lumma | fdbf0f947dd93be677c6ee55919055be5375315ebb0ead48eda0a8103529787d

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kiddions.exe
Size

398KB
MD5

4d4809ac8b3629394ee4376ad28c4f41
SHA1

bd0ab274696f8d2947e9228bd3aa8646a5c46ebc
SHA256

fdbf0f947dd93be677c6ee55919055be5375315ebb0ead48eda0a8103529787d
SHA512

f41b0da436dd7b6e880a61b564f42638f9c82b039541fb798b57a1fe5c8c8228aeb24bfafde1068cbf2158e7f18edde7d7bff273baf3d44a345893c6709386b9
SSDEEP

6144:jY5Gcxhg93F8Yci7cRUNLT0t5VJm+wADNSWdSfUrMqkUOp97ZCQs307TEuCiHf9u:jY5GcxZi7cRU1T0tPBwBfT7Hk0Haig

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kiddions.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2752	msedge.exe
2752	msedge.exe
2972	msedge.exe
2972	msedge.exe
5028	identity_helper.exe
5028	identity_helper.exe
4308	msedge.exe
4308	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe
4548	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe
2972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3496	2972	msedge.exe	88
PID 2972 wrote to memory of 3496	2972	msedge.exe	88
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2292	2972	msedge.exe	89
PID 2972 wrote to memory of 2752	2972	msedge.exe	90
PID 2972 wrote to memory of 2752	2972	msedge.exe	90
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91
PID 2972 wrote to memory of 1296	2972	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\Kiddions.exe
"C:\Users\Admin\AppData\Local\Temp\Kiddions.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffff44146f8,0x7ffff4414708,0x7ffff4414718
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1880 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2088 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,14289872032575252974,8250717797782636421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6356 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
192KB

MD5
38fa47a71bafaa418e88a8bb9822b16c

SHA1
81816b9d784803e7eaec2c17a223720d3d8f04b6

SHA256
ac4f7423798a9a9324a35c0c96dec3d7ea35f503cb1dcb358a764573b6d0632f

SHA512
3fa375d257d0688769067ff2d8b81b2f3673a139d7ac6fc35ea023155572639266bf3cb63f919e12bfd3ca0b276ee800aed441eba07dd5f038946046dbb317bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
53f2302116182b833792cd958a8c12b4

SHA1
c9ab56a6a10376073f443ed2563eef618ef9e030

SHA256
a807ed3d2702b88dccfac6ba98eba9fdc8c79bbcfe46af2d2b011e8b9882f145

SHA512
f6b0d4fa1d22200cc10467b3045db26e6a3a57e9b85f75a885c9c092a7290be357516cb9d3952f983e615ede6268b7d94237378fa79baa390217d81d418b6e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
7edbf7f4ecb61a1fe9875e9825f14dca

SHA1
a9a99b3d8c655be75b0de78868306c88ed5954b5

SHA256
36f8130674b6204457a4adee092db14a8118fd26f1aa6417224a0acbaa3ace1c

SHA512
e12391d8ba98a8f94a211ba5f8ce882b1f4c907fbc0a6ace5ad968ab350a976bc316d848421c505703e732c358cf93addb93b227caf6e8e2263f45f7cca830e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
22b65f9138628f80f39567c58491a9b1

SHA1
bf73692378e06375af29670515e3b380aa65bf11

SHA256
76b028b2cf22712552f46acb7c81ec9da488b213ddef2b9f85d3f2c60e224d4a

SHA512
38c4b1d188deb522669ceb9e7536f28344962886cd6a31eba0c678c562bf935a98e08a181528b628fecae12b60f36cb709198c8bdd9c1a6dd249e9a421b466e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
301222544746af2251af1ed3ec50e067

SHA1
a3f471d3cf477adf44acd9171d11d33d5d67d49f

SHA256
2804e2cb233a50ccc9eb1a4158871c982d7bdbcd4f8266331aa325b64a93d403

SHA512
b837a3423492fe6a46c34ba27d4a1bd8a461dc180fdf597172685dba5680c543eed937c852a3f74f44590e01f26438b83fb3de3b3fa774d059bcdf8aaf2f9ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1ce3cf22b95dfe69e7db7185aabcd45f

SHA1
ea79fe7646cf3bc82bef53a78a976194d58d0eb7

SHA256
c6abf090d1ef5708d64c8cb0476bcff42046fd1d4443d83e27d69045fa56cba6

SHA512
dc0835255b287475e533d6df959e15e0aa0d57448c9ade5aad73af55fce7723aa1e1ad99389027f770876cef5ef7918b446f2a01a3413148ff6ee0252482c8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4468f0c5116136bd0a7641d5b963544c

