lumma | hxxps://roxplo1ts[.]ws/xeno/

Analysis

max time kernel
92s
max time network
93s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2024, 08:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://roxplo1ts.ws/xeno/

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	bitbucket.org
25	bitbucket.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2284	1224	WerFault.exe	129

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
4932	msedge.exe
4932	msedge.exe
2204	identity_helper.exe
2204	identity_helper.exe
2260	msedge.exe
2260	msedge.exe
5012	chrome.exe
5012	chrome.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeShutdownPrivilege	5012	chrome.exe
Token: SeCreatePagefilePrivilege	5012	chrome.exe
Token: SeDebugPrivilege	4904	taskmgr.exe
Token: SeSystemProfilePrivilege	4904	taskmgr.exe
Token: SeCreateGlobalPrivilege	4904	taskmgr.exe
Token: 33	4904	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4904	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
4932	msedge.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
5012	chrome.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe
4904	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 3012	4932	msedge.exe	83
PID 4932 wrote to memory of 3012	4932	msedge.exe	83
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 4996	4932	msedge.exe	84
PID 4932 wrote to memory of 1312	4932	msedge.exe	85
PID 4932 wrote to memory of 1312	4932	msedge.exe	85
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86
PID 4932 wrote to memory of 2720	4932	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://roxplo1ts.ws/xeno/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc7dda46f8,0x7ffc7dda4708,0x7ffc7dda4718
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4248 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,12223198385103260752,6610217866808697273,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Bootstrapper.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1224
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 1244
  2⤵
  - Program crash
  PID:2284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1224 -ip 1224
1⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc6d4acc40,0x7ffc6d4acc4c,0x7ffc6d4acc58
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3416,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4596,i,17476667772246514459,11155730415973733324,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:992

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
749bd892fcf4dc6abee8e91a3885f0d0

SHA1
79a86e04d12a68a55f2848a836f489d40cf3addb

SHA256
ab7e1dba2d8f5d8ca3ef65707f85bab7005c0f67f4a18ef5a97592555fc3da05

SHA512
5342d3b5666f52861699686985f548920aae4ff28606ddbfeb1ba7ea869af1b74168f4c9222f642b34343ad7a556723a06d1a704c3bd4133f3090859b05517bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f0f18e35d8b75b36ab360b859975ef54

SHA1
ab7c10a810ef79b29c568b979ad4ef64483150c1

SHA256
9978d478b9bcd415e6f033b213f9bcfb5b3a478e50d5597fb414dcf488ffb212

SHA512
68b2b254b5266f7c4caab0ff2233e50324106b6bf64208ec8f07042e93df344748bebb65119228829265e101f07d86ab2898be94470dd8b921de5bdcd62e70d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fd24c15da41877676bb6dbf28554b748

SHA1
1da8085b8bd192f47d0b0f49cde8becc5ef33d20

SHA256
abd55a7a94e4ee4a52fbd7bf32cc906d9d3afb35d6102543d2f83a2c9cd7204f

SHA512
fae9940ce50a22205ff31a11f3ffa0765419d2aa57a833e63e744a80f77ca17802dbe3708c6d22024bf05a8abbdafaa437953cd57d093c3d232266efc78a842c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ccf58d07a5514dec7dc29526ba1e5735

SHA1
5d8b2e464f07c0e6c6a0becde3ac6bb3697ec0c8

SHA256
758d0b4c6a2df3b6eaf636814b0a352914d28b1beeb1dc00e19d3c6fdaab06d8

SHA512
d5f50566dbd488d50ede4f017746e625d35d6ec9b6afdcbb5397c1694a2af74c5de84d80106758ed587d30949df7c3a2a16a12cb2b8dece1e6c571eb30a2a62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2806eee1-8deb-4f97-802f-219ab1c2c761.tmp

Filesize
10KB

MD5
375ae5561d8f9b92c58f182d5e1957eb

SHA1
1c041db91753726b8b27d3121d1b759efb5b4f10

SHA256
925b9279b2c855556c1942244063a4e58f01655d04048e37fc24120bde51e2ad

SHA512
bebc8ad8afee783b5455b1d6530dc89c660fa5f51420787eaff6a59b5c49b22b446503888091d93a60e793fc39ffdcf43b83440169f11013688c9b991450967b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7c5d3db2f56c286e6c28e9b1293799c0

