lumma | hxxps://github[.]com/Ruq20/counter-str1ke-2-h4ck/raw/refs/heads/branch/Loader[.]zip

Analysis

max time kernel
117s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 08:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Ruq20/counter-str1ke-2-h4ck/raw/refs/heads/branch/Loader.zip

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://hummskitnj.buzz/api

https://cashfuzysao.buzz/api

https://appliacnesot.buzz/api

https://screwamusresz.buzz/api

https://inherineau.buzz/api

https://scentniej.buzz/api

https://rebuildeso.buzz/api

https://prisonyfork.buzz/api

https://ingreem-eilish.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Loads dropped DLL 3 IoCs

pid	Process
1112	Loader.exe
4868	Loader.exe
1840	Loader.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
25	raw.githubusercontent.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1112 set thread context of 2852	1112	Loader.exe	128
PID 4868 set thread context of 4668	4868	Loader.exe	138
PID 1840 set thread context of 4024	1840	Loader.exe	142

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regiis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4084	msedge.exe
4084	msedge.exe
3448	msedge.exe
3448	msedge.exe
4456	identity_helper.exe
4456	identity_helper.exe
5096	msedge.exe
5096	msedge.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5112	taskmgr.exe
Token: SeSystemProfilePrivilege	5112	taskmgr.exe
Token: SeCreateGlobalPrivilege	5112	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe
5112	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 1780	3448	msedge.exe	84
PID 3448 wrote to memory of 1780	3448	msedge.exe	84
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4900	3448	msedge.exe	85
PID 3448 wrote to memory of 4084	3448	msedge.exe	86
PID 3448 wrote to memory of 4084	3448	msedge.exe	86
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87
PID 3448 wrote to memory of 1180	3448	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Ruq20/counter-str1ke-2-h4ck/raw/refs/heads/branch/Loader.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff94ef946f8,0x7ff94ef94708,0x7ff94ef94718
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3332 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,4385940595242005977,9305876399923148951,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4160

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2852

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4668

C:\Users\Admin\Desktop\Loader\Loader.exe
"C:\Users\Admin\Desktop\Loader\Loader.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4024

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Loader.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
2557e3fcd309ac9a2003f4a144fdb03e

SHA1
d2790373d5995b5a4c0a18086d004f377cabb85e

SHA256
e9c449d23ac3afd51e6b27e4d39ef6627a0326440dac2f3443816151f16bdcba

SHA512
eb71f9d8a2b22063cdc2090c329c904f8a43556308d5bc021f5a35c5ae70ff619e86a7615a9483c14c595e1617a34f6cd22f6b3339858175737dca2d429899c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
120B

MD5
797dd38d1df00d50fc25e5582bb17ed3

SHA1
d5f6733baafb503946d2a1520d089f21a61182da

SHA256
c8343fc02a036def3a3f95e1fc65eb10f2cbb093c45ce99cbcb8a05d660e57a8

SHA512
56e0a5fed625cb55bd67c29ac0d12da869a229f144dc49cb641cb8fb2bead0cd926db031b0ea5fb95c47f35e92bd12c15c6b58497800e16e9535c8f2f590bcb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
402B

MD5
af46b410d406c01bf7c19059c9195819

SHA1
c07932eeefd93ee2f75f7cedc1881fd06888ab8d

SHA256
be977dc30b318adaf9e5ab478fa1916328df15190799f6dbdac1bffc7d35c6cf

SHA512
5ef882ad5e6546f942591ffa262b14ec1bd50505de53458ba62dc04d215a3488e3cf4e1b781cd583e36fb4ac898a34e75362d9e2e6b711b44b113cafb11eab05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
16e72ae35b6875243a27f1d902b22948

SHA1
b4a14acf505172789f9ee6d8b6c6d9ae1a0290f8

SHA256
610b872fe6e3853da4aeb9d3fabacd1567288581f55c0ee7dbb733b00032de33

SHA512
58be6ed0e43a7e0cb93be9f3596f4559082b58ea07f17470d400286973b0289d4e318879c688509a4b0068cf4cd4b055035b9ec593a2438e4f9138db30f35099

