lumma | hxxps://download2261[.]mediafire[.]com/zfahioe1u45gQVC7qUC5WRoIsSH-7oxekpiIzspVaT4NRy_CJ11FtI409DQuw62B-8Gkzr0cqqcWF4wVJ_b5IUBQ4HxgjbyYzcnSmuPp8PLmfCz4fT7bQd4dt6bycHuCx0v8JV_jLjPZvTnHINBOzi9iLR0PwhpJU17ofifwbrg25kk/jgvv6smyn19cphg/lnstalI_Offi%D1%81ial_6[.]1[.]1[.]rar

Analysis

max time kernel
210s
max time network
203s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 09:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download2261.mediafire.com/zfahioe1u45gQVC7qUC5WRoIsSH-7oxekpiIzspVaT4NRy_CJ11FtI409DQuw62B-8Gkzr0cqqcWF4wVJ_b5IUBQ4HxgjbyYzcnSmuPp8PLmfCz4fT7bQd4dt6bycHuCx0v8JV_jLjPZvTnHINBOzi9iLR0PwhpJU17ofifwbrg25kk/jgvv6smyn19cphg/lnstalI_Offi%D1%81ial_6.1.1.rar

Score

10^/10

lumma discovery phishing stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://nonstopshawk.cyou/api

Extracted

Family

lumma

https://nonstopshawk.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing

Executes dropped EXE 1 IoCs

pid	Process
220	Se-up.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Se-up.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1720	msedge.exe
1720	msedge.exe
1860	msedge.exe
1860	msedge.exe
3668	identity_helper.exe
3668	identity_helper.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5236	msedge.exe
5520	msedge.exe
5520	msedge.exe
220	Se-up.exe
220	Se-up.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	5008	7zG.exe
Token: 35	5008	7zG.exe
Token: SeSecurityPrivilege	5008	7zG.exe
Token: SeSecurityPrivilege	5008	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe
1860	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1208	OpenWith.exe
1208	OpenWith.exe
1208	OpenWith.exe
1208	OpenWith.exe
1208	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1212	1860	msedge.exe	83
PID 1860 wrote to memory of 1212	1860	msedge.exe	83
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 3580	1860	msedge.exe	84
PID 1860 wrote to memory of 1720	1860	msedge.exe	85
PID 1860 wrote to memory of 1720	1860	msedge.exe	85
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86
PID 1860 wrote to memory of 1540	1860	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://download2261.mediafire.com/zfahioe1u45gQVC7qUC5WRoIsSH-7oxekpiIzspVaT4NRy_CJ11FtI409DQuw62B-8Gkzr0cqqcWF4wVJ_b5IUBQ4HxgjbyYzcnSmuPp8PLmfCz4fT7bQd4dt6bycHuCx0v8JV_jLjPZvTnHINBOzi9iLR0PwhpJU17ofifwbrg25kk/jgvv6smyn19cphg/lnstalI_Offi%D1%81ial_6.1.1.rar
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbc44f46f8,0x7ffbc44f4708,0x7ffbc44f4718
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,6486522702606499303,12155604107474560869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:5720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1208

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\lnstalI_Offiсial_6.1.1\" -ad -an -ai#7zMap13797:106:7zEvent22114
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Users\Admin\Downloads\lnstalI_Offiсial_6.1.1\Se-up.exe
"C:\Users\Admin\Downloads\lnstalI_Offiсial_6.1.1\Se-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
878f727b92920f35ea84a7a7c93391d7

SHA1
e3d2fb45562fe56dc0003ca98551db04cf5fc4f0

SHA256
5f65f355a387337edd871f6d9b4bf67b6267b7f41a6c2529181631ce6a2af2c7

SHA512
1e33ea54907be32cf017a3ea3a89b2a8b17e6cf64da3e99288ab44d01ea021b3e77a0282391c3df1ecd7f113bb24107ef73d72b68f3145a44dfcec7a5c7e110d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f6c694d5c53c57e7cf219be1fdb05c2d

SHA1
4c2a82f183dec5fb3ecd2d6bed6694739ffd11a5

SHA256
99521fa5820b010d9f796916eba7abeb71994d6a5389ecb3b2e094cced38d909

SHA512
1a3d19a5985e0331c47faa98302d20d24d5e0f5155dd1a0e83420087e56f4635b89f8f776291cc56a6fc703408f7ded97497d7ae20b0de5845f1e073a418f69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
671e3abae74d0382c1c4f282a3edf00a

