lumma | hxxps://storage-prod-do-blr1-c[.]transfernow[.]net/files/2024-12-31%2F50881acb09bfe9169b09851e682d9750%2F20241231mbPXRY6g%2F6qtuPo%2FRelease-x64[.]zip?fileName=Release-x64[.]zip&bucketName=tnow-prod-apac&bucketId=6713bc8a-6b2c-4105-a432-4ff791c2ab89&size=20590647&singleFile=true&storageCache=true&x-amz-server-side-encryption-customer-algorithm=AES256&x-amz-server-side-encryption-customer-key=qX8L58lkXHtloqHC2VoqtciGSfMgTJBrZYdYl%2BafW3Y%3D&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9[.]eyJwYXRoIjoiL2ZpbGVzLzIwMjQtMTItMzElMkY1MDg4MWFjYjA5YmZlOTE2OWIwOTg1MWU2ODJkOTc1MCUyRjIwMjQxMjMxbWJQWFJZNmclMkY2cXR1UG8lMkZSZWxlYXNlLXg2NC56aXAiLCJpYXQiOjE3MzYwMTQ1MTcsImV4cCI6MTczNjAxNDYzN30[.]NAdmmrvsE9Po78rDXQdvJ_QMI5rU62WV16NfdK95tF4

Analysis

max time kernel
95s
max time network
93s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04-01-2025 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://storage-prod-do-blr1-c.transfernow.net/files/2024-12-31%2F50881acb09bfe9169b09851e682d9750%2F20241231mbPXRY6g%2F6qtuPo%2FRelease-x64.zip?fileName=Release-x64.zip&bucketName=tnow-prod-apac&bucketId=6713bc8a-6b2c-4105-a432-4ff791c2ab89&size=20590647&singleFile=true&storageCache=true&x-amz-server-side-encryption-customer-algorithm=AES256&x-amz-server-side-encryption-customer-key=qX8L58lkXHtloqHC2VoqtciGSfMgTJBrZYdYl%2BafW3Y%3D&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiL2ZpbGVzLzIwMjQtMTItMzElMkY1MDg4MWFjYjA5YmZlOTE2OWIwOTg1MWU2ODJkOTc1MCUyRjIwMjQxMjMxbWJQWFJZNmclMkY2cXR1UG8lMkZSZWxlYXNlLXg2NC56aXAiLCJpYXQiOjE3MzYwMTQ1MTcsImV4cCI6MTczNjAxNDYzN30.NAdmmrvsE9Po78rDXQdvJ_QMI5rU62WV16NfdK95tF4

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
4576	Bootstrapp.exe
972	Bootstrapp.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1908	4576	WerFault.exe	98
1584	972	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapp.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Release-x64.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
2696	msedge.exe
2696	msedge.exe
1532	msedge.exe
1532	msedge.exe
4556	identity_helper.exe
4556	identity_helper.exe
3400	msedge.exe
3400	msedge.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	3968	7zG.exe
Token: 35	3968	7zG.exe
Token: SeSecurityPrivilege	3968	7zG.exe
Token: SeSecurityPrivilege	3968	7zG.exe
Token: SeDebugPrivilege	4624	taskmgr.exe
Token: SeSystemProfilePrivilege	4624	taskmgr.exe
Token: SeCreateGlobalPrivilege	4624	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
3968	7zG.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
2696	msedge.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe
4624	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3116	2696	msedge.exe	77
PID 2696 wrote to memory of 3116	2696	msedge.exe	77
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 2472	2696	msedge.exe	78
PID 2696 wrote to memory of 1376	2696	msedge.exe	79
PID 2696 wrote to memory of 1376	2696	msedge.exe	79
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80
PID 2696 wrote to memory of 548	2696	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://storage-prod-do-blr1-c.transfernow.net/files/2024-12-31%2F50881acb09bfe9169b09851e682d9750%2F20241231mbPXRY6g%2F6qtuPo%2FRelease-x64.zip?fileName=Release-x64.zip&bucketName=tnow-prod-apac&bucketId=6713bc8a-6b2c-4105-a432-4ff791c2ab89&size=20590647&singleFile=true&storageCache=true&x-amz-server-side-encryption-customer-algorithm=AES256&x-amz-server-side-encryption-customer-key=qX8L58lkXHtloqHC2VoqtciGSfMgTJBrZYdYl%2BafW3Y%3D&token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJwYXRoIjoiL2ZpbGVzLzIwMjQtMTItMzElMkY1MDg4MWFjYjA5YmZlOTE2OWIwOTg1MWU2ODJkOTc1MCUyRjIwMjQxMjMxbWJQWFJZNmclMkY2cXR1UG8lMkZSZWxlYXNlLXg2NC56aXAiLCJpYXQiOjE3MzYwMTQ1MTcsImV4cCI6MTczNjAxNDYzN30.NAdmmrvsE9Po78rDXQdvJ_QMI5rU62WV16NfdK95tF4
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff45a23cb8,0x7fff45a23cc8,0x7fff45a23cd8
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,6478089827766653083,16622372821822916498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1148

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1304

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Release-x64\" -spe -an -ai#7zMap20379:84:7zEvent13045
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3968

C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapp.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4576
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1452
  2⤵
  - Program crash
  PID:1908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4576 -ip 4576
1⤵
PID:1944