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fb1d7f2a7184ed26accc5c03dc07a753

SHA1
4acba59589e939e338e70ea7370cbb72141c7e11

SHA256
e1ce05a849335279f8c516063a18ad8fb1a1feb8466ffeff8f8108a8c19e58d0

SHA512
546069a01ab963d38fbba6e9a06c0eb14c8213d1a79ce2bf0d600f9df0136e3838317330b2960499472e3a2bd83143c7326941f14b4bd7f98ab53ef500a60d8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0feef99b6a1f5d652d22b4bf3454e97f

SHA1
78654a8b42bb7363f4e5ef014ec6e3384d50b394

SHA256
85cbdeee49e0291e44b4ed0ef9dbe831e360503f91f2d4282408e8ec54dc39b9

SHA512
7586b83e5d8eee792266c76539e7c8f6520d473196033bbc43e455dc7a0f096f1d6502bb8a3f2bfae0915fe0d748a0d1603535f3431f42ac3944a3a704b12d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9e3a57ab86bad5e162fc61a35d6943d7

SHA1
b9fbb43d67a163a66c50e5c9e7af0d2769f2d994

SHA256
f25784454b6212f1146756267dfbdba9e430b2ddd5abab7d9b7184a0338fa481

SHA512
30d253e748ee8823aa38e88f2c55af07fad3ef255572d61241e68f2c90b5be522c83a0a4daee74f4e0364ec0c0f482d007ae6dd46b49e4af9fbbc52f634b5b46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d13a7d796e2c9acaed2dc9301484af1f

SHA1
a19ef9c8db8c27128a2a2f81808a3f2cc180556a

SHA256
12083511866799978c0577590214e750af650ddb986ef8d4ce875c73d2a6ffa4

SHA512
5bab0cac3eabb2c22efaf92728889581dbc15cef6873c56e454de7217f2305ebac02d218472f5927a55063a07f6de829a8422e1b88c3c344db92eab56a4e134e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3c92e68e18f1e7ead9a003d05ee83bb7

SHA1
fa739854fad962657af02390c315ab3fcaf8ba0a

SHA256
7e4478d7d9bc25613dea3ea7bd56598a72d810f782edbdc83525cb19d590969c

SHA512
a3bef01fdce23a7358f3ad32f2c4273b534b4694ee1e8e817cec24065ba9b4726b37afb9415c458abfdaf695991f4ca1b374ce3093fd2823c3410806510e90f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e74511effce75bc96f78e1dae3c635e

SHA1
84ee0f174b8e18dbcb95e263482cee8c90a545c4

SHA256
8f93d5a6efd83c86b70641e806b827c6f921f54175bf9bd1f67cb5bde7a5d04b

SHA512
55cef0792b3993cbc3fcdd3432ed6d6142544555aafa30a33cc0000ffe4be7af4c9cfb89a1e2e38eda21db1759acf9b161814b2501ce544d55499e1ccd4e1291

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
7e1626e73ff40b7087fbaedef8915070

SHA1
7213e9852abe89d9f345c96e65f4bf70e1783f74

SHA256
030b518a8e4cd05b00138dcd35651b8fa5d050864f70820d307ec70a96e00a3e

SHA512
2a2070a2f9e7c90f6a801423232a3cd18e58e8eeaf833934f6069aaedd3d5891c07377518e294234f591f4f51e49354f0b5dd37f5224e101371f7290cffe820f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
138abc536ec6c033c585d1b9037b55e0

SHA1
20fb78a3f2186720d24d08499012740d08818f7b

SHA256
5f9ccef9810b38eb60c545b050b195ef549e40cac523b59f3a7f8febb8a6dcf3

SHA512
18396711dd22c4a3f84c3c3589d330c5e0269c7a9fde61636cb16e9804cb15627b5278e44c0a7085e17e57fce9d16255f413137496b0b52690577b25f94a2a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cc63.TMP

