lumma | hxxps://www[.]mediafire[.]com/folder/f0tzfxsevhzq2[.][.][.]

Analysis

max time kernel
156s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/f0tzfxsevhzq2...

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

https://suggestyuoz.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
448	Loader.exe
3332	Loader.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 3332	448	Loader.exe	143

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1104	448	WerFault.exe	140

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Loader.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1652	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2096	msedge.exe
2096	msedge.exe
2196	msedge.exe
2196	msedge.exe
512	identity_helper.exe
512	identity_helper.exe
5020	msedge.exe
5020	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	4052	7zG.exe
Token: 35	4052	7zG.exe
Token: SeSecurityPrivilege	4052	7zG.exe
Token: SeSecurityPrivilege	4052	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2408	2196	msedge.exe	83
PID 2196 wrote to memory of 2408	2196	msedge.exe	83
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 3236	2196	msedge.exe	84
PID 2196 wrote to memory of 2096	2196	msedge.exe	85
PID 2196 wrote to memory of 2096	2196	msedge.exe	85
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86
PID 2196 wrote to memory of 2256	2196	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/f0tzfxsevhzq2...
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebee346f8,0x7ffebee34708,0x7ffebee34718
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6948 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17657334786145255072,10481810738042132412,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1072

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Kapu\" -spe -an -ai#7zMap19859:70:7zEvent24075
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Users\Admin\Downloads\Kapu\Loader.exe
"C:\Users\Admin\Downloads\Kapu\Loader.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:448
- C:\Users\Admin\Downloads\Kapu\Loader.exe
  "C:\Users\Admin\Downloads\Kapu\Loader.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3332
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 832
  2⤵
  - Program crash
  PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448
1⤵
PID:4832

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
807b752b2585dd163cc1c35622ffc63a

SHA1
d381370e8e6521c22290001fca2bfab0aa403ec4

SHA256
922da75cd471037fed48329d89ded156931aac497c77b8a850e25b44a3e165d4

SHA512
8dcf747ab30b06f96572d4e6963836bceaa3427f77f473283f43de544f9bf4ab00f864bbe5992d39ace6bfa2bf55570ab5d76c9df395122be9751bfc59453e71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
92f60483bc5fc7e8874611239bef07cf

SHA1
09a9ae54910fdbb7df6cea6f87915b1693cdac67

SHA256
352de0e5006710a38b6d374cad233eccd4d6a76778fc562413d165006a2b1f7a

SHA512
c22ddc56342116394d9404d918bf524f47aa89eb49c8c8b77dd4bb3da7efa65ffc7f5889e64e81375c05f8241cc22f8231b5a81034191356c4c812e9c487e0b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0249b15d0292f26399ee13bbb35a5ce1

SHA1
bed943cc505b96199676e02dec0ea213df6ae0b8

SHA256
6bddb8de9925fb66d6e33e2603d7284dce2aa62dea725356011c76ab1cddf44f

SHA512
0db21027d06808743d6b662a8023dc5c9cf7a68cc0d52e00f310207b2ac3821a5ec8b859d3aba70f2be7f68f5a6fdf6763414e89e112b1bab33c13c86e8c96d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
879a9561e2b2ef6b67ba7b1b1ac139d8

SHA1
de480b54e8acc939e5e8b52e0e0cbe38abdfe1a5

SHA256
fab730a1bc464450941a11713aecdf52f36a6f09f8aa374231ee0f1d26a1bca4

SHA512
aedba20c9c58c8159f319691b0b61ce572bd01f31322bb5ed3f17db0cdf23f83d71d156111ad58b9440ff9b0f58cefe16a4fdb76c6717eac1fd6b69ff55461a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7eab35eaefda03e5c2d378b192ad3d2f

SHA1
ef1aae077066639ef790434c6aaa44b042d68fd2

SHA256
8d9ca686a856c6e93f8101b9b2a1a89da1b61ebce5918d5c08f59bf374022e6f

SHA512
dc7e68285b626533ba2663ad59c71936402b1b402fbe72842fe3d148fe0727effc82bb1ca65264b334290c648e68223b6e24f44efa0c7edf1cbb6c682b2b780d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
221a8c17119a35fe20d0b177fcd31551

SHA1
d1490ca78b9fb7436fe29cc6031c5a077a4cb188

SHA256
b0c22ab7a703d928c1fb4e8b91e275a368adef1dd3059ba5a398aa897a93edad

SHA512
308030e413c1712d56b0ae8c4b343a394a16fa33d047cf9a373952554115ffdceb83a440c89d6e341325a7d4ab5cd8553bd93521ed0820c6ec49d7bf34b7f172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
60b2b0fccfc0ee62c4dda62c9654afb2

