lumma | a9f9d70ac11bceafc5b850cf44b959c2796a6b1c728f7a4e42fa09c0a87ef693

Analysis

max time kernel
495s
max time network
499s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
03-01-2025 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PASS-1234.zip
Size

37.0MB
MD5

65760834f3a039f72057f2debd91dd64
SHA1

11027039cec72c0cdabb0a9ca8271f4bb2e7f3b2
SHA256

a9f9d70ac11bceafc5b850cf44b959c2796a6b1c728f7a4e42fa09c0a87ef693
SHA512

3295e82acd101b622301eecfbfe23b61f6137e6ce86190ded172afcbe3c0143205dd2849f208c5fc3692ec59485e4eca095101a7d7826ccecc2573eaf51cd638
SSDEEP

786432:fnuq+CaDeprnuq+CaDepAnuq+CaDeplnuq+CaDepCnuq+CaDepXnuq+CaDepcnu6:G3Caap63CaapJ3CaapQ3CaapP3Caap+V

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 11 IoCs

pid	Process
2576	PASS-1234.exe
4824	PASS-1234.exe
3472	PASS-1234.exe
3692	PASS-1234.exe
4428	PASS-1234.exe
2304	PASS-1234.exe
3852	PASS-1234.exe
484	PASS-1234.exe
2360	PASS-1234.exe
1088	PASS-1234.exe
4776	PASS-1234.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2576 set thread context of 4824	2576	PASS-1234.exe	107
PID 3472 set thread context of 3692	3472	PASS-1234.exe	110
PID 4428 set thread context of 2304	4428	PASS-1234.exe	115
PID 3852 set thread context of 484	3852	PASS-1234.exe	118
PID 2360 set thread context of 4776	2360	PASS-1234.exe	122

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PASS-1234.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
924	msedge.exe
924	msedge.exe
3016	msedge.exe
3016	msedge.exe
484	msedge.exe
484	msedge.exe
4692	identity_helper.exe
4692	identity_helper.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe
4100	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4736	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeRestorePrivilege	4736	7zFM.exe
Token: 35	4736	7zFM.exe
Token: SeSecurityPrivilege	4736	7zFM.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4736	7zFM.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
4736	7zFM.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe
3016	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3016 wrote to memory of 276	3016	msedge.exe	81
PID 3016 wrote to memory of 276	3016	msedge.exe	81
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 840	3016	msedge.exe	82
PID 3016 wrote to memory of 924	3016	msedge.exe	83
PID 3016 wrote to memory of 924	3016	msedge.exe	83
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84
PID 3016 wrote to memory of 584	3016	msedge.exe	84

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\PASS-1234.zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff754a3cb8,0x7fff754a3cc8,0x7fff754a3cd8
  2⤵
  PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:484
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5576 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,1789695451512874529,12607037180093375787,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3112

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4680

C:\Users\Admin\Documents\PASS-1234.exe
"C:\Users\Admin\Documents\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2576
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4824

C:\Users\Admin\Documents\PASS-1234.exe
"C:\Users\Admin\Documents\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3472
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3692

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Users\Admin\Documents\PASS-1234.exe
"C:\Users\Admin\Documents\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4428
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2304

C:\Users\Admin\Documents\PASS-1234.exe
"C:\Users\Admin\Documents\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3852
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:484

C:\Users\Admin\Documents\PASS-1234.exe
"C:\Users\Admin\Documents\PASS-1234.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2360
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  PID:1088
- C:\Users\Admin\Documents\PASS-1234.exe
  "C:\Users\Admin\Documents\PASS-1234.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4fa95008-3dbe-41e2-a7d2-ec1f1d6bfe5b.tmp

Filesize
539B

MD5
b0e42ebc2182f55a4c7e27cbe04e2019

SHA1
d7f641a347995abbb83f813eb88a583fcff5a1cc

SHA256
9932f395f1fd392869e84363a35696f37109ef00d03ddf4eadb9c70ee47435d1

SHA512
3f11cdb257b323fa5c90e2c8f2f0bb253ae1f17706feacabce67ebeaa8bedda2e6ed9580aa296d04c663570044cfd34f767958607bee1187d3a34e5f6679541f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
91d599c6f02b5141b57a571db1f43fac