Filesize
371B

MD5
92cc616b7579413e493d1e77f028fc7c

SHA1
587ced4dc22fa5ce7883da5d2df0cc8b0023c659

SHA256
f46b28efc5243e8e5921e5fae81aababef15cc41f16f822b5e5578e4f94d3f5c

SHA512
2c95c677575b29ae3204893c65042c2de5135d20abccf3e9d9020c73e46243ee5cc8481da3f1d632a5b3f5be9581dcae22a41817280cdb1b37db63046e2b7b94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
508a2286e12f0cb9f156d15b596c633b

SHA1
270cc351117e2cdcdc0132bca0f9cab38f70ae91

SHA256
ee20fc027afedc82837df9b6a3b7b67ebfd44a4b5ec59c476a59f4154a52dbe4

SHA512
cb33151dbea8a136acca422920f7847e245e6206e9ad7f72bd5dcdbc58525bdfe240ecc96eeae0d4f5213a07d474974a369aa043a95601632c10fb64e3f220c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f1c243213ef05e9be3d6084cee117cec

SHA1
e47815b3e07c590861c208b9f1d9747acdbd2a81

SHA256
42a4aea11da4500d1644cc88cc9878c5d544fd086ceafdfc69a49df2b3c57eff

SHA512
e65f04dd58e5253a452c8259e96ce164d0ed42a5df2a2cb1ba0ceb0c31f61180c55211017625089e0421d9dee2842fec0081fbc9a23f9e52e62dda5d29b726d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
019e2433a5628e829cf706ab65b9cb11

SHA1
7a28528ca8e7bd1311ce180590d221ee36df9a8e

SHA256
d6a3100ca153252f22c5821aef3e2d820bf0ac9625f1b250fbe72322138a39c0

SHA512
6cc5f59a238687b260e6cafe976a49c5286e0536a988fb9b2977551584e1f9890c9af0c0bcbb397cc75c3ba94f5ab436961064bb924d8a273070f4c957b2ba5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
834cadee0e1553ceb82d3a5ca9e35ed5

SHA1
2ccec5a8ac6f4c28cced8705dfce4db42104b607

SHA256
d7c7aef210f6857a1f88637be0157632018ad73c8bb7f9d47204c57c7e8d877e

SHA512
338a75434b45c6c0f47b860230fc1cabc35749959673bc9bb0d18639f3f25948f29da7d471a8a56dd19c227803574ff4596f5afffc2f003cad27550868606d84

Download Submit
C:\Users\Admin\AppData\Roaming\gdi32.dll

Filesize
635KB

MD5
037bf337c4de4bc965e3200beb1a5be8

SHA1
317dc2ffca68cf71652cffe75d9d2a341a09cda8

SHA256
29c961ee9f77637c881d9193c6499a84b1320372f3edc9b8337ab03fb8b8f589

SHA512
10767a9b988843d5ed27c6509ce8801a2a604c5298cd602b4d26e1ab0957e837e1531f60dc37b3ec1de7ee0a1378e2250d3d737e58926f4d4b0e7cd1fb8275d9

Download Submit
C:\Users\Admin\Desktop\Loader\Loader.exe

Filesize
646KB

MD5
2ec18b257662dd107ae84263ecd2e5c1

SHA1
ce2efa8394c35b8da16428b10ece4a856c53dd1f

SHA256
539f0617a85a7a0773cf9e36d803c1a8ddf5c69dc003c80c1f3afac147b47554

SHA512
6cf6f83dbaca7f218f6add89de942bc6a8d83fef9ccbbb3f3ef3c03bba4233a25b18f1bc392da27b37b88bb649fecc7c05ed28a9dcf849de957103f03fa63342

