lumma | hxxps://www[.]mediafire[.]com/file/jp39je7o7rbt9yy/Extreme_Injector[.]rar/file

Resubmissions

07-01-2025 17:05

250107-vl5wjsznhy 10

07-01-2025 16:47

250107-vaq81szka1 3

07-01-2025 16:17

250107-trvgbszphp 10

07-01-2025 16:15

250107-tp7zmszpdq 3

Analysis

max time kernel
177s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 17:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/jp39je7o7rbt9yy/Extreme_Injector.rar/file

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/5272-441-0x00000000009E0000-0x0000000000A40000-memory.dmp	net_reactor

Executes dropped EXE 7 IoCs

pid	Process
5272	Extreme Injector.exe
2584	Extreme Injector.exe
1412	Extreme Injector.exe
2992	Extreme Injector.exe
3824	Extreme Injector.exe
640	Extreme Injector.exe
1316	Extreme Injector.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5272 set thread context of 2584	5272	Extreme Injector.exe	137
PID 1412 set thread context of 3824	1412	Extreme Injector.exe	145
PID 640 set thread context of 1316	640	Extreme Injector.exe	151

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 3 IoCs

pid	pid_target	Process	procid_target
5544	5272	WerFault.exe	133
3488	1412	WerFault.exe	142
2016	640	WerFault.exe	149

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Extreme Injector.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2008	msedge.exe
2008	msedge.exe
4836	msedge.exe
4836	msedge.exe
4328	identity_helper.exe
4328	identity_helper.exe
5548	msedge.exe
5548	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe
5736	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5692	7zG.exe
Token: 35	5692	7zG.exe
Token: SeSecurityPrivilege	5692	7zG.exe
Token: SeSecurityPrivilege	5692	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe
4836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2896	4836	msedge.exe	83
PID 4836 wrote to memory of 2896	4836	msedge.exe	83
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 4472	4836	msedge.exe	84
PID 4836 wrote to memory of 2008	4836	msedge.exe	85
PID 4836 wrote to memory of 2008	4836	msedge.exe	85
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86
PID 4836 wrote to memory of 4200	4836	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/jp39je7o7rbt9yy/Extreme_Injector.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb76ff46f8,0x7ffb76ff4708,0x7ffb76ff4718
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6876 /prefetch:8
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2136 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7584 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7084 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14889979744707500322,1220719688741222997,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:5592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Extreme Injector\" -spe -an -ai#7zMap17837:94:7zEvent30761
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5692

C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
"C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:5272
- C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
  "C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2584
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5272 -s 816
  2⤵
  - Program crash
  PID:5544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 5272 -ip 5272
1⤵
PID:5492

C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
"C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1412
- C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
  "C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
  "C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3824
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 804
  2⤵
  - Program crash
  PID:3488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 1412 -ip 1412
1⤵
PID:4116

C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
"C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:640
- C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe
  "C:\Users\Admin\Downloads\Extreme Injector\Extreme Injector.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1316
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 640 -s 796
  2⤵
  - Program crash
  PID:2016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 640 -ip 640
1⤵
PID:5768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3ee7e3ba7c2e0a2d0083ac6fb0a4acaf

SHA1
8b0070bf18e60a18810d352f4a75a6cb5ee5a74d

SHA256
2738c9fa8ee709f5f5370fee58185281c0079335883403367f74caeaab56f751

SHA512
422535895d21f445eaff0d2154a6b861ffdc2550acacaee80cf5cab6dc9a6d0f89e0306410b2d873f79c8e1c737663cb8b91cb7f7024083895dad3e3f0e00497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
202af6b19a2d261befd8a26c60093fce

SHA1
384a2c6ef6d70f626924c246ade1bed788fb8603

SHA256
f1cd7e93fb340de7f82e87dd6cc0c93654b2cc4781d4fcbd85cf8c4c7fe09820

SHA512
af1a5d052f354127b79934453aec0e1bc22ec9f39d218759729f70b93e322e5fb7c1f091475e9e3c7a3adbc569e7e3285c43f6fef62061c5e948b601d1b7a9ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4b758b71194b498af0c8ce6d9b8a37d8

SHA1
563cd03e18950fb52b0de02b4faa540e97dd2b41

SHA256
ee20c59dc09255b12546123281669479861196cd963fbcf2d228e2d0c76560e2

SHA512
8bcb16f9cffeba7f8d648f3e3a9061fe5030a26732849ff789598663c384a60b30c1b4902f7904934be794999024790e85ca793da18028170b2a2b908c3debe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
658f24456216af90dc55e6ce5e195857

SHA1
7bd63727e08a547cf85294f830f783d339c73f28

SHA256
cbd5172963c3c2695d4a0286811b32b8203fc77b2eae1cccc60efdf69a9308be

SHA512
2fc297211deb04582f4da71780fc1e43cfcfd4c588dc96ebaef56ce947f876ebdc61cd65062d2619576a355226dc14baf8f114fc9637bce1d4110a192e9372fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7719960dae5e66c0777a6135bbb4f0a6

SHA1
8295df2bbb958275d04eefa5604d37239f203491

SHA256
225c3d04d0e3c7b7dd037a20b7bd986da1564382e114080fb956848ad4fc0195

SHA512
e67b6d5313a18a1e238bebe25a18237cb6bcff66da17a2388d424a2bf21d02c0b8d0f4f2a375688b0e4746b75ab6f8237dc5281b867eb520f933884e0c3e424c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
55fd0ab12c1514051d0aec2ac028551b

SHA1
a5bb9b26b14bd54e256c2877645c579719ea329f

SHA256
3b3fe077ae1e6b5a6d8be59d67fe17e4796863bc5498e0a2f25dc594bd2c8e9c

SHA512
812c43160010ffcebbde48d33a33c256b47568b8ded056c7f0d94aba5a32c9c27649571965968aefb1de44db7085a1acf0d675c7a7a28956053bb512a318b4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
964f04194270bd855d2b828a89a0e9ba