SHA1
23490f46ad820476f81d0140884499c28d0018cd

SHA256
9d9114406f561a51a3cbf64836432843124b865ff1ddbd0c0ec32bade90dadcd

SHA512
8a4722aab8db6480948e24fa4ccc83b33422515c0c61db492d4597b46e6c201b7ca788d17a724b4a13d1490dc896c3b7d8b5c3bbd068c2f104189c0d24b7e85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
946B

MD5
600ce301b1f4ea6db578bee714cfd712

SHA1
e3cce339e9f608b9e1f553a5ce2a776156121fca

SHA256
94b2f144f6a452be5b2f463edb4862e9288d815c64f9de76e60884430919e731

SHA512
430831f34b08bd9c113473e31f3eaa0163a033cbcd81aab5f265687f1b7f1747a98d402790804dc27278f9f0c4c3f0fb09c966a59b8411154c49ec2d9fc57197

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
76d2c9b6c5ad812778e1755bf2cfba3f

SHA1
24f9b1e7d486a1df4aff65f8692865e35470359e

SHA256
35b7715bc720bbce86d8897fb35a2c39a2d0a2be338b0ed8fe2e7d712991e420

SHA512
635f69a7ebca5b3ff875e9c066b0107800dd651bb27c71da87af137ac98e841a1c14fcdb95e6b0400ed508785e20569bcff5fad42672dd3f52f1c59001d70da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
96d349e31da82376b9397d73348c8d03

SHA1
168e1b0f0d4b775fba6122752ebaca9520cf2ac2

SHA256
90730ba391289ab2f8b879cec3f8622a78ccfe9951aacd64475ae36ab495dba6

SHA512
5736e01ad7b2cacb721fb18919eb7f8f5a957fe33bb5fb22c1ff82183075d6ccd59e967404a0756bc197d829f7cb0bb4aa28f27e125b02ac2a5db93ca8103254

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ba7fb5017ef7609645c4082f7485700

SHA1
8811d3ee0854bafe1182dec3c2746235ff301ffb

SHA256
0f9f48d9de0744dcf40cd9f0876d088049f40c8349723b4a22ab09e99a4b20dc

SHA512
82c244389923b205220c6897a1e892844b70000fdf26a380a0158b62b0d858dc22a1228808b3a98dd1100134fa34ac85fe6c67d45df620bc30aaa50279214a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0fca2fe5cfeba7fb8c22481221f5bb3b

SHA1
42c035ca0e62f02dfedbbde38798f45a70d03c35

SHA256
44167829aadc23623a18945104f33fb5e1bf18f5d1351c63870d7ae293f00a5d

SHA512
bd1000c2d279ae37ee5070940c95c82f3823270341635d28701932b50262ccc3af4f4ff84272b08471cef2ecc3753329420a84b1ce670ae65e772c91f3055794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5ee357fd79cc93b0fc6645dbbf868722

SHA1
6ee10656334a54a0eda2c357513f818aa01af2f6

SHA256
be8997b4ef7dfa33b1dd8f56eac1e76c11beb59a18d6b047fcc2f80d7a20a9ae

SHA512
fcd9153dd58c08297265f11cfc094ae2dfe065d9bcd30af8c15be2483601d419d0e6ba7f07e4762b9b0da7f447ef50f74adb7564bdcdab4b9d9cd265ae662fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
08930a5f0d6e2822e87ed96c02cf6d2d

SHA1
5ca79ab127b50fb41ad13bf0e1e640808c3800f9

SHA256
8052281fe8be6700fe709b7b3f7698dc16617de2269d831a95d88a0b5a84d10c

SHA512
dcbfc604bcca31db437ab2815d7e58e7a3ec31e24b685fea57ba9577282e7bfdbe742ef6751e06997d36486f6be25b68ba3d6d74fed7c9751ea13ccc273cd826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
077f83e26ca8783076e50ff167d64c6d