SHA1
dd3ebeab91b9b5cfd64320192291f40a0a0e502b

SHA256
3491f7d8e7e861c98df4df566649a67f0d9367e6f54cde3ba372291a362ce54d

SHA512
d3b20d0b03f16744568714d0df025592320fd41efd0da40b363cb3b70d4108a6d0f1f47d6e99beda4d91c303fa7bdc2b6035573a171ecd17a04015552b339889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e411c1dd1f9f456098b16c76e796dbc4

SHA1
e1ab0980711f10c196a8d1d4799d7be7b4fbe0ee

SHA256
38677acdd25ab19903c90caafefe105154a698e5c8fc48fb3ea651ae669552ea

SHA512
b0a33487bff883799e07646c57c994e9112f23554a8e3238eaf1bd14f5ec25ccca77e8a070d88f8ed90820080fe6424674f733c6e0765b68b326313da5d5656e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
0a96b39dc074ca132243d8af4e53741d

SHA1
b5fb27ffec2ac57582c571da14aa135544c70d2b

SHA256
8c264ff8697f23ab913f571fe70afe3f6b645e361545ff46f404e28d0b41957d

SHA512
bce75760a633d1ffb30e18bd937d2672689762d3a82dbbe57743a795453f492440de0a4551bd7ad54130c2d2201b482d154e80081cfde6e67680bafce3555d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
50f25dc6bd2ab2ab7e41411f77107579

SHA1
7b1bb4d6cc1570dcbb063068eeec0e10a7850ada

SHA256
7e48b0003ea7b55ab5888d93f83f3e2f76416ca3cb658b6233848df227818d78

SHA512
7f615e12da8b8903d40415e3200216aad06a9baf63eb710bf387e05038cdc39d6d10d0a6012dc8419d79f32cfb61df49699e20aa818a1961dea6a5ed470d6ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
19d94d107a0d2066dbb516bc16fabecd

SHA1
d14ed7817a826cef6d63eb9d460273fe86764464

SHA256
efc0213118f047ca5ff78e6d9a3a4d182bc9a645c4c05cc5041a6e83d6f1389c

SHA512
90ddf6153fbc6e198ee6cf82cf69e332825a2337d60c60e79bec1b2491075fee1942ce991a0142a535608954dc77dcc956c506c9ef02f251fedee7f6eb8c584d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
bb88e011e33d7fb2989d9baccd0cf050

SHA1
bd275f596a5e649399eea1747f0acad13a8b21d4

SHA256
7dd7f31e833e49f35d93c57d5457b1f590c8192140473374d2bf09c1a030ade1

SHA512
aca59c303f04dc154ad8cc9e9f03771f6ef3d8965fe7793dc5844664d176d6d1cc5e27e43ad78d2d7683e529ee1b4c680e3cfb652b0ff1b6661d08a6657aef55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
eef2890cd5b362fe99478ff0b78fbafa

SHA1
0d8c6aa77df6e52ff8e16fd841a406adcb999b3a

SHA256
c86548d30ebfeb42ada055756b1da772f777749060a46c5f89e1d18a2e916a86

SHA512
469eef23be72890a4f8ceb349bf48c70c512c39d2f67416b58b990facd2f32b3ad19efb5f7db93658fddff1d96d6afd4b9480cb902926018646c3d61bb0e2a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8b141a03a3abe386ba65e21fe3268eca

SHA1
799041624c28bad27ff85e2ee1bdd5f3291272de

SHA256
08b6b6074ce951cf9c6236d27857c7a0ee2d2d5fc17293aac498a4db7b2ccb2a

SHA512
18b6cb6315dbd4889e8a851c1e604ec4cea15f132708dd7644426476a6a3e45da9b484e5720df0910bb131bed6b2bc455abdc97a8264b4d4c512590d51c5c078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b19f7165e3245fbb5b1adbcbb7ed4dcc

SHA1
5827aae4fc1d77d9b5478dbe93bedee67e00fff5

SHA256
6768dd96d57bf53e10732dd14cd58d0ba3d416f34de62750e6e3cbff4ddb3fc1

SHA512
a021cce6810c6371782d7528fdff8727d2c2d80e05a5c060485e7299f12983af809ca47de2cde5fd659d857851fbf117092d3b71ca18dc18ebdf839134d18212

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b9765c35f19c5c5d18ed1a913c7644b8

