lumma | hxxps://cdn-general[.]cyou/1-723628312/ng-32948238493-18-1-25[.]zip

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn-general.cyou/1-723628312/ng-32948238493-18-1-25.zip

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://aggresiwevommen.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
3256	steamerrorreporter.exe
2552	steamerrorreporter.exe

Loads dropped DLL 4 IoCs

pid	Process
3256	steamerrorreporter.exe
3256	steamerrorreporter.exe
2552	steamerrorreporter.exe
2552	steamerrorreporter.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3256 set thread context of 536	3256	steamerrorreporter.exe	117
PID 2552 set thread context of 4468	2552	steamerrorreporter.exe	123

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	steamerrorreporter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2860	msedge.exe
2860	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
5052	identity_helper.exe
5052	identity_helper.exe
3920	msedge.exe
3920	msedge.exe
2292	steamerrorreporter.exe
3256	steamerrorreporter.exe
3256	steamerrorreporter.exe
3256	steamerrorreporter.exe
536	cmd.exe
536	cmd.exe
536	cmd.exe
536	cmd.exe
5084	steamerrorreporter.exe
2552	steamerrorreporter.exe
2552	steamerrorreporter.exe
2552	steamerrorreporter.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
4468	cmd.exe
4468	cmd.exe
4468	cmd.exe
4468	cmd.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2956	taskmgr.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3256	steamerrorreporter.exe
536	cmd.exe
2552	steamerrorreporter.exe
4468	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	taskmgr.exe
Token: SeSystemProfilePrivilege	2956	taskmgr.exe
Token: SeCreateGlobalPrivilege	2956	taskmgr.exe
Token: 33	2956	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2956	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe
2956	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2916	3076	msedge.exe	82
PID 3076 wrote to memory of 2916	3076	msedge.exe	82
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 3460	3076	msedge.exe	83
PID 3076 wrote to memory of 2860	3076	msedge.exe	84
PID 3076 wrote to memory of 2860	3076	msedge.exe	84
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85
PID 3076 wrote to memory of 4172	3076	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn-general.cyou/1-723628312/ng-32948238493-18-1-25.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd8ec646f8,0x7ffd8ec64708,0x7ffd8ec64718
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16976147092583032710,5789359053079897764,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1140

C:\Users\Admin\Desktop\steamerrorreporter.exe
"C:\Users\Admin\Desktop\steamerrorreporter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2292
- C:\Users\Admin\AppData\Roaming\javastream_test1\steamerrorreporter.exe
  C:\Users\Admin\AppData\Roaming\javastream_test1\steamerrorreporter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3256
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:536
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1360

C:\Users\Admin\Desktop\steamerrorreporter.exe
"C:\Users\Admin\Desktop\steamerrorreporter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5084
- C:\Users\Admin\AppData\Roaming\javastream_test1\steamerrorreporter.exe
  C:\Users\Admin\AppData\Roaming\javastream_test1\steamerrorreporter.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:4468
  - - C:\Windows\SysWOW64\explorer.exe
      C:\Windows\SysWOW64\explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
184B

MD5
d994fad7643b5cd1c7acf750b5ad427f

SHA1
54679756735bf2cf0be07cc0a27e4979a20657a5

SHA256
1265b602432d23e772ca18cacb0074201b301adfca7aefdd3237a2aee4e0cc4a

SHA512
4862355473a2b2017a2698c1de1e4fb319e28307ccf6751867f843bbfbe0cbacb8333574a0d55d9d1bfd5df865df597e8f2eeef2cc98f1512560c033b1da198b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f79f6068f4453782d07a78b3cbe07061

SHA1
611d2c4a5a9951a51c0fe5994faecebbeda0923a

SHA256
e1f53192a23fe0c333a07d302163625509c80aef5d63eeb90b2864bfb3c590f6

SHA512
0419e6035d54fce192a6e1e7c530e9e1d2de0155b4136060cf434f97d10c79b9c748bd15201617a99c7164274c1173a436b523351926a781330c1e4d5ba01f90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8a2716274f29bb9080c6cf51051ca815

