lumma | hxxps://cvasdf[.]click/?startcrack=%3C?php%20echo%20substr(md5(microtime()),0,rand(10,30));?%3E&x=4&kristo=%3C?php%20echo%20substr(md5(microtime()),0,rand(7,27));?%3E&p=%3C?php%20echo%20the_title();?%3E

Analysis

max time kernel
275s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cvasdf.click/?startcrack=%3C?php%20echo%20substr(md5(microtime()),0,rand(10,30));?%3E&x=4&kristo=%3C?php%20echo%20substr(md5(microtime()),0,rand(7,27));?%3E&p=%3C?php%20echo%20the_title();?%3E

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://robinsharez.shop/api

https://handscreamny.shop/api

https://chipdonkeruz.shop/api

https://versersleep.shop/api

https://crowdwarek.shop/api

https://apporholis.shop/api

https://femalsabler.shop/api

https://soundtappysk.shop/api

https://induceboori.cyou/api

Extracted

Family

lumma

https://induceboori.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 3 IoCs

pid	Process
1108	Set-up.exe
3904	Set-up.exe
840	Set-up.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
552	msedge.exe
552	msedge.exe
4776	msedge.exe
4776	msedge.exe
1404	identity_helper.exe
1404	identity_helper.exe
3616	msedge.exe
3616	msedge.exe
1108	Set-up.exe
1108	Set-up.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
3904	Set-up.exe
3904	Set-up.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4956	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeRestorePrivilege	5020	7zG.exe
Token: 35	5020	7zG.exe
Token: SeSecurityPrivilege	5020	7zG.exe
Token: SeSecurityPrivilege	5020	7zG.exe
Token: SeRestorePrivilege	3616	7zG.exe
Token: 35	3616	7zG.exe
Token: SeSecurityPrivilege	3616	7zG.exe
Token: SeSecurityPrivilege	3616	7zG.exe
Token: SeDebugPrivilege	4956	taskmgr.exe
Token: SeSystemProfilePrivilege	4956	taskmgr.exe
Token: SeCreateGlobalPrivilege	4956	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
5020	7zG.exe
3616	7zG.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4776	msedge.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4076	4776	msedge.exe	83
PID 4776 wrote to memory of 4076	4776	msedge.exe	83
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 4268	4776	msedge.exe	84
PID 4776 wrote to memory of 552	4776	msedge.exe	85
PID 4776 wrote to memory of 552	4776	msedge.exe	85
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86
PID 4776 wrote to memory of 2088	4776	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cvasdf.click/?startcrack=%3C?php%20echo%20substr(md5(microtime()),0,rand(10,30));?%3E&x=4&kristo=%3C?php%20echo%20substr(md5(microtime()),0,rand(7,27));?%3E&p=%3C?php%20echo%20the_title();?%3E
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff997246f8,0x7fff99724708,0x7fff99724718
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4652 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3784 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6536 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,3979341444062831674,14118364968480238457,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4816

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2775:122:7zEvent8279
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5020

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap28633:120:7zEvent3667
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3616

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1108

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4956

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Users\Admin\Downloads\Set-up.exe
"C:\Users\Admin\Downloads\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
68a69de1318afa20149a0fbaee017c03

SHA1
3ade7f486366d573790a7f28fd97c74f57acdb69

SHA256
0da107a44e5ec599a7c2a7eae56925e89a6078693ed8f8a9f8eaa3994cae7314

SHA512
5e6c6420c31cf299f1d77334bd9c3c8e43acc3fdfd7d137845ff5cd41e62f5b55cb79feb24428081c4c1f7c5c8c89323db2b558d502a9be5358442404fd69ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
3917e75115ae2dbe4ebe28b62931dfd0

SHA1
5047894ca1bc7c1af9736c103ded361bcfe99da2

SHA256
fd4fc3896924a56cbbe0b4366db04789dd18a73b854443109c78501c9c542b59

SHA512
6e965a2901ec110afc0b1d099c17c5533cb37ab8b081bf39b590c9ab000b4a2b5c4df2a2fa36192e5041b0026b7086c751b30947f9268f7703135a95ec97ba5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0c238bc578d925193e8ee5c42ad53cca

SHA1
683e4370be2ff30f2ba2fd7e14b0cb3b2f37a396

SHA256
8529c0d8d0e667e3dfd2da4c79918fb1ef7e573c5878c630ef3185924f46ee7a

SHA512
6803cd7d2987922ef94c6a8942ba3c980b13ded37e1a86a030fb803cbaad5ca24dec9cc6031af10ac2dd021751f90e15feae983e3b19cd16611af83bb0c080ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34d54c6c0b770c9b2eb7c8938dc5d0c5

