lumma | hxxps://sites[.]google[.]com/view/exlauncher69/download

Analysis

max time kernel
116s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/01/2025, 15:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://sites.google.com/view/exlauncher69/download

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://inflameopooi.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
3332	vs-game-force-sof.exe
3240	vs-game-force-sof.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	sites.google.com
8	sites.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs-game-force-sof.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vs-game-force-sof.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4236	msedge.exe
4236	msedge.exe
3012	msedge.exe
3012	msedge.exe
2288	identity_helper.exe
2288	identity_helper.exe
5388	msedge.exe
5388	msedge.exe
5724	msedge.exe
5724	msedge.exe
5988	msedge.exe
5988	msedge.exe
5172	msedge.exe
5172	msedge.exe
3332	vs-game-force-sof.exe
3332	vs-game-force-sof.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	4072	7zG.exe
Token: 35	4072	7zG.exe
Token: SeSecurityPrivilege	4072	7zG.exe
Token: SeRestorePrivilege	5920	7zG.exe
Token: 35	5920	7zG.exe
Token: SeSecurityPrivilege	5920	7zG.exe
Token: SeSecurityPrivilege	5920	7zG.exe

Suspicious use of FindShellTrayWindow 61 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
4072	7zG.exe
3012	msedge.exe
5920	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe
3012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 216	3012	msedge.exe	83
PID 3012 wrote to memory of 216	3012	msedge.exe	83
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4976	3012	msedge.exe	84
PID 3012 wrote to memory of 4236	3012	msedge.exe	85
PID 3012 wrote to memory of 4236	3012	msedge.exe	85
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86
PID 3012 wrote to memory of 472	3012	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://sites.google.com/view/exlauncher69/download
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x9c,0x108,0x7fff553246f8,0x7fff55324708,0x7fff55324718
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,10077307614053610754,7896727437037173329,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:5404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2668

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:456

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\vs-game-force-sof\vs-game-force-sof\" -ad -an -ai#7zMap2876:132:7zEvent13800
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\vs-game-force-sof\" -an -ai#7zMap17346:132:7zEvent26109
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5920

C:\Users\Admin\Downloads\vs-game-force-sof\vs-game-force-sof.exe
"C:\Users\Admin\Downloads\vs-game-force-sof\vs-game-force-sof.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3332

C:\Users\Admin\Downloads\vs-game-force-sof\vs-game-force-sof.exe
"C:\Users\Admin\Downloads\vs-game-force-sof\vs-game-force-sof.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
20KB

MD5
760732f59eb4b6667ea7abb23565cd9f

SHA1
1091bb22993c329339b95a007b890fb68ad2aa1f

SHA256
09353aeed9bbcb92f5c59024b36912866cafbfd5fba5ba7f248a51817257396e

SHA512
0d3686556737c58ef71113a89e6a9cbdb698754a5c38d4399e213d97061d0c9a677e70131f4b3e4e6aa5a290be21408597206d7678ec626128694676d2158096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
20KB

MD5
bf19963f072b61208a423c95d2b0dbb2

SHA1
7b39999fbfdfc5f646c47e07eddff767a8f77057

SHA256
cc731c3775c0ab17bb6d658c01591c6aa240fc0fd4ef4872792389020f1ddc8c

SHA512
49ad4dd456ee69f86de1ef6dc6b8c48bf9e6652e0df7e3370ddf944867c7b416d3e7e3703f01831cafa845270f0af6a1b088b897afc6a48c67477c424fa6cbee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002c

Filesize
35KB

MD5
7c702451150c376ff54a34249bceb819

SHA1
3ab4dc2f57c0fd141456c1cbe24f112adf3710e2

SHA256
77d21084014dcb10980c296e583371786b3886f5814d8357127f36f8c6045583

SHA512
9f1a79e93775dc5bd4aa9749387d5fa8ef55037ccda425039fe68a5634bb682656a9ed4b6940e15226f370e0111878ecd6ec357d55c4720f97a97e58ece78d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
20KB

MD5
6408c37d09ecb7370b4d61ea51a15ad0

SHA1
8fa447851c7db6c2a4e20a13d769ed926daee5d5

SHA256
38c4bb35d2dc312b0e82bf8c5098495fd12d73029dedb6014c8f3ead635e641e

SHA512
5436d6204625fcc424989776d5ceb7fbbe286bd37bf077967289ce336ecea0e1db85f064d51d4a18877cd96be0d20557c682bbf2ccc6e34d6e096557aa357311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
1KB