SHA1
9e03e6d3ca56bf98c5ea48822eafc554cd9fad3d

SHA256
fad21346a1d9292713fa09a8f6b07260951b0f0ab71927bb77d6a6b416480606

SHA512
a5a006b02c7912e542d76008ea491f732fa881cd6c5ad8cb412d8687bd6d2e42b2eb494fabc8f47ae889df8b450149cc6488123966843d0d7e1787823ea94a11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
391bdf1bd16cc599e3e9b78dab5b7e18

SHA1
9d920fae75a11f9343abe0dbca3ce402383129b0

SHA256
47eb5b3eb2544653df58d7876756b5e49a5d26346bebba206a24003a697dd3d3

SHA512
8f205bd1c7fe8f102ebb274253d49dab1c8d7df94f18baf0b39fa0513d26caefbe870eb536c895c2f2871fa39affe2615605f4d7e0375d6684438f4d6ddf6dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4820f36bc5c15cc245fdae9d9a370bd7

SHA1
242ed134c7b82127548ba3b815d1edac4598fbdb

SHA256
5df6f2ff430d753e2c833ca0b89e95a823a50de220e1279e39d0bc4a35a9146f

SHA512
9b2ad195e266fe9efa6b7c6c07bdd3bf37593970206353fb6f47018abc2eda4947bc46142ae4fd99b1b7fba136b09e62d7b0dcd92d634387ada8e8183bdc5eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
11f7b98a2b98a6205d386965f569392f

SHA1
8263c357c1eccb34a5db55231bfb71b35fb8b613

SHA256
571fc2341fb96b6bf1e19aa7350c9606faeb0b079c3e27b05b0569f998e936df

SHA512
f9a59455d4d061ac6b71a0364e6fa6db4e344131370896fe7c8a6a8b669543ddba262f48e98f43a213ed625baa1b43c43e84cf3d15ed2be189e591a910aec022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
36aed25a0ecf3e33713cc2cfbc644325

SHA1
382013f0452fbe8c046fa8044c1aaa20e7b5e8e8

SHA256
197dfefaa5df556804a9d781057ca789be06efb2cede5a78824f7f3ef1468653

SHA512
b68cf1e41ec99b8e2e708f4824950895581a6954dee807e6fcc7b06a258886f2e1df9fdbe4983f68a64d38a675b37b3a978231ed11163ca34ddfe5dbe7d872f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
a7b9c4e1a46d080867e11703174410a5

SHA1
027f69669125282e248f54fdbea384c7ff9e83e3

SHA256
7566f96413d7b3be1ee5087dea51b38efb1c6da390ddab417f4a9bfe3b25626f

SHA512
3fce51aab94bc80fdf0471647b494b0c4e279d450269a3b4bbac5b69c7da088489824df885dfc4c409452780078229d85b32e84af402e7f85ab562a1feaefa85

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\Documents\PASS-1234.exe

Filesize
526KB

MD5
e2567466f88e3da8bd430a7fd6bbf229

SHA1
3269a6517fa157a962051024d8e46e6655740035

SHA256
aa4f774f707fcec31895672d4c6845761d57006adf73342ae9739c37b4c9c597

SHA512
92d1cace941d468d65cf7dda4a906697e82fefe2e03770a90f473c8a4e6f325f554fcc006c784fdb5b7e663f26d90de53e843cf12a1a90e6f7013a22fdec8313

Download Submit
C:\Users\Admin\Documents\libbry\libb3.dll

Filesize
21.2MB

MD5
d048a16cf471fca67d6805385a2488b1

SHA1
3385cd047d14909ccfc0f28d552c2301272e0af7

SHA256
f00a35a9725ab3ba68cf340c547e88e8916adc5c2e8c9220d0a76f0f83ff14e5

SHA512
1249f917a600a7abaeb88e2efba9583f840bb39c769aa481b991eea40567a286c831749f7950ead4f83d4b6407209a517303a5e8ce7c3830882ff6627a189ddc

Download Submit
memory/4824-314-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4824-316-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download