lumma | hxxps://roxplolts[.]net

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 23:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://roxplolts.net

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5068	5004	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper-x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
1420	msedge.exe
1420	msedge.exe
3216	identity_helper.exe
3216	identity_helper.exe
2724	msedge.exe
2724	msedge.exe
2940	msedge.exe
2940	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1420 wrote to memory of 2732	1420	msedge.exe	82
PID 1420 wrote to memory of 2732	1420	msedge.exe	82
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 2704	1420	msedge.exe	83
PID 1420 wrote to memory of 3064	1420	msedge.exe	84
PID 1420 wrote to memory of 3064	1420	msedge.exe	84
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85
PID 1420 wrote to memory of 3436	1420	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://roxplolts.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec9a246f8,0x7ffec9a24708,0x7ffec9a24718
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2292 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,5245529842067969882,8215569216718089001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4448

C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapper-x64.exe
"C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapper-x64.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5004
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5004 -s 1236
  2⤵
  - Program crash
  PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5004 -ip 5004
1⤵
PID:4432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\185cc45d-6ab7-420a-bf33-226d3b78452d.tmp

Filesize
1KB

MD5
6e0fe9dc326af819172cdc34a521ccf8

SHA1
6f0c2525dfc2d4119726639b64f50fc5edf4d177

SHA256
54bc92eb6bc68874180f65f02b30d818351f88bd943887b16a58a79edf06f6e8

SHA512
bd025ad27008b7c3fd87ed9a85630e6c555c1a3ebfec3065c02d5802a5e9f2194d2833aff6012e4f79f5388047ab01ab79f0bc6e848ac30a596853d3d755089e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
45ec65db72c71d42e3019a530837f5e0

SHA1
48f05b0dcc4b472f6e1a4b69df1457c23cf0177d

SHA256
35b7d337f37becce4adec1c44a530951bb54d5dba1e46f632ed32581617dd539

SHA512
66c30512df24998f69b3f23ef40189ee19696438bb049d6a412cddd4ca91436b753f009a295a630fb6f9bcc6426c04f24aa8bcf9af1a87820f24331d10d5131a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
68f6c81f7df3e4aef897342d7e22fa74

SHA1
32a72b89f0adc1f1f1e35370b4baaca93bf037ca

SHA256
1531e152cac7098aff99ea97d1a19d799fe37a4a144853205b22785b2e2fe767

SHA512
aa2312f69e6b0f8f68621bb5893ecce8caec8e9430b415739ccacd3b294ed2772d409d16b2ac745f724cef554ef920403752bbeb1d6445ebd06f3759cd61d173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c1f4b97e7d7aa0d4eef0cbd426e5364a

SHA1
f3afbd3d71ae61967e7dfd5ed593539b9ec7dea6

SHA256
82e435063f5d0a579f430d34d294a53696d78a3f4f9aa49159205f6762a8ee8c

SHA512
13d1d1bdd199ab7c5afcfd2b74237529384e8a835084f83d94798dffe86bb7aab8c10e58b46baadba519954710fb7f5f369299a01bc339a258ed1d8b3f6454d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c1819ca6a3ba9538e47591c8a08f8fcb

SHA1
cc9bb52425dac4ea297b32aefc434593bb628ad7

SHA256
579036880ed80274c5dd8252ea1e6021add7a946851050f89efd5f3643a69ebf

SHA512
23007475fe71889d6dd661ea2e9ec99d0e46d77e44b9b92f60440088fdbe9b3db38840b9c1a8df803068eb7e9a642047e666023ea096b7148d8821cf674fbdba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
76d0682d79dab6ae89e83585ec4a61c6

SHA1
6edb5a504f7a7869f178b5385a1013ca51db0efc

SHA256
b7c86dcb08095484806a72dbc2f6c8f7a3a57aa2bf83317842fd15594ca4b4a6

SHA512
cdac5442c95bc27012cdccdd85bbe99a30ae9348ef65bb9dbfb08ae948adf52f7eb2791938ec0fd8c9b310562ea870f19f18818eaeb7711748309b40f041fd54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
71d2f6cc9ee052d2ab6e337d74f4b483

SHA1
93e22438e5f6254f15a424390415eb05fc4744a3

SHA256
822b4becd8376003b941fecff704092966acfd8076c21559c4d5e137f93fa129

SHA512
22fa03fc5dfa623f778150ddf2b2d26cdfa3a453c12f490ef763eafc6a158c7890962cf8549168a399a2a8044349f218b3f7019293345875ee75ef06739fcb81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
750ef66e8e6edd2e2f6884592cd52912