SHA1
10285166d8a1913beb1b0e7472de192f78e498d9

SHA256
b156463354c6ef209ffc91ff73c1dadec956caa5b54e054aef5991dd7df9903a

SHA512
f4b2ee945ef861aadd278692fe58e98ca0a1458412e8763f1fa2af9cd7c698f7f9b82dcc2223f3740ed165106eacf3d69ad9dbc2695abb24401d6afe4ef4b8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
43014e8fa8119e0ebbffc5176a1813f5

SHA1
449d98a60986b3c612ce0debbe502ef1b51bbd4e

SHA256
3fa629d60c0b312814d01298893602edae2b30beda0eccb38c88755f18323872

SHA512
4ce83de3b8f1bc31723f65ffeeff3f5653ed86ea33e62917a01de1e5d2aa4c23c51bac9dc1e4761accfa14dce57d86a5f1c710fc8eac5cada3381f102f9cec2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7b02ba93c88f2d9d028687c8cdf4a4c8

SHA1
9f26556f1ba3fef9cd510d8eb24c9277411fbd26

SHA256
08f92477bb100adfcd92f2e9b889a18d960934b6bf549b47544cc08ca3c88839

SHA512
791616a8a5197db31dff4df20b5987ffb2db50f69127d27b2cadb075723a32b11bc00ae3bfbfa45ea721ba672432f284c8057858fa5ed0bc793a8e70f93ba4c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eb7db95a075c44f5d074524edba6876d

SHA1
2589169f83211ed5ae1c613120c0ab0754beb187

SHA256
e31a8dcaa5dc54316070dae37745330d256795ef91bc0f9d33938bc7eafde342

SHA512
e1e3b4c5ce71f2e9b4f3b244263ce24e21ec72471acbf197297408fb7ab6c34171f7ecde4d7f16266d2c399a7dca06850c0a8d16a714e224b9f5edfe0b520a25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57df92.TMP

Filesize
1KB

MD5
9e449f8eca18f72329d9089bc106836b

SHA1
6551868765c69ed37479d0e0102ba2832b733e6e

SHA256
f13af98f2f667e03ded4d4118b70fbed7110cca6f6e4189392a11c4701dd6f0a

SHA512
348f8c827de3038c4403e6d799437b64c3c22e7b71ce9cb059bc8e887bef6e631d148c3d87bf094304d44879ccb888880b548b0ec3d36918029b19bd33ec672a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d22b830cc6293bc14d2c7ac534a496b0

SHA1
8c77bbbea13e4ed4a675ad981e2cf942928efa50

SHA256
a9e9770af35d6a74b0f447aa5914503976fb8d1806bdbe59300cc9ae9c901163

SHA512
399de85a1057373e60dd4d77288d73a26dc2f596322a4bfeae7a52ad43a329d5eca425b8bb5d3c187bb4bde0a23c9061010cfe2e5ad3358cb08711203305cd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
00c2f61a64407ea20bb439e0edb3e62d

SHA1
1f7ca380f80bd3a61ac271bf2b7a528fa4835c92

SHA256
92332c9b6f4ba91aac787c9764ab74c6b2b80bfd41f62a622a0bc8c2bdfea2e4

SHA512
a20f4fee2730f7ac92625c0491447cf15018c0a2a6abb0a0534acbe08817bc4419938ce93e5d3967f4e64f364ddca86a4bac88f8ccf68b2cf55822951f9bc741

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
189cf6a85ae2d69c80f655012554ac62

SHA1
d3d53920d282a34f393544ccbd178f79732eab50

SHA256
dd8f817f0b0402192899fd0f1587c5a3cd0237f94e477ddf8e9e8f11edec7173

SHA512
fd5a47dd7a25b9b073144d2bdd53962f063787e90edced812a1ea1bfbfa1a1be64789da0675310281a272934f53bd6fc93840fb713e36ed7c2cf0fa53d22d071

Download Submit
C:\Users\Admin\Downloads\Kapu\Loader.exe

Filesize
498KB

MD5
2d7852adb979b0ddd951ffa2f567a580

SHA1
33e4aa75d3b687c772c311e6267db4fddc1718c6

SHA256
b121075020862981aa58718752f4e1e1d93f859f6281076b8b08cde3fa73fe3a

SHA512
21a65b29a529be90bfb6268ef8ed0bc2991078d2bc41c1b09c28e9db812442fcd15123851a23cdd374fde9bb347ff63b7b1f746f8ddcac1fed743f70d9e84aa2

Download Submit
memory/448-440-0x0000000000970000-0x00000000009F0000-memory.dmp

Filesize
512KB

Download
memory/448-441-0x00000000058D0000-0x0000000005E74000-memory.dmp

Filesize
5.6MB

Download
memory/3332-443-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/3332-445-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download