MD5
163f2c023b94e0a5cf5761b6daf3dc0a

SHA1
6718939b57301f98b0972ee87c09fe417ce766fb

SHA256
48418e21a9f1101de34589396de8fbf6080e1d0d973ec23b1d1a41e42d1be2a9

SHA512
4edc881400b0a14077d92c054d3e317f3cffde9034f26ec6c341da6593c2803b0ac79ab74c0e7d734e4cec7724eb2431e0482e62e75f07571a685ddd678098f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
73cb6036337ebcc15685df82317550a4

SHA1
641678e20defd8315acef87c35b026ac10d5ee1a

SHA256
ff502158d6756c1a68d6704e72b60dfbf3af0ab733c9ab7f51586c7ed45590c7

SHA512
7e36fa011fa7dd052df7cdb53202346f0524362360d1805510d4faecaeb306f21343258880f39ad993349b1a30c96c16376f3d945f847f2ffd1b4f15b419e2db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
c6d4d224e74546ba1faa704edfc953b6

SHA1
5daa90cf850d8db452200529ee9dc7c24c93b8bf

SHA256
65cf5d2417e4db11781256c19e5f548304100b48f0dfb17497a6f64d7e96ba42

SHA512
d377050d5cb2a380a9384c72af131b6e54f0b4c79eca86524fa2e21118aaab0c2087a636d1b3595b58774597b5df85990db3351f985e5d6ba911894cfbe9aeec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
41eee19a8d08d3dd631dfe0730cbfbdb

SHA1
29e9beaaa0c4d3887bffbfd3ced153657146725e

SHA256
3d14d67e9354a49ae501af6f9525b2940e291dc329b1887b63df4d9deb3284ae

SHA512
604d2dd0126ebd5ac6be719354ee6f082c7873ab6034d11299deff9593c8e2d20588c87dfa3aae23407d847a37fa95095a5c946bbbd39325d873ec6fdf8b59d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d3a3e4152ffd214c988ab1a9d5b3b43b

SHA1
43c19277c1c066ea68cf4bbd0c223a280a492a08

SHA256
31e6012b739d100566c4155054dc55157a0e7f7b997adb44d68014fef7611305

SHA512
59882ee97f4fecc7dc037bbc618c13a396f2df65e53ac8b1ddb230e435563b3f8c3479f2bdcd72aef6379b67cd5d8563adcd619a510829e82d8c92f77740015b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1c7dd26c01b587d1c70dfa0d66dcb79

SHA1
88f3dadb64e2b0526f5f712a5245b9cc2aa9f8e9

SHA256
1cf1708f63730573496c391a3e1e7c487fcb3d46525713836c4089235a562f27

SHA512
2d68cc534f35d2343239b692efc968981f9ad25266b80e5ef9d7ede3590143f6e5a8869c05cfa65e8daacf069fd0c963ad34140c0c136598d72080f2e07f4373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
561d15241be2199892b2b840b21684f2

SHA1
fa9c79eac7497b91d20e4bc949878590f9b4079c

SHA256
ef8868426f208d7a799be977215cc03e2fe107085e8c40241fa7780cdebf8914

SHA512
30c747aa9ac241db6134cdfdf55375f392ca249315c498c95ff0a2b25b2a943d5de83044608ab63086d75ed2f061237aecafc7d84ecfb2712b9f1f092f564621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4377c230a7b9896e71d5f7211c52827c

SHA1
8e26f401abd24df9853b84a9d295e7e1791b359e

SHA256
ede9e8bb04dadc24ea1a454b14966408b0af9ce7fd03345d18f18f7e2cd443f5

SHA512
26112719346978e03feaa18139807129274cb91ad4419b749f4ac12373b04c0cf2c00455b95ff62b4b6124d6e65bd817197ab14f45b3dc32594d1aa932872bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b296c963b2ad99ffe371fbbadae8eb9d

SHA1
5203cf2909ac25ab16d6bff565b696df262f4f5e

SHA256
63d0e14824fa8c8111616e8f5b931c19621b9b1a8f8cecb50a0634daf600cc23

SHA512
e4b8cb9b90c464240e09f7e426cf71f7c9aa3e663c5db2dc9ba1d841c290ea5937b70754629cab084557b7b92af82dee01ab36fee76daa55226129389122110f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
50a3c461d834a82125794b74ba66a23b

SHA1
1498291b3cdaeda2bc3cf0583c3d5a2e1b17938d

SHA256
472270964bdb66188b26cdde61b868d27798be30cce644a568554d95b7b54499

SHA512
7a8899086d3f755e1d94522c2f15f576b5facbbc99d2ce28843022d6b6e4c1e07cc6c33393ac9c62a3652b21877b1722de86b2a31de5c75ff34e955ef56b2fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e201708c1999e57b97763f561600ce71

