lumma | hxxps://github[.]com/bafym21/Seliware-Executor/releases/download/Download/script[.]zip

Analysis

max time kernel
155s
max time network
168s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-01-2025 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/bafym21/Seliware-Executor/releases/download/Download/script.zip

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Extracted

Family

lumma

https://fancywaxxers.shop/api

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 544 set thread context of 624	544	Script.exe	124

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0f4acc86-f562-4e5f-8037-21e3fb1f4f47.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250105135921.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5676	544	WerFault.exe	121

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Script.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3506525125-3566313221-3651816328-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
2256	msedge.exe
2256	msedge.exe
4696	msedge.exe
4696	msedge.exe
2940	identity_helper.exe
2940	identity_helper.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe
5204	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	5204	taskmgr.exe
Token: SeSystemProfilePrivilege	5204	taskmgr.exe
Token: SeCreateGlobalPrivilege	5204	taskmgr.exe
Token: 33	5204	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5204	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe
2256	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 4592	2256	msedge.exe	82
PID 2256 wrote to memory of 4592	2256	msedge.exe	82
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 5008	2256	msedge.exe	83
PID 2256 wrote to memory of 536	2256	msedge.exe	84
PID 2256 wrote to memory of 536	2256	msedge.exe	84
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85
PID 2256 wrote to memory of 3644	2256	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/bafym21/Seliware-Executor/releases/download/Download/script.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xdc,0x130,0x7ff8ae9246f8,0x7ff8ae924708,0x7ff8ae924718
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff68abd5460,0x7ff68abd5470,0x7ff68abd5480
    3⤵
    PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,7270508026791842754,16033796098537613491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6012

C:\Users\Admin\Desktop\Zeliwer no melwre\Script.exe
"C:\Users\Admin\Desktop\Zeliwer no melwre\Script.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:544
- C:\Users\Admin\Desktop\Zeliwer no melwre\Script.exe
  "C:\Users\Admin\Desktop\Zeliwer no melwre\Script.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:624
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 844
  2⤵
  - Program crash
  PID:5676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 544 -ip 544
1⤵
PID:5600

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Zeliwer no melwre\bin\metadata.txt
1⤵
PID:5164

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Zeliwer no melwre\bin\settings.txt
1⤵
PID:3212

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Zeliwer no melwre\bin\tbb12.txt
1⤵
PID:2232

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Zeliwer no melwre\bin\libEGL.txt
1⤵
PID:752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Zeliwer no melwre\Qt5Concurrent.txt
1⤵
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24dada8956438ead89d9727022bac03a

SHA1
09b4fb1dba48ec8e47350131ae6113edd0fdecf0

SHA256
bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1

SHA512
03f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b712a4c83dfb3c522d032cf900e863a

SHA1
4f5bec4be6f4ebfa959e899ceafc62309bb1f141

SHA256
31da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493

SHA512
03b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
bf67b49b291dfcf1e14a834bf9f2f34e

SHA1
5600b79d79464d17657d52e56fb262c7fd549f93

SHA256
1f2126dfec9fb0400ab087aa2efe5013229391d255547f34919ba22cc0bbddfc

SHA512
189e1474e6856d1681bfcf62ca38993de8103b856724a8f0f48779b0f57712a5fc2754982b7c2ed7393eafdae233ff5ae700cb15edb884874de62f219a2ea824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe57f84a.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ffa1e3bf7e8489d24e1ae630df02588

SHA1
bd041f6e5869a78af6220c0f5bdf252bca4ef189

SHA256
dbc992eee9594f2746a6d14fafca32478809bccb55827cb110129355890dd0aa

SHA512
b7fe613cb9a54224a881b8df678f2c8c694ac18e8132bb269c55ec72ee95d8a46531f3e80f1f7f8f6f499ae077a24453f9eee4eb4b931521d62de2697806aefe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d5d5145ca3e10393d9ac26d6155527f

SHA1
d0d6b38e5570e331cacf5af4803e202dbe5b4632

SHA256
c004184552c371f38926b6f725bd7bcc97a3fadbe4f35aa1fdde0d50a8839531

SHA512
fd7c28681d1c1c1521465c1a159bb0aecb52bb786b4e8985700d3756f83bd5c8eb5da4f5e46aa225e1f371150a05948f4e2f3c4168f71769a6eb114cdba1df7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3a367428c0516ca67198bce3b372fc09