SHA1
088f72207cc378bc19ed34384c9638b2b7ae051d

SHA256
b5b9f77c122b1195731f6887079cc0841f2945f1a5fe1269fd0f18ca319ed28a

SHA512
4e0683c42d58185042412b89ba17993de11156db6ae93aaa5ef0589c1557cc280c4c64401e3dcd6c0460290e46aa361945fa02b0a6046f229b918dc209b700a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
874917cc0df65a20419a8ab23440725d

SHA1
14ccd1f06eb7d469c9d7263629f38f3230212255

SHA256
6033eb4a4af91d1618f6956cdfe051a4d4af5502e7ad6e9ffda28298c10b486b

SHA512
ae2fd0d19a47e78aa0ec8a86823f66320347d041eff56230f3b2d3ce3702476a42125217b450430431c955e22706fb26ac7dac15144796bd53d3ce752cf45cb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
83317ad2554bfe10e4b0453d2be3ab01

SHA1
984c19d5aacd895f22358c59ee19c5da248bac75

SHA256
434f2efab84891386f9a13f2a4e8b98d9dd6b13c6adbf9756b29323599004fc9

SHA512
0ece741fb5f14e0531434eadc50e902a99db0932fa298f29f9c6286921510b3f1f0ce08eb29db579744bc75e3bd6ca11eb26040cee173cb44f52881a91335c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b53cb9828af9ac65f82cf6e68b7d456c

SHA1
101f7e05eb1dbcf468c156dfe7f98b34db23417e

SHA256
2b47221e997b3adb131396860444ecb7120aaf6e31984c6fc7979772a9fece98

SHA512
ab84cc1715ec07bf619e51524d853d901c719462d721025ba31902d79b58c3a225b588d3d779de3a80e2c047ddc9ef9cb9e83f21a0bd8e333bdf5467e3a36c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0ecc6aee89ae5f84b72e6a9db5b37a7b

SHA1
bf291b9a083a385b20008fed31deb88133dce050

SHA256
9bbfe5162b1c1a3b94f41ad2e0085e1cf3be7e8821b82031fcbee50bae482aa5

SHA512
7076c16934de9db906c83370f116b0b0fce33dd41e5b729a5581c7c90b93b47cded409ad6950acbab3648f1d75cba4be273d1d79211141264422fc773334103d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581e31.TMP

Filesize
539B

MD5
e6727cb03c82206197db6230d5f06228

SHA1
ee8d6d72caec4754b7cf766c8d89defa1ba3efb0

SHA256
4fd5d56c4937d72fa576894ca2e53be64a874d8d6317522062cba38c81b58242

SHA512
46b17614bf9e7a794a83b7a21f159c10a78572859486cc4bdf31e941dc14648f94198238b6fc33bd088a7c865947f13ed5014af777f98827015914690ce88530

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9eefc06c59c87a6fab5e8d00478596e9

SHA1
cd008e6d2648c523b669229e4d8f1be646feb099

SHA256
7ab476275b40a7ac49d85e2d463ede04f3b7c5b9491d04ba6cd0788f1bd15be5

SHA512
010e7df5642246d446062d6629e4bc690adb7eca6edbe298393610b6cb92942918240c018875b5d93afb57b684d04ae8fce2fe7ce5d343a2eb52f1b43536dbe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
711300a39b226a3e45f5f98e058a0263

SHA1
72a962dad88a7728041359d8706036b84281430f

SHA256
ac3da4b451d840c67091bc584a1e00500af1cc2c20fd4c11b960dfdfec36b25f

SHA512
94c10eca45414c26f2c9eff9efa62e8235c614e1d72549c00c8037dc5864ae42dca24a02194958a971426db8a72c48da823ecd8047b62e775842954a1acbfa65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ca100ff6d1ca80cd7bc6d7a54f09a515

SHA1
cb9a85594cde122a5392f5691f0a49e301d23522

SHA256
dee732de3ecd8cb77a1344e80aafbf22586cae4cd61770664601c94c083dee36

SHA512
07d6b17e2cd1cf7279c8284e874fe2b9def1731f06cd6926f65a0f5da90689f5f76a35cbc10884e18c86d60f7e30f23affcb78285859306dff594f7f62c99395

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 516140.crdownload

Filesize
19.6MB

MD5
9ab907ac63d15998103eb8645420ebff

SHA1
33e94d15a3f5427e6ecde96c73fcf5f492c2033e

SHA256
a7f04932e4eb88bb7d618c0ecfd79b93f9fc131b4825d9c440e078d610480796

SHA512
b70299ac4ffe787b64032b8841636b44f3804e071d05c52051409de74998a2fc8f5f2ef2560397deac43613579a878bf4d73f983fad777b0cf5b4676230f3b69

Download Submit
memory/5004-394-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download