SHA1
0515a510db4254d814ac6f4d2105ee01538bd044

SHA256
da2bc14c4ed0cb4155b97d09db3907aa056f098f64bc915358d68936874d6dcf

SHA512
db9bbf7ab613ed0daf4c67fdc2dd428da789f5d8a0b2656141a2c08f6e5c9256929525f1b192779afe911e5352e3431560764953d20c54ac1598f3314070f970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8b86e71c852d7556fb22994da8551776

SHA1
54c5e78107e51b0cc66dc2c022a7c6354b3a9d89

SHA256
8049202f7e8bb065bdbeefddc41b1e3ec01469ddc5dc91f46b6e92c9dd2d462b

SHA512
c50791c1f292295f8c56d7ebede13b7f8d6026d8c30353b901fb580507765cd731f994c539e2c3068a51880198ba6c9430abf7bf269719fc41af370e8b56b0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8f76484deb7732f50368d6107a58f912

SHA1
39998a57deec77dcf3230665c69a2501d0a92681

SHA256
e48d0b880678842d955975eb4f85235379efcf5d18ee38030ce9c229e32bed12

SHA512
128d1f2baf3c21bb74b6e12ad5251e2c43b97524aae81fdd4465806884f5565418d1035b1f50fa46ac307fe9d6566eb6cb781301bb3944ab0208c4325877d554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e5bc.TMP

Filesize
1KB

MD5
9b6bc9d477e2d6aef2b6dada8616846d

SHA1
e233ce3625655ce955b956b0be6f2bbd66a5490c

SHA256
007988d369b62694bf87e2ca6864e06358143a5ecc809655499e6f48cc5752c1

SHA512
6bbc0340f47005cc5cc940f020f238d3e87c797c22b4f56c816d1956e8a7f26ee9f2ce2e01534b4507948e2cc2c7d87e117a97d484c85fb29e4cc6d26e6b76e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4d2ab42f95cd17491f8036fa4b942381

SHA1
b8ad8dcc8378cf59cc531041773d84d17fa2d9d5

SHA256
98ccb4c21aae8d0bc48bf21b76a6eb4e5ffbe5e38e9fad40e327f1e18aa20a51

SHA512
24db284c023e73e61537ad67e03b8db6dd19901aba17b9f4e588252f99c6cfdb08c9b00d210605d29438254a10eae80d810e08e9bc45267935367051e691ec43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2018c6269bbe3f38532e7918abdeca13

SHA1
e6359fe7bab5ec961d51004c3b3d6a6dc0b77a93

SHA256
42965c060777d74509941dd74afcb66562d2b078a624e98654f4db0b9c92cd0b

SHA512
5f522751edfc0f58fa581abca958f2fb8dac3c9712dcc4f52ecfb406d0424e0883fa530dca63a27939969ee4ac7604a1fa1cc7b99bb3f52bc30dfa9637422934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fc98d1c4-0ec2-482a-84ef-ecebc6a6c5e1.tmp

Filesize
10KB

MD5
a28a1147d357ca5a144590b3c67edd31

SHA1
2ee7c5d4e897f507a1a7af16dec82f7aa6e6613d

SHA256
084a5176ea21ad08af3d46f8d28c9216c8c95192d5724e767a32040efcbd13a4

SHA512
9f0476343e806502b37e6ae9c910acc5871bc8af3e8d386d96838d519c701a162576faa950ef4e6f89ca3efad6fb430354e7a7af864f7afa773a08c92a4ef8a3

Download Submit
C:\Users\Admin\Downloads\236b6c66-8558-430a-ab6c-87b5ab27dc91.tmp

Filesize
8.4MB

MD5
6fe73c8cc8c7b5d5817022c53779d547

SHA1
16a8c5c1bca86b64a7e90823f19af40bfcf1590d

SHA256
dfaca0b7dffb83c75470cd4e018fdfce420f6c2880c84c652ef56b8d9fcf249b

SHA512
32828ab2fd1f60e6cf1825c5bc710bb3962b684f69d2d47915ff40356a9ee595620ac96a175e9002eb70d153efb019c4d213fbb6a23cdb39d53c2071d22faa18

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 769553.crdownload

Filesize
397B

MD5
eee81886e76dfaea3e6d351cffe50095

SHA1
1c714fa01fbf556b853014ee59fca4b0adb0c85d

SHA256
db6e0d4e2a9757f05c03d658a07882da2fa95774d0b490c8f65c3c795528bf1f

SHA512
2f0d13edd0d9fc2284ab5d4baa7a522f8c75124af03c5672f00e96d177c249ded4e7a41fb48ed6313f72b9679da40d57306c2a2fe51a56d66f4bf28216b5dc11

Download Submit
memory/3332-749-0x0000000000400000-0x00000000007AA000-memory.dmp

Filesize
3.7MB

Download
memory/3332-750-0x0000000002670000-0x00000000026C0000-memory.dmp

Filesize
320KB

Download