SHA1
436a52e58261c2a0a7cd87e4d2c19163cf155a6e

SHA256
efd278099c39bcb1b31b20847036c1398bfbe2244242e2fd71913e722db539f7

SHA512
4ed8ef5faa7c83755f3bda249fbe00d5178eeb66d2a7085dbf3e2d93ca671e042370d03b7141d6e74399d7969bb1905d66c6a83f4a0faf58f669e842ffb0a1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38077f1f8c2b3d491a9f8dfcdb1d5b5d

SHA1
cd99a515f7e9024e02219e05447f84ac1bcff5ab

SHA256
011139f4e290468e83441fdbd1a342650825889d2a380c9ceb9f6a57e23ba8f4

SHA512
1030f245608af13cb341f17fd05214b8791e8814f16fc9fa9ee66ca905f96758a91db95a65769395745280bcca8e24fbe4eca8c2b8a985220e9ee40b2ac12217

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
85eca930a791cbcb1373f5fdaf17857b

SHA1
ffea7d54e9803374a484f1e4c124766e80024efc

SHA256
fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c

SHA512
2ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
99a7edf9124dba808b6d025b14aea278

SHA1
f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef

SHA256
9d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089

SHA512
fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000001.dbtmp

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e34b62bd210491dbb85c4846bf709a8a

SHA1
e0f78514f31285c11260e3b93994251635a8cf3c

SHA256
0f13d7011d3066867863476d14dee8ab8320cf2a7722caea7d4540c03eeffeb3

SHA512
a6c0ed4e7258a4f666806fb7408916cbfc87cb05daedda67befd1080e3643809dab9ee5490e0b98244f74df7648151b2d0d641119f815d76a308d2108d048043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
2c3a8ea9a307143c2db61f6b062a1043

SHA1
76ad89044735ef160b981793a1dda7d0991bb3db

SHA256
f4f8b11fcc03ff48de9b745babc77525babb954c068822aef1109b6ccd43360a

SHA512
744090ed838e833261d5df2364ecc553683dc6136599e1d5995c2b395cd74f4992867e46517531cdcf8617616aa89512f600cf38beba419e82bcbcbf37e76c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
166418f3e464a708e9a22c4ee0c94b94

SHA1
a9a4b467b4cb039d4497ad3b22414a17b1abb15b

SHA256
019e2832e7ab6b2f1ea9b36a6451403820bdcce177f068557457cba3ae12a789

SHA512
1c5e9d85160082585489efb98a86073ea962e92c640208cf1ca477908c9ea6d8e1c84ae7b19b6e67eeb5d0d93796b004768207d029dc2a5ae0b216613a2b7f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
5d1acdc78de6c5749856fec5eaf0ce77

SHA1
b9ed1a519a7ce6d501ad1705bf6e2be5cc49c801

SHA256
6a55aaa9fe91c461a5e5f66c07266b257f0d32bc177bbcb3bb21eb180c0338dd

SHA512
5254445eb194ec1a85ce270d178a77c5d209625dc99e58aa41ebb4335696b619a4164ff9586089517c8def60e574debf1327592018fbeb39b7c13859fd552da3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f089cdb0229c0e8376a6632016b8d90b

SHA1
31015cbb70f1260e883090ff3c3bdb4c287b4e4c

SHA256
4fc5da3f4ffdafc6d188f1ef21d99ab91544cbf2ab71933ca7c046575e032101

SHA512
14eaa469d4f651b4de77e2786e549955808447cfdd0cca94dc5bddeb6a36f01db1e952b0c6689eea260d7702085dc44ece1428fcdb30234f954b8ae9420eeff5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 689846.crdownload

Filesize
5.4MB

MD5
a8f18d05ee349962e2f6c4ec12c31adc

SHA1
decabb22b693adde8b9a50561705750d36063506

SHA256
60881fb0340f0104136d089421f819b3f42bbd5b42a095b6a66cfb756ec0d09a

SHA512
3303f2ac273617cf74579235984c6e60836a87b46726f9a96eb876af53b0a84adc7aef3b3f3462264218befbf39e673c9799a657cfbb670488971a9eaf2ceec1

Download Submit
memory/544-341-0x0000000000300000-0x0000000000362000-memory.dmp

Filesize
392KB

Download
memory/544-342-0x00000000051F0000-0x0000000005796000-memory.dmp

Filesize
5.6MB

Download
memory/624-344-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/624-345-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5204-347-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-348-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-346-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-353-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-358-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-357-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-356-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-355-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-354-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download
memory/5204-352-0x0000021193930000-0x0000021193931000-memory.dmp

Filesize
4KB

Download