SHA1
e1f05c86f6322023158b08fb1b446ed69622262f

SHA256
31b09a1580281cdbc94f0cdc434b4e5eadcaa173b0f44aa2a84bf412616a9233

SHA512
c3ef220abc188f6d1e0080adf6fabcecefafeac8471cef6422fde540741ddcf9f2322f4b2c566edbb5e913d1e121548fd6e29fffc13cf0194f7bf0d57a7cfd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
322B

MD5
c0454705d4e21edf7a0d8ebc2a956e27

SHA1
b123d663b6a6219f37b72261689f732963193556

SHA256
1dcd4703ba7cae0fbeaf6237d9866da93a8bf52961d8f4b327a9072d6799b051

SHA512
792af3a7dadfdf586d566f687a23c1f20b6c7905b47ca9beea4c6bb3e1e7c8a408ff25b58cc0cdad911654bdef82b9eead554376f5596f0e5b089f8fbfff1c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f01c05f4608c02d900552a766df4d5cc

SHA1
22b4fe10a97b6c629a843ac6e1e7c3b65e369ca5

SHA256
101e5c69a7cb5f2a45b20afb0f436fb8eec519e36672cb651cadc636f60ce497

SHA512
8e46487c5748ea72a705a4152008c087c3149d8536c1ee11519c659a8b59d5494385c5e4a0fd5828bf2ce682cd11cfac918b2d199dc58caf12089fd28c041dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18d0594a4b642e63db229abaee13d02b

SHA1
2ae3b1746fbf9b93726c0024223c47938bf37ebb

SHA256
8ea326dc2c7d87587af4f78771ee5201112c5d0f9d8d8b6d67a05401fddf3dc4

SHA512
5b23d3ca39b7e776874e8063f0bf91174316171c7079bcd35bf7787590f1c3480beed83d9cd25c11cd6461ce7cdf88a5e29fc56efc45b094ddcb105370994fe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ee7e46bc73ccdb36b51169247cbbd63

SHA1
1b65b11ba504efb9791d9af82053195c7d6c46d2

SHA256
39b5cf640e03576c0c976042c122741a5e70868cfd532076811a32da8cb2978d

SHA512
eb0a027c92a0b6ec387b22201764f721be326e6d31cbb991a6b9b3cf8c4622d3de318936074b2c0d4b189b027649afd1735a5287f1da4ede2d67b05a2dd1a18d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9d77e76495e05904413dbc24c7f9b0b0

SHA1
8cbc7d76c08123e4f3f17f089b6355fbda39c9e9

SHA256
80e023b58dc81aef35155edfd705c430879d9515715cc4ecdca3ffb6140ecc7d

SHA512
c48d8e4ea7b429d26421f41bf7b27f60aea5615a0bc3030dcc43955f5f88b06c92fbc865dc895809e80a995df382ca9118976327a8447de40b0481c8967aef0a

Download Submit
C:\Users\Admin\Downloads\Release-x64.zip

Filesize
407KB

MD5
1724e94f97c52c65a6ae1c832e53fdca

SHA1
bafe19a74833aa5fe5c6c8c6df4b3d8a17865351

SHA256
39133523ca12661cd7edaa797b55b0db4f3618220f3135b2e6af4f8b0f4f1d6c

SHA512
d3f2dd414653eddf917cbca2a871b88292d56e09db426584c27a01c2ce1f59a9c742aa67eb43cc2e06923c1dda2f85387457ba1034bd519fb15ff165691151ca

Download Submit
memory/1224-221-0x0000000000400000-0x000000000083F000-memory.dmp

Filesize
4.2MB

Download
memory/4904-331-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-332-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-330-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-342-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-341-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-340-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-339-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-338-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-337-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download
memory/4904-336-0x000002311BFB0000-0x000002311BFB1000-memory.dmp

Filesize
4KB

Download