Download Submit
C:\Users\Admin\Desktop\Loader\dmxmlhelputils.dll

Filesize
259B

MD5
9abd95d760a752257bcb7f5ee3c14008

SHA1
29c4a0b474ef189b2f6a267d560b103ab5f4b323

SHA256
d9050e97477cfe7be44992a505c2cdad8f0f43a3c0bf0e1e1a3d1f175d92ac51

SHA512
f39a345e695d42d81a35b71923da8dd1907a0c48da24f580a102600fb72bcf259ee817414e736d67b0f1196dae0610a00926b1aa94640171e6f5cf09b6830da7

Download Submit
C:\Users\Admin\Desktop\Loader\mqutil.dll.mui

Filesize
1KB

MD5
cb3a5f54d475674a55d0a326a1cb1124

SHA1
7a7a817f76a27e1529c617bdb96fd06325d6c873

SHA256
5a23c3e2186af35842be09ed51b3e073685b0c812e2ce671f084b38f5e894751

SHA512
88f1c72aacd2e7c1d0086abb27116fb10acdf2052408589914794d88e0f738859df82c2a6f93222ebcf62e71dc390756b1ecf3362008a96ba3acf6c63ddde083

Download Submit
C:\Users\Admin\Desktop\Loader\samlib.dll

Filesize
9KB

MD5
f3078d7cbe7d330f06c51dc177f58e6f

SHA1
bb191e939d938b6fd9145473b4fb16cd48e33595

SHA256
83b293af5ae8fa2f226dc86c4b9aeb5f6af41880eb72c55c895c2ab445b0bbd9

SHA512
1749bbc37baa46aa95a883029ac52a366fbbe26963ac38e34dc5f6eca150a6a6158f8657543d4ecef59dae3570180bf472c981b1473c98be9c570b42aab0e897

Download Submit
C:\Users\Admin\Desktop\Loader\wdi.dll

Filesize
86KB

MD5
7d326b235ab064ff70376f1d015cc084

SHA1
3b394e93ef206d30fafbf3202a5a63a4b6667580

SHA256
404dda0bdf9a6c1c61653cf7e965f504b3a3a3b662f88c906aaa19a9c3df160c

SHA512
f33face04507edd462b40dfd0771da3f241374c99fc956def9678a05c15bf5f8c945579006ab250646120a7f983fe4a57b55c93bdf921142f6464bc74fee2347

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 790048.crdownload

Filesize
356KB

MD5
9cdb64fc1bf6d4703410b2acccc3850c

SHA1
398b3598206a36bb455535a8ef753f581d78f8a2

SHA256
54c847c93bcc25fbb25d341063a1e83d90382a709222915dd2b1b9b972f8919e

SHA512
213a2ee4e8d33076c2856df7d2fa976488c57c15d2b5975acd64baaa8a1cea57abd068dde44eec662162e4715aedcb5ac3c288b0864c9345792c763192ba43cc

Download Submit
memory/1112-115-0x0000000000D20000-0x0000000000DC8000-memory.dmp

Filesize
672KB

Download
memory/2852-127-0x00000000748F0000-0x000000007494F000-memory.dmp

Filesize
380KB

Download
memory/2852-123-0x00000000748F0000-0x000000007494F000-memory.dmp

Filesize
380KB

Download
memory/2852-122-0x00000000748F0000-0x000000007494F000-memory.dmp

Filesize
380KB

Download
memory/4024-377-0x00000000748B0000-0x000000007490F000-memory.dmp

Filesize
380KB

Download
memory/4024-374-0x00000000748B0000-0x000000007490F000-memory.dmp

Filesize
380KB

Download
memory/4668-363-0x0000000074990000-0x00000000749EF000-memory.dmp

Filesize
380KB

Download
memory/4668-366-0x0000000074990000-0x00000000749EF000-memory.dmp

Filesize
380KB

Download
memory/5112-379-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-378-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-380-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-390-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-389-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-388-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-387-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-386-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-385-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download
memory/5112-384-0x000001A153940000-0x000001A153941000-memory.dmp

Filesize
4KB

Download