SHA1
a4c757a67e9953bf46152c4506b5e2b1bc563b4c

SHA256
1e2fb6af0f3f61465ac6558d96d7392588683602040cf2883e6a3f6b4f3f2eb6

SHA512
f82ff5f428966e9ccfe7faab509faa91576b66f03ecaf33f6cf1bff24dafa0c788a971e4a80b016c2c471168e3171f7b058df5896007f58c3d175425001277ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f291eeb3f0e60b8cad9eea367cb17bfe

SHA1
7a580a0650d96050061db9c118f46c91f42bca8a

SHA256
69987838aefaba44477d53d03f105c6259706a7a29bd780f804124c4f32cc2b0

SHA512
5ac8411363173e00ac025c50d444f9ad8cd1770087805c076aff4a76477cd3df8496a07c194f1933d7335b5206df94b05fc50231de3b74b8f1e0bcc1ddb45e05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5449b8da5869b5f806f0e65dc9aaf630

SHA1
e274e5f560b9ddd316e94187e84ac57269a7d5ba

SHA256
ab4ea27f19c078a03d7c36a945d7ec7713f71a69f31f422226978c2eca1cda14

SHA512
e764d52aee926f8cb103918ef48a7dfc60080b9b38f6bedbce9fc4c087cdb827e53a237e756a6598118d2ee80fcf2e1d9b0568648161344638182b0a4bfeafbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6d9015a80ef8cdcff7fb2d7fbbbb2e3d

SHA1
55e22f820901922333f8226c2c9b927796f94d6d

SHA256
8b91d52b1facf2b91f5d372af80dbb4d05f76c49b21ed96e2187a7714b49b814

SHA512
c7eb759d3f3c5deaa6814153fb35de3143071a2953f424a9d86ba63ee795ea4441d00f66263b3b83f9965dcbda2842334652347b9310b562a1527cf4610e64ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f932b9685b8b4c15328f82ad13a4bf75

SHA1
5281da3edc6bf5ea24458c71ddc2e0ae85ffeedb

SHA256
76c23aa92b65856640895ce8c3d78c2df95c4b743c895fa074a3e005cf54ce80

SHA512
37f0ac3f01260af6485532b3afd3465520861182c5362b94c08ad3dc3f40dd6482f92201cfa80cb7069b5219f8b1da47a7e73a2b9b26a5ae6bdf072b5713292f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
87cc6aab604b61da279bc753d8f4a059

SHA1
a0252d1f1244360cb4edcaed2002e5d73790614e

SHA256
96109cf206ba4b33ab86c2228d9f0aa6193ca323e5e4769ec51c2290cf2215f8

SHA512
508149874d16fbcbb4bb26047549d93adeb4a6d3f54f8b2a85aec4810b00b77fbc7a9eba584782e822c5da94e6527641f718f0e75f0ee8bc94f36350ecdf13dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588095.TMP

Filesize
538B

MD5
3e6461fc29dac49006057beab640ca8e

SHA1
976ad7595c31ae16401ff16035278a9e5c7048cc

SHA256
52885cc295bbe2800082c228244081efde3b618a21498b791f1821270b94e332

SHA512
76f9c2421d85694c0884e3556d5093b0eaf923df6ce964907fdc22339e65c253b9a6be45f99b6d1c81a52bfc01f84226c9c0ac4747cdc48ab4a184b90160d80b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a2289f37d7aeb7a50a2b8d705a34a9f6

SHA1
83174c653572b23a020096b978cd2db62dbaf204

SHA256
c7c95ed18370012e380b67be068475e2610532ae7e98d28274f0e20894486992

SHA512
5b59989528aa0a875b687fd63de21a2e1f28e7c1a7e425751fa780837ad9469ead051dbed141d1891de847c6b56de96289aae508efe1bbcef1c7dde688d0e76b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
449147ee369b0752b7186643d4d9b049

SHA1
e96ec570e94aef2c56a1574690ed3cf4b982efe6

SHA256
3ce168f3ffc882fc9f56ff94d35e86a158e5e9e332bef9ddccac296d55cf90ff

SHA512
b062e93d628840d27aee6c8f2612fe63e3894767b214f8188bc9105c856e9c5ef99b5166c5e3898d2c9b40747c6f39489e894677cee300f942aa6fdb51f6e45a

Download Submit
memory/3796-0-0x00000000010C0000-0x0000000001118000-memory.dmp

Filesize
352KB

Download
memory/3796-7-0x00000000010C0000-0x0000000001118000-memory.dmp

Filesize
352KB

Download