SHA1
e6bac57c05cece265fe8c5878c492d738429899e

SHA256
aeed9fee8c71d59b9fd02115b93ea5e67109b18fa056fa069840d8d2824bc4c3

SHA512
c0c7e5ef442bd55fd1eb26fd88ada2b3cbc2acf450312b93ac88c1e372311a9afb749988b5c3a21ce00554e4faa1c11900c221bbaf8e41578f7a0b4cc2aae2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d891d4b04dba2f5d603a3ee25c94034

SHA1
291db7bdf09dc9af9698ddd594168bafa5495e1a

SHA256
3aca5072628b0df476ed056286d45179f3cf8e46effbc65c283f4c23c3efa968

SHA512
bd7a2a3d4bca1c9d099b740c9168ed58accc82523d2c0af00368e08b900537b471df7196753129284df726f37a2175c49fae815e79d6b6cf89038f2bc0e5be64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb569a2713e7f5a19dd7c86b9db0d527

SHA1
20dd66f574e9894486254155a6455d4c47b7ab52

SHA256
f3c352743a61d2a3293459fd072a819893ba50052b8007be3d95566c6cfc9d8c

SHA512
87e1ce797646e0e50af2366961b07391327c2b4f4c1ced11ead85756f474aed6a0d542ea8d536fb2bf607c1f801b774c00d353b43568d0c26d80d54113903092

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
002a39e5dfc0b884956b5b4554d25594

SHA1
e1f49c6a3cc4436705ec1f6434e345c64cd3c629

SHA256
592f337a535500d6eeaed476b5be63e169b8baff338501e2e5edac519653dc17

SHA512
83d633680f7b6a0db12bfb49be421e283bc53a7ec34f7c316ed7c3cf921548bc29bd70703205b2c2dd38b28904a4d883c66b8ccccef1e64a453e6999e1cc9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\7a086897

Filesize
1016KB

MD5
9ee163b3d972a505ec5baa2c087b9f49

SHA1
f3012b4a9d10879ad9c78c0b48b017428bfdbd4d

SHA256
d257bead59e9736606a337129b2380cc9a2f043c65566b9fc75277d4bd3a77d2

SHA512
81a11eacb0d0364598938ffbb088e0cd33c2b7a57e7902c16f3ba13289b6e3711c61eafc814f9f44e038607f83f8fa182c136b85419ef2baba67849151d6db40

Download Submit
C:\Users\Admin\AppData\Local\Temp\9f492f2

Filesize
1016KB

MD5
a796869455f1c6694fe753d90e9bb5e9

SHA1
448a3fbb83c82d2449219abd72aa59379c15fbfa

SHA256
0a83504fdded73daa6cd7fe77725b0970c325d0f7c11e9e2d472eabfe346c718

SHA512
9859b5e1ccd5419641ecdc6784bec33ed2f9f916b7224b34805edf3c788cceee6ddef58f7186f053d152a19a125171ae4bf510fd0cadfbba13743d632894800a

Download Submit
C:\Users\Admin\AppData\Roaming\javastream_test1\cochlea.torrent

Filesize
55KB

MD5
495344e71846d9e9f55219dd173b8bd8

SHA1
728a127f624ffd35a65e63f9a82c2afe4c622be1

SHA256
4e07702ab4eb53cb3932dea092905b10bdc0299e0b8b3ac98cf7f213f12ad3c5

SHA512
dd77bec78b5b1d457bda9dd4c44175916fce42934a6a30a4bdfe8561ada05ef00aacd05aa366288baa943b3ef2fc7fd6ac1ea5a617d493072e050fd937fc2435

Download Submit
C:\Users\Admin\AppData\Roaming\javastream_test1\steamerrorreporter.exe

