lumma | hxxps://roxplosx[.]ws/

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://roxplosx.ws/

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fastysticke.sbs/api

Extracted

Family

lumma

https://fastysticke.sbs/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5892	5688	WerFault.exe	118

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bootstrapper.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4632	msedge.exe
4632	msedge.exe
2028	msedge.exe
2028	msedge.exe
3936	identity_helper.exe
3936	identity_helper.exe
2752	msedge.exe
2752	msedge.exe
2452	msedge.exe
2452	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5440	taskmgr.exe
Token: SeSystemProfilePrivilege	5440	taskmgr.exe
Token: SeCreateGlobalPrivilege	5440	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
5556	NOTEPAD.EXE
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
2028	msedge.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe
5440	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 4904	2028	msedge.exe	82
PID 2028 wrote to memory of 4904	2028	msedge.exe	82
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 464	2028	msedge.exe	83
PID 2028 wrote to memory of 4632	2028	msedge.exe	84
PID 2028 wrote to memory of 4632	2028	msedge.exe	84
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85
PID 2028 wrote to memory of 556	2028	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://roxplosx.ws/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf92b46f8,0x7ffcf92b4708,0x7ffcf92b4718
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5916 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,9360564260499080396,5849511944191062571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3116 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Bootstrapper-X64 (1)\README.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:5556

C:\Users\Admin\Downloads\Bootstrapper-X64 (1)\Bootstrapper\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper-X64 (1)\Bootstrapper\Bootstrapper.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5688 -s 1292
  2⤵
  - Program crash
  PID:5892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5688 -ip 5688
1⤵
PID:5848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
b29661224cb4851ea51e61e55b222e55

SHA1
1af25e58c5156531e7b32994aea358acac1e8d4f

SHA256
6e64ca19710b2abcdb8ac9c3380ce90053f8cc9ead7329f6a2f3e28686743d4d

SHA512
686054a6b4a6c16bc8a99c12bca3af694c4abed42af8f1fc43ee7f7227a6b4d43fb07580ca46b6f4019e8f5f81c483ee35e35e151902f15fbb28830f34315c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e351a12c93c7945131c5f89e5f67ea12

SHA1
63c9cb0d3db0b11626a58cfa820e3c57a98878e3

SHA256
64ad8acc42b2ef145600a9f5c45a8960f179bd692f783f2a043cd69237cd7703

SHA512
e071dd622660a0b7f386c312b33fd09055821c01213afcd568fe595561ec2fc7f0e3d2546f439f7449911bc70199f9cedbc230f1a94af3be2e2d44461236df3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b3928c5f1b7c01f87f70e0638750e417

SHA1
2f84584d65d81c409a08100e78088de14eb9183a

SHA256
038345ae3aabbed387d67451f1ea9c560c03a4f7606931534191497750d483c0

SHA512
25a397d4e73f58bcff7391fad2316832d387f535beb21f36204317056c3d356df6f6a1bc8ab9267789f2ee97a5e201c472a4df7a44f5a04b882aa4f54bd27585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
71e2ca87a046dc9814ce3d18898ee4d0

SHA1
a8a06745f3efbd187418b45a9b0c4d38258ea970

SHA256
00e49506a90c1b3483c786e76ccc0309b61f5090e6f693f35c29ca992f466d9e

SHA512
d31aaf7202f111ab67cc9f138ed7265a36338a79d2aeb373722d4a93692eef75bb6536b2d876febc552630f88d5ada899a6c10883da6c1469b739f4d6014453c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
21b90085daf65a7e3529615f24c42170

SHA1
0f8111f1a782108f2285be9fb4aa9e773a37e1fc

SHA256
663766b9506ba43b086042aa7c019e59da1052c6aa817b4df8b0b021515f33dd

SHA512
4687296bba511781f271e8375a333784ef15632ef136313565bcb905cb188eabe2528ffa5014710bfb6ef8c9d84a7e1ebdb3a4727dba7ea9c121d26bff3df790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e9cb68c70e6b7995bfdc4decddfb694

SHA1
afcf6b0ada03c19c5e1ae2c1e1d89badd736cd1c

SHA256
978b8eb9081bd6fdaa4bb3198bc61fd5b28eccb784344a9f04d479558903cf1e

SHA512
dcd548d6324901da07cb230794747464d9694afa2110aab85e809027fc91a040857ec2ba6716f1b6457f07603beb73470a19f9751f1b5a6ca848872f6f4fd0e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
190edf532d442e87614ea2204a8431ba

SHA1
c4226a13d6383ce6335baf0d95387f58e3d57afa

SHA256
e3c2bc75e1ef774678b64e836aa64b8229e7f31f6c360bf031d611b3ed558698

SHA512
e2a4ab327451c2d7e6f87062910bc023dae8562b3294cc8a8c5f3460cafbd078a944e9e61b1601c5852a141a4d2c7c2408e17069c07bb5fb5860611b5f77369b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2e96640972297f1f44fae20588aa495a

SHA1
193b21a1b45834c797014409380d4fbf58bb6d01

SHA256
f1df71446452db65718014cd6eb64f8855b6a137ba30cf379e7ac228284c0331

SHA512
54d71e9d6a997d7e921ce3c17079df1818fe8d7218de1d9fffeeb484090a15c96fa7dc6ae8a3d84a1451d859ba05f0a7c27e53025b64130d37672d6bad19b45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0c16ab62ad1eec09814b905a14594d3e