SHA1
f86252ecaa9fcaba42e3e97a4dabc63950f70cab

SHA256
bdd1a46dad57c6852c057c92f0320ea4bd64bd15c2c3e0e2872d021f3df8beb2

SHA512
c074b0bf189facdca9aac7261191b1d7a048a92c15a4f8aca7a7b83aab8d45b2fdbef51d916a972d55df184e564dd84229eb5aaf5124bd809585e2fbf9c4180e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0b1d6ea9b973721f76a79f1484cf8976

SHA1
c537d72b5730c0b40353d8e72781796e461dd886

SHA256
254e8adfa7a189b246293ff0990513e278fdd4f74755d74d6a754d3fa7e31f3b

SHA512
2ee2dcc2c6ee2bfe8f59afe8620fb29ab60e56b0da2c9782ed339da196b533c17eba56e1a4f5d77af510cebfa3fd2928da5c5a63e3a96a48da1b41ad63e9b531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
40778f27d3f2191d290c25fb5a520595

SHA1
de199d5900cc3c1d01d8c05aafbb9d0550e1bc32

SHA256
1847da348f408e0915acb04fb3e64ecf420c8f8dac78507e1a1ff6f00415b10a

SHA512
386389f3ac38c8e60895c741035169cb6e7a50bf958da689b8db830cf5c77b0e50220c64ed1d9b3e764efba3a4fbb05ae25880cef491ff7df6458e31da0ec2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
18be8f71bab12e3eb7958b8bb38d01ec

SHA1
d0adbfec579eccb149a28b81d046d0f79340204f

SHA256
a7f36af54cb06db41efe788c720939361987808b30fbb47b865247cc82d6a80b

SHA512
064329b3e6c32fcbd9e2a878a4314744451cb042332174b96aee385e319e000e8675a708103f5c771be88110e485032fa281515078351ee7b9247b73ab2e0109

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583553.TMP

Filesize
204B

MD5
a7c1341191ad483cc0d1c04e54bed087

SHA1
3f30ada8def90be35972b261db96c85de7ccaa47

SHA256
c75d73b30b510c9c0cbdc3bd90fdf7adea5f1f83dcf4646448b7131def25a6ed

SHA512
40e10d684037ee877755146222bdb15691f8607e001ecd9ffc5d97516e2755dafd0d08000b7e8dc9298a4cba0d80b8c693691a8b109ff7aab72504e69a2da7f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ed65d3a0503363b2e6a878af8c13d96a

SHA1
75edcbc6a2c52cec88ced61b820aab18d345e3b7

SHA256
3c9881c439ec0c579ab6ffa63757693d9fcef1f8080b102236ef0b13e0f6ca3c

SHA512
386e987105622f85a41071c0d2eb991d4cc78430b48dbb8c0efd556ba7ffb63175595885bfcaeec657bdfb7d334499924587f41c73916e51fac05b4dc60bdee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
153f5826767d14c276d41e62ecd6d80c

SHA1
5b109a56748fd057e9c8e11eeb2c3181dc061ad0

SHA256
8682527499d6a445dcaaee96585ea789e6959eba3137f56532dad83533920691

SHA512
21d2e8b17966ec425f0a61726dfabc2dfd16c96961b1e815adf6a7428a1e05e76308d66e492a7c55887b3b67bb5502829291b62e29e3c54bf2913ec1c8269d72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#$.7z

Filesize
14.3MB

MD5
a04e8de4bdf723564b661497113d25b4

SHA1
1478dbf5aef672c379c2d367df86fc6b7ee82eea

SHA256
01e6606f2c375f61d85503445764629c1df5aa8da294a7d66c869361e9d0c80d

SHA512
027c7c22303a31854fda7224e3e63dbe15748c330cc795298616cb031a80a5f72522feb4ded8aefe4f9f5e27d46ac813192edbc3ef4955038d120948b8c7bb01

Download Submit
C:\Users\Admin\Downloads\#Pa$$w0rD__5567--0peɴ_Set-Up#$.zip

Filesize
14.3MB

MD5
df4de2875a50eb46421896de0fef7344

SHA1
148613728a20dc267c92cd45bad0fec45e449270

SHA256
162f1594ba9d3cf7831b5ff7d957db07a9ec346cef0f7777167f0a91b1c7fada

SHA512
0066347cbb27e73b1ec7e84877241b0e678edd9da336fcd70a7717e008821bb44b9ba05b13c02395e5306d790ff18da6c63b3825f81087a9a22aa368252b6a39

Download Submit
memory/840-475-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/1108-444-0x00000000023C0000-0x0000000002414000-memory.dmp

Filesize
336KB

Download
memory/1108-446-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/3904-468-0x0000000000400000-0x000000000054F000-memory.dmp

Filesize
1.3MB

Download
memory/4956-452-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-451-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-450-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-462-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-461-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-460-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-459-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-458-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-457-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download
memory/4956-456-0x000001D2FC3D0000-0x000001D2FC3D1000-memory.dmp

Filesize
4KB

Download