SHA1
a8432d21d4ae363aab241ef6e23ed1cb0d9210ec

SHA256
debd1b4e5ddec3251c54405c19174189e2dd0900d49b3e16d58f0fb9bcd8a7f8

SHA512
884d072d73294b8c4950bc7b9fe526f1023919a037d214b37c9bf0becdb6594760acc98cd2c36eeefbd6194b5c4d2102c06d7464c871e30ac26bf7edba7937b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bd2d0b1870a333aec52fef2b42e3417d

SHA1
21a3422e1f9bb4b3871e7badb21d4892f630e624

SHA256
73bdfd7737dddb90a90779b101c81f9e469577205f1579bde8699eefb77e8ed6

SHA512
0c47de5a05128c6275a10fd4fc076cc09139008cbbf238dade67e843a798d35a76de9b1ae1609d4d68d0f246f921db9b722f2f2d3e97b92a586b3ae8f1d073d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
078dedfe83da52b261f177895f396129

SHA1
502d998d041a0bb6a7c33794c518d56ca0f543fc

SHA256
bf79720dcc0b376b5569484d8b30def81551a8c0d90c01c2ab2610dea0bc67ce

SHA512
4248d11a6bbdfcce494967bd34b300926bb7afc3185c62bcb425dc10b9c7ab5c3e90649bf6c0b50c443aae0f96976d5d8dcce365b6d563502ad77544701f3b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
583aff8919caeb1b02e3eac64dd885d0

SHA1
0a7ffb68b56f4b039f5468267f36f99af74ab0b4

SHA256
6b7f0ab587d2253c000c05288262042a4f2323d90ecfcd49c7a903aa941a9e56

SHA512
00729cea4806e8aa1e3fb0401dd565268f700c9b62b6ec305e34016be715a4f4a65aad3bbd23e13c952bc8669a916644e3d19a58e57ce1724a2fc27e7c3c7586

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c375df5313c6c9c18094943afa0c6da

SHA1
a0e1f86a83c1a0b4e81b060056365c408845e40c

SHA256
02c43eb80b978cd611619a0bee0eacab38f026b6b4c92af5c29eb11da7572f38

SHA512
6449e9266b902507928eb824fa4f08168f3af94eb531dfaca0145ca9bc6738fff56e0f1fd31dc06ef63f50c0417b2dca545c55ffc444c24c501817b1dfb12305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6531bb48615456390a28486e89a00fef

SHA1
5a4606a405de70ae9c136faa16809addc45dda4a

SHA256
b5a4ae9ebdd6d2995381aef8f067006868320948351f715dc5706dea8975edfb

SHA512
3eaeb6e3c375c226baff11401e3111db8064582351aa1b41b7468f3aded9876a2f58adbc22056cd4cea2dae57b73e9a35e9115d5c94c68bdf1f4216b78e660be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5833bd.TMP

Filesize
48B

MD5
dec930b529f44a1e54e833cd54f85175

SHA1
7999e3d19ebd77f74726a7674af5b1ff57a41b2c

SHA256
c6a96d90351223c0a1d40f537ab2db956cc9be566be015aee2f24c4511051211

SHA512
51d8da12172484adb65b76666bab7506ad6c97df2051bb22106b3327cc7339e8b9a0e7bbdf32335e3ce8e8367d40482b7490d84018a5e477912a45b21f2b554c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eafdae87fbadf72d83d1b5d676a03808

SHA1
3321a6075861b5b0b8444ecef4cb8a64926542de

SHA256
f997568aca8176bc50017b077cb3aac9b42db597c1682dbb5c34d261aabda3fe

SHA512
b41447f475eefb0b20eab4fcaf7e50a3f7b03136edc895ff1e30df2b243fbd9a3e50aca5d0cf10deeb38acf9a00b09e2ed9d7c7c9646e28c1bfd80927d8e5a64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580182.TMP

Filesize
706B

MD5
7db95cb1927d3cf209913b0c27ab2754

SHA1
ae5c909f28aa75efb420996e17ece89e3c710541

SHA256
530bd141868f47955889fb2b128b890673291534c404348bb8dbbd8a151abe0d

SHA512
72ee4f9b67c08a3f9bae94cad551f2311839460700a4653e76b493c9eb24aef2f0630a0844765e374e44c522db5c0e980a781465a2b56c190827888847af2c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
33207da3d80c5bd294c5cfe58553aaa1

SHA1
54ed68381ebbd06a31bf7403c21ed941b57f3e9d

SHA256
35de444bfc823a381ffedba4025e77740c9da5cd848cbe76a8c7671181661eeb

SHA512
a8b192d132fde23166e128899277137dc7ee7d7c3e7a6f9510c18753de51a42594a2f6b3122c1b616811f52dd756dc38d43664611e66003198c802eac61d55cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
83b0f3720db179a99118006881e00e3f

SHA1
b847ec87544cf805043a187949105370e88b25cf

SHA256
d8d6316b3e4ded9fb04cde598e1c556c6216f9acdae200d1eb5aed0fb796eb2f

SHA512
e7f664abcb535233c843cafbd81ee5a55f774ef105cb382b5f168ad015dd31918ad54515418468fa8091b733f4d65932baee1bbd4312d54ffe0ccbb6627958f2

Download Submit
memory/2584-453-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/2584-455-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/5272-441-0x00000000009E0000-0x0000000000A40000-memory.dmp

Filesize
384KB

Download
memory/5272-442-0x0000000005880000-0x0000000005E24000-memory.dmp

Filesize
5.6MB

Download