Filesize
560KB

MD5
dc1681b98049f1df46dd10d7f4c26045

SHA1
4c7f5cf7c00b6139979f8aa41f46979666369224

SHA256
594f9853124e0a81deeaaecb8ec3d192169e7393778214ef6d8f6460450ef080

SHA512
c9a2086326acbab8aba801da0d8bd2aa06951ec7fd7f32a3150f9521498c0b6711552695fbf9d0de7668503630c508bcd68e1d715796ef34f9945035da3fe1ed

Download Submit
C:\Users\Admin\AppData\Roaming\javastream_test1\tier0_s.dll

Filesize
341KB

MD5
884013332bf332e4dd8cbf0109a8cfeb

SHA1
c01789d661d465ca29d20174d8f5d29afb1fcffa

SHA256
8ed104f6d7a50f95d515005bf6bd5569cd2dc0107119aa3d91e21dd7ba777e98

SHA512
ea18f416b1295edcfc197c685d56030246097bf95ffffa46f13a16753d05d95a1adb83b5ba0669eaa1049856ea2486ca0fc49507df7d41572de80701e9852f64

Download Submit
C:\Users\Admin\AppData\Roaming\javastream_test1\vstdlib_s.dll

Filesize
519KB

MD5
5c245a8bc2765f02b838db613a2cdb49

SHA1
0952a9edaeebcb4afb1f746cc08e044ac2f2a4e3

SHA256
411fe1b7a84923e849be6844768240da54122f02dbe9611aa18f33e765ad108a

SHA512
ca2235ea5c01b173106cd33ead51ba4877cd85dcf978fe5468ab1b85b173ce2f85d2e846c4bd278cbffebd82b35674f3b2497271c25658536623f1d7aaee0f8f

Download Submit
C:\Users\Admin\AppData\Roaming\javastream_test1\wharf.indd

Filesize
775KB

MD5
3ea96a50807b3a6bb83557d94c8f9086

SHA1
1e3f8ddfd9eef1e3b73d228f3da3ab154514f381

SHA256
f56b4dc0c747d09582debee8014ba7c915b7c0b3888e1022795547a983d83c10

SHA512
31b417c4f21a4fdaacc87df63d63822f99b1d64406b979d11d3c70026c602846470270508c419faf3ed3106654df55be6ee9d8323b0777d1765d92ad8f65cce4

Download Submit
C:\Users\Admin\Downloads\ng-32948238493-18-1-25.zip

Filesize
1.3MB

MD5
8ef10cb39cf040535382e7fbe0cbd17c

SHA1
4beccbef5a235de2c6305946c2200f768fa81ca6

SHA256
5f01f121168983ab53d3e4e523e344e3a78abdc3ca66cc2be0b54c8f755d8fbb

SHA512
84169105a3af1bb44735bd3ba25de2e9704593f626d439e1f978a1b12eeb17faffe4fa89dd02778406101d6193932a0d6304e895340f8a0ae06104474590d843

Download Submit
memory/536-103-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/536-113-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/1360-184-0x0000000000110000-0x0000000000166000-memory.dmp

Filesize
344KB

Download
memory/1360-158-0x0000000000110000-0x0000000000166000-memory.dmp

Filesize
344KB

Download
memory/1360-135-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/2292-81-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/2292-80-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/2552-129-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/2552-130-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/2552-132-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/2956-142-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-144-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-136-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-138-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-137-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-148-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-147-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-146-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-145-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/2956-143-0x0000022819A00000-0x0000022819A01000-memory.dmp

Filesize
4KB

Download
memory/3256-100-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/3256-97-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/3256-96-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download
memory/4404-187-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/4404-188-0x0000000000550000-0x00000000005A6000-memory.dmp

Filesize
344KB

Download
memory/4404-189-0x0000000000550000-0x00000000005A6000-memory.dmp

Filesize
344KB

Download
memory/4468-157-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/5084-115-0x00007FFD9DB90000-0x00007FFD9DD85000-memory.dmp

Filesize
2.0MB

Download
memory/5084-114-0x0000000074690000-0x000000007480B000-memory.dmp

Filesize
1.5MB

Download