SHA1
64ba6603bc547dccb9efe9698521b1fbab99bd08

SHA256
0f6bf28706397865e46b5a9ddad1f5a6b284075cc35f2480c0ba194dabe4175c

SHA512
8e47a8bd47f8b0cc2d3a44a17c4e4b429811f14454167a49baa1024fe4031c3d58d4ab739f9d4deb81804aac780e5aac6b003ab7bb6de08469d70ee72d2b087d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
129f641326fb4d4b70afaa45f6e940e2

SHA1
0ae8632909b4ce75cc9da92be26ae53bab80a734

SHA256
37d5cbc2a717e619e09daa3263c383f780a78f8b68b2062b2960de59b4edada6

SHA512
fef35b0a5f2f4da747f02b779a6ef0e872b26418ff4cc3ec059675c08a79571d6b8a8b4933f5369aa6bd16849cc3235c7480952e3b4a73678aae6be5d22ef61c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e14c521850c66ad2d5df72a710fcadb9

SHA1
a651a900df86be7f04696a51ea5aaf4da9aa949b

SHA256
136431f15a8ee46ce16706a097639a254ecdd66ba75d519990f0c42e38b6bb48

SHA512
f546c5092d50436b67a6e4e35e9fbf3cc337949965cc1bcfd2bda7065c22ec06fe27df5822e82f0a9c3a0de26131fdd2fb773d74a254e5a3b2e2fb7d5f373f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
99972421c7cf0ff6309e9238e3605da5

SHA1
d62d27cf6dfe567578af696dd41363358bbbd61f

SHA256
eb1c840bd98f8ae64899b3bbf4afea2511fa10eb55e3df7137141466864bf024

SHA512
5a7b9c05ba4f69c6ad4bcf7e2d05cc0006d658e283c4c82180f2b381a69f3757fa6aec7226d0b801d1ff543f3971a2408fbd376d7d4eb1929d88fc303a49c151

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584c17.TMP

Filesize
874B

MD5
e7d0fc16cbe14a582c4046c7f2c94408

SHA1
253538d90f97e9ef0af7e42ec61647dc6768539a

SHA256
5dc7c11966c8aacfce495d4db7561f8dd3e85ea17e0f2c2d5e052799d65e4371

SHA512
99329576b043311f7372831e07c7c7f2d789ef6540c6ebc04a75683e712879ccc67984a25dd1294248a542f724bf42b5674180fc3294017620f1d1862dd21f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd58660d22e66ecf63508b0596845f1b

SHA1
603b393ded44547ce4a8cefe25e374fed1f854cc

SHA256
65ae53a009f8e0271fb8f403a8e91e15f8f9ca8a79c1f958c4f1220cdf3e1bf8

SHA512
facc020385d43cbbad46c762a3255630213d4b29afd3b1ea0b4684f574c1c9bc0b5af3b08f17649fda686497255160d74e3341e8b9462027470422511b032631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ad557e786bdbc1bc43828ff19ffbc5a9

SHA1
a11936d548b01e0d5b65d8bc35983a4429eee75e

SHA256
ed8e1328ce142854172423c77b0d9385a7ab239d2a2922d33e19e74efb8457e4

SHA512
910cac423d51b183b794182afeb0351765cb625524c16753cbbb57a7093559efe23b29ed4f180f69f0e4073843dddca285fa3177c860e4e1e6df111ac2850eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5556291e07f76f71cd177757883e457c

SHA1
e55fe23526bf7a30173231e2cd69c5628b7a2337

SHA256
df64afaf82ce1d7f30b7b9531b03bc2fb8eadb407bd8e71b187db6b5250445a7

SHA512
fcf674e26e8f49aab23e0a3a8bd31da29138fbb64b06fc0d5b68c857bbf5743f165e977c77116e2ce4ca3d27dcd0687202018133ddc3384a475d62da5d2e1717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
64174296003ece659e52762fb80ad940

SHA1
01fc3c2533c9e9130d2ab0c6bb28b567b7ebaf09

SHA256
d48be523c8e65e41e2999fdeef354a10058238fe684716e2bef89dea3c082ac8

SHA512
440c9c91a3808fa6cba98eb28877856f85813f7e3d3b9bd7d038043dccbd653fa9941009d1182335c4740a7d6b2bb706bb6638a9a7f30d5aab60b31eb8a78491

Download Submit
memory/220-692-0x0000000000830000-0x000000000088B000-memory.dmp

Filesize
364KB

Download
memory/220-693-0x0000000000400000-0x0000000000689000-memory.dmp

Filesize
2.5MB

Download
memory/220-694-0x0000000000830000-0x000000000088B000-memory.dmp

Filesize
364KB

Download