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Release-x64\Release\scripts\config.txt
1⤵
PID:2408

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4624

C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapp.exe
"C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapp.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:972
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 1516
  2⤵
  - Program crash
  PID:1584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 352 -p 972 -ip 972
1⤵
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4049938e-2a5f-4c88-8c87-8e8fcb5b9488.tmp

Filesize
5KB

MD5
ecb6b50aa257708cb63cc62299f819c1

SHA1
1a670ef201c7b9c45b58604755d4519314728b6a

SHA256
662e8e33b1fc1e893e8690514b8450c38ab3d94360d5823796e06b9be0741b4c

SHA512
d67c86fa3db814e3fb32340ac54be4ba94d5e863b3809988faa4338044130bc43874bc8ebf85a7ab384ff23f1ee34be959ece6d465f3174289e3a9eaae464ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
206B

MD5
01c773943215504d3c9aea332c78b3d2

SHA1
f9c05c87d0a1326417549c2a272c569b3a24b001

SHA256
5e6fba68910f4691120cc0713b80afaff3515ee0a26c891d5f9c9ce2960331a7

SHA512
71b180472a03b9e03f6b3f064407d88b957904a0fa2abf5efd9d16705187c9a0526483eb90f96b9090b979d9f38d717dbb2042bd19234e54f61341191984d57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0ebbdd9a7b9d765477e9f42484998bc

SHA1
3ecb1609ab469291267cbedd8d985a60e129ec0d

SHA256
180f5616d4cf20e6d04e6e80c24fdcfd9f487ce1c4c270317b7fcba372ec4b39

SHA512
e6bec4e368b79234b4eeda0bdede6ec99daeee1fecb076981ecccc5d7638ed31b560c980e224fb5f30d13c8e99c1745bb8cd4f0c4053ed7e04185eb201847d66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e10df9999a349d3d46c156c1c1da6af4

SHA1
916dcfbe98bb5e7acf648ebb8faadfc2a1f9b450

SHA256
5c30248f688a577be9369dfc51896d9290ddfc5b49970dece2614424e0e0ab52

SHA512
a88a501c2434b55275c307aa9f5790822347e50dbdcaba08666e39abeb77f656ae893ba401cb37d00e4bb0be70959d4af88c817e635e51b079fc799de2168e38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
80a2da2904e3315262d62828235d075e

SHA1
ed84ce6d1195808624e1397afe5bb4aa2cecae65

SHA256
8f1af37ada0c642049822a59850dc4e39a10d1035d62b7604c509365415e4fd0

SHA512
282c15598815d44a0fde999aaf1293321cfc71813740fd0e8720982068fa7cfbf7da742b9fbb3428a9662b9a92b7207e6e856127209ce8d8625839abb1e26220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7f58d6b6ec0dd4afa5767ced369b5fdb

SHA1
2948e8bdd731c559a5a5bb98e7facc43dca21cc0

SHA256
836df9605d42d6b59e3f1e56a311ee973c329ac461071afa9e0e559aa1df78ce

SHA512
8cc30dad6112c764515e11ef3536a56f17d857d41bd75d40046e26c514e38890aa989b19ff54ddc7a25647aa9a73fea4e61d5f3427e2c5deb7c053ee33dfd809

Download Submit
C:\Users\Admin\Downloads\Release-x64.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Release-x64\Release\Bootstrapp.exe

Filesize
303KB

MD5
8b4b611f189dc2c0da8f0418a4f75a48

SHA1
67da157c8da2ee1deb30472e06cacca5c1918d5f

SHA256
c06c92f33a0f706400bac3cb9174e27d95a995bd69886bd7e779638813483c78

SHA512
93cd273d5d0525e92340434cb4a255c8d2dad8db24a2cbb0d78a1a5be41ecdafd835971bed638e98e546bfdcd59151a8d2219a4fc307a50b8e22b6b928136e58

Download Submit
C:\Users\Admin\Downloads\Release-x64\Release\scripts\config.txt

Filesize
220KB

MD5
96c673c9e9dedefec5fd5e27284e4f29

SHA1
1b5865f8998749a1fd61f62e6357d19dedcc9a2c

SHA256
d92b9e01e24935e1cc6144734c0b39379edef1e3c06aedbd547dc304e7334d77

SHA512
4ac805e8528f1003911960ce317150d186022a30dc31c479a54e1f6adbbf9cbce882da4b46f8cf0991c9e07fb4239f970d07c1538e4d16c79b560b5b272e5b83

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 645472.crdownload

Filesize
19.6MB

MD5
25493ab271580066a0d5e8d43b25e055

SHA1
f2a8336d1e6a75233f796fe37ec00aa204fb6907

SHA256
5281883011b847e4ab3f68c7488a47fb8489ac802c558a2cb1e5bef588f06269

SHA512
41728fc89da12faca4fa738f5ef48cd1d7fd1c9b82151f9d011f4079611d0e7fdc7a06503a07a469a89b9de0424404b547bd89e5678da73a8dfa89668932deb1

Download Submit
memory/972-192-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4576-176-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4624-179-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-180-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-184-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-190-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-189-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-188-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-187-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-186-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-185-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download
memory/4624-178-0x000001C8E1D90000-0x000001C8E1D91000-memory.dmp

Filesize
4KB

Download