SHA1
2341436c4e55c17df5ecf6a8d8b10641b5929ea4

SHA256
8a1e10ddc3bbd682e7b7a7c38456d9f7f37937b2f8e5e7103fbae089d1840439

SHA512
2d75e221fcf0ca7fd04c9f795a5f38ecc2ec768828986b278e9518892b2931e56175518207926ef2255d024ec37c5eded664ef188aea7d1762fb6ec9d7e173ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f21d1950570d01a7641ad65dc3001ce4

SHA1
8094a8e0a99a107bc58d40bb8aebebe7fe73bfb8

SHA256
8d8d60d22af38771d0f62800680458c5debb2dcbb79a94e70c396904d94db3f9

SHA512
0277105f7fd8c985e9b8ee2d6d487722aab18834b3930d86e7a1e5a13edc5e9bea699399278aa2eadb9e0269bdad5fe655474bb11f757f8dc6c19b91de539ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
11e529a9feedc120cf6ffd51029b5d52

SHA1
7e1d04a31649a5b6a7ef86ed974e04b8dcc3d4e5

SHA256
a7026c791b83d2bcf1c79078f370d2219ae265fceeed80884a2a6bb35f96bcbd

SHA512
b87195650b0c0ab8e23b8b7bb80db83c9a87669c4344a501e8143fd0607929e28342184c168dee3b9df93135841ca2c8d34e0f71a146d7c3263fc9f7c7bb7f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
69b0e8b046652c08106ffeb4ad231e52

SHA1
08b18b25ddd79fc4eb136c5bafba28fe9470be3a

SHA256
861b0f7a0f171c2bf45f3582dae2e89e7d82fe99c17029e8ccbed0feb93289a6

SHA512
35081f6a312fe6caac777889b2a930902004d88b88308f91a9edb576655b6afdb45da11461615329195a81651869be7d9cecdab99fb84ea29f7a12beea6286ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3eafa1a91c626ab51e382c343f84db9c

SHA1
22f2942f8a9a763021d869a8d6f7aa17f7e0241a

SHA256
1ed850f1dd3b60bd93768f382f0101047bffce6ce5e02bdf099888e78d49c93e

SHA512
f768f515654a01f34ec56dec421cf5f5051bbb8b13d25f6f4a9970c6689689e26d4e5179c703927cdd573e8820e0833e610d433ea41e1f89aab7be00e7b77583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58003a.TMP

Filesize
1KB

MD5
bfd33e61b62c585a4601eb1bab323695

SHA1
f7a14d9f0b34432f8dd64b88de5ff9f9906d49c1

SHA256
c6ad4417161741f8198a143b0db00d1c25801e3ca9ebac4b8416676359ac6d51

SHA512
b4cd0a2bccdfb0cb2f7b249b954c7f53622c2fba9bfdaa377b7852d372b7acd7d5777aee6a803b933681abeef6bfaba8d989b194b81e5691cf866b50c61fcfc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d165aec6-5ec1-4a0c-8e38-e159d5b217fc.tmp

Filesize
2KB

MD5
953b9d5dc9e3c22f7a8f5c8db057859f

SHA1
0f4f862352f1b3e845af650072bf72ba5a759b98

SHA256
0b0bbcf0374a6d7aa78fd99644a24f461238fdf7d5f60541dbc99073c913fc96

SHA512
171a14a75e6a782827cb48532a8033c34fd7905fe673b9497965b1d462a7e0914333c666f9e7a193d28f3fa22f81846cb2f97efec207adfc9cc8d747aa780e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
230dab0004b7621ed258f0b879e68be7

SHA1
b41f57060ba4b4172c247c6efa737c746a0d01aa

SHA256
8f2055ab26b8a54e9535598a8e4b3f89e13ce23de0d1a7fe7390f236018080c8

SHA512
8b8c26a121d5135f35844e89faba13e62e42c96a415c0925b4cffd16d31ce59744a45c850b3a72358d3fdaa1ebb971ac2ec69c91648fa0443a0d94693c1072be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f6cbfa05f08a630f3ede39b0b4d35b27

SHA1
3a2c5c59c40bf81b9c6364171dd1307ad16ec749

SHA256
57f5b8f03f6c86f043e52a1afeedcff3402c59a90e565dd050cd70bb537c2fe2

SHA512
5bc30986808c93035ca1c34a4f7ca6db41df40d2b64d663bfaa8085af3b9c4f96a3f83692b24605babf041ae2b32d779b7a070f3092ef61bb54cc6b68ba7e08b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
82d57955cd2e5d42a72ae131e335a294

SHA1
597b20a4c584b0ebf96bf8cd07968e43c1ed2b3f

SHA256
7ef6a72ace46ca97d111a78ac3096873a2e2d375f0ea1ee62842f113bdd41c6b

SHA512
12cb8d3d2e8135883bddeed297aadda0eded1ba2971374f1f1169d4e76b720b64047c7550968d27bd361b684c1a96b74d4f4155b68d46a7854d861f7bda699cc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 775553.crdownload

Filesize
19.7MB

MD5
8482834389adc1a2a7a2b96659a5f415

SHA1
ea34aaf99b73570c13a1a0a022d6093227590d8a

SHA256
42c61a5848929966015eade9bb6f45d9cca3eb778e170000f5ec2436fca03840

SHA512
669af65e33d1355c7586cc817f40761f89ae861d1fbfacf156608214cc80ee1fa103379651f7d6a6dfc9ab9673ea89c271479bc022d2e3ceecbc29b832a76d4b

Download Submit
memory/5440-598-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-597-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-596-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-595-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-594-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-593-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-592-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-588-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-587-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5440-586-0x000002D7C04A0000-0x000002D7C04A1000-memory.dmp

Filesize
4KB

Download
memory/5688-251-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download