a0bdebc8c3374326e00fec59216023b5b9091be91bf8a7ad0f9ca69ba8ca8acdbd6c1b00c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
eba203c9bb85b889f3f21de79f3b07c0

SHA1
c00567891d3d1dcc334b8635069cffd44e4cbaf3

SHA256
f863ce4080b23ed9c7d69a8aa493f6856635310142e80138b7f2f55ac3cc5bf1

SHA512
4a8319cb0aaaa3c0efe6b37fc92330cbd413e6d960e97417de568b8ec18df8538181a15397a44c8342a9acd172b4979422f54d85f4ea67972575eb29743250a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
349ccd52ec6cda29b3f9d562145ff9a9

SHA1
98bea2e546234b75fea63a72a0b47a2bac057d13

SHA256
1dd0b1e0235c9b589f4e9e4ad8bea04e4e74ca39e97bfdeecf4f9f32808fdffc

SHA512
edae8de8d9da3fa80b8f391a385b9b4c2a39b924f5e313195399062f7d779cbe289a0ee7ebe61a5ad1092134977b1e0b6888467aaebcd0c37d327aeee6858673

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22a027771481a0f1f2a8dbc867369ff0

SHA1
a913e9361ebf54ed340714566b863442c761618c

SHA256
9b8f656ef76a1931f057b0604a51e62fb58e568c8a2fc514c8282556019d016e

SHA512
d7a135d1fc33d2646dbe63780f0bdc0ca321283912e34a0a49f359fe060709e3cf3eb7584c53a0f7592ecd5e560ff952acc5e0439463485e34324e1e83e9a77f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5fe15310bb2b965d88ffb4d8ef5c2d49

SHA1
455328e2edf4877822fc889b4495fc051bc19722

SHA256
a7ef6588f88cf7c8aa522a260676c9a6dba5a8574a0a0bf405a5b8c553f48615

SHA512
9c0ae168f88b79ffc27545649c6d466fce70587dedf33ca01975676ae36210c707cdcdfdc4d5812b5ba3c5f519cb96063ddb3edd3fcf75488cf7de966096ef42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
39225421416d125429f2745700209c2d

SHA1
69973c4a42ed42329eb428aa79ede47d74313220

SHA256
ab28c59d8518c415712e8b4cca9d88d9ca5d1082340ea7256613943b839aebe4

SHA512
7d3bd4867ff93c4ccc4e299b860d18777e0441783ba410be81ab865ab11d2636736503f2ba147b2e01004928a53e453bac6beba175bfd0f347cefe909a2917ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
034944130018ae43c745d1372e90560d

SHA1
f3107f85d78d401eccb0743d148cd441189ab5f5

SHA256
764f966f7d2c0d46bc2d11d744d321e5ed9deb66264477210f82c284d882cc4f

SHA512
d732e96d2c5e5c159a192c4795f1ddec65f59a54408e632e18f33c1778b61f87b84c5f5c7c344077dbd672ec0791eb4141a27feb6e28dc1faa031a7b55aa8424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
31dacb73837cfa9b4b597d6ccbc67510

SHA1
38dd55650e40eebac816b299bff905b82b05bdd6

SHA256
3d35904de7f60b7ed3c9c6e15dc2cdaac85d3f173f9e7829a4ecbc4798d3efbd

SHA512
31a3dc998f49e00193b92a79a20ab603b626e5af685ff2edee224259d8648b0523d752e4e2de7b6b3fd435c939d6694316312342c686983fd1979b73afd15c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd9cc2a91eaf10ce85a7a025c128e4bc

SHA1
45c8ac298701b9b8518c727811d1fde4c664da62

SHA256
013bed0b65be7a704f16ed027ca1138d340b761c09f84c14d8f6cdf805e27c35

SHA512
383c2b7b99dbe445186d8a8d6d18990620ec83a255d16ce2a115fadcd4274982ae189310499dcf0f610118b4ad448c0d69f5cb99f3de75000bd7d14b3222407c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 2594.crdownload

Filesize
448KB

MD5
4564a9a35d9e7e7883faa2ed3361e0e4

SHA1
79a611b96bc0cdab0bea30423814b4ad7245800c

SHA256
06ce088beb65731be6268934f89d44a00d386e517ad88f8e28a8968c0a43b7e0

SHA512
efcec8c64edc5e23a7d24610c4a7e7facd3c682eb42875bc0b19e95ffc3479749d044a78f274cbdabd4252a07ef3da567aabe995abf2f5790da139203075fa51

Download Submit
C:\Users\Admin\Downloads\install\Tutorial.txt

Filesize
136B

MD5
ee6277d8476011bb2c294156b84c4d74

SHA1
c7fcb8b2ac1a6ba858a4f72f0ae21bcf4c278dc2

SHA256
dfbf6f42ab6d461d1a7533ff30a7c81c80c58704b0933f52c79987e9f66ed95c

SHA512
8f777642a54be57c7022bcdd34005914a0b9ee38e3875ee0a26c7290b04fde619c3a8aab5119de79960fa66b9a79754296516d9a2d87150e1c34bdb0ea30a6ec

Download Submit
memory/536-234-0x0000000075300000-0x0000000075464000-memory.dmp

Filesize
1.4MB

Download
memory/536-232-0x0000000001130000-0x0000000001185000-memory.dmp

Filesize
340KB

Download
memory/536-229-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/536-230-0x0000000075300000-0x0000000075464000-memory.dmp

Filesize
1.4MB

Download
memory/1028-177-0x0000000075310000-0x0000000075474000-memory.dmp

Filesize
1.4MB

Download
memory/1028-167-0x0000000001B90000-0x0000000001BE5000-memory.dmp

Filesize
340KB

Download
memory/1028-162-0x0000000075310000-0x0000000075474000-memory.dmp

Filesize
1.4MB

Download
memory/1028-161-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/1028-166-0x0000000001B90000-0x0000000001BE5000-memory.dmp

Filesize
340KB

Download
memory/2148-209-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-210-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-203-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-208-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-207-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-201-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-211-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-212-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-213-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download
memory/2148-202-0x0000018365E70000-0x0000018365E71000-memory.dmp

Filesize
4KB

Download