lumma | hxxps://www[.]mediafire[.]com/folder/mgbqt4sv8xmd6/Ai

Analysis

max time kernel
279s
max time network
280s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/mgbqt4sv8xmd6/Ai

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://feerdaiks.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewIn [v1.1.0].exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewIn [v1.1.0].exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3560	msedge.exe
3560	msedge.exe
2432	msedge.exe
2432	msedge.exe
2280	identity_helper.exe
2280	identity_helper.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5632	msedge.exe
5632	msedge.exe
5316	msedge.exe
5316	msedge.exe
2004	NewIn [v1.1.0].exe
2004	NewIn [v1.1.0].exe
2724	NewIn [v1.1.0].exe
2724	NewIn [v1.1.0].exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe
2432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 4332	2432	msedge.exe	85
PID 2432 wrote to memory of 4332	2432	msedge.exe	85
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 2080	2432	msedge.exe	86
PID 2432 wrote to memory of 3560	2432	msedge.exe	87
PID 2432 wrote to memory of 3560	2432	msedge.exe	87
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88
PID 2432 wrote to memory of 4476	2432	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/folder/mgbqt4sv8xmd6/Ai
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb77bc46f8,0x7ffb77bc4708,0x7ffb77bc4718
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6316 /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6492 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:5740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,11963817116857771849,10929958256024800107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:5088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:824

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5980

C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\NewIn [v1.1.0].exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\NewIn [v1.1.0].exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2004

C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\NewIn [v1.1.0].exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\NewIn [v1.1.0].exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
769c4099920d6b203346d7fac437e09f

SHA1
13b20db3e43daad134c8a79b356408b90a82c96b

SHA256
d7a8ccd050c8376a49b82c3b955e663de45f82c94f84c34e80aaaa44ee5f7629

SHA512
ddcbbd193475cc5accb3a79cd9f68cddc4e1b28c8623a75a279f19ac3d3d667f50f56d4911c2e24a6da1de35052bdeb5f17080152dd6f5e87ea93c34213d0355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
f1d3a23e85497a54944b1e880de83720

SHA1
ef0bd4d16496bcbfbad7a633b3735de6c0ac7b2d

SHA256
21c834af2e36d8e162b6e897e271464507f31bfd9adb16d220bf9e7c1499390e

SHA512
af64a3f0647c515c64cef5e5a492374d986845c18b05b88f69a0e8ec14435ae032dc6f02e3b6500f559630f7d82c00934127ef5d28eaa68394cfe8fd3554267f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
e45dd9715e39d3e36c80166d4d737cdb

SHA1
36f720ec181643097c1c6acbd415f42f951346bb

SHA256
455139d6a91282f3c1376235fbfaf92c56a8d927f32ccc94168a327e9bf0c1ff

SHA512
4e728c8ee91893cefcea948dabe81ee7d4d7e7e990ae764d8f0e19fdb4efce3e1e52f0dc8ae427fc765d6cb8b9d9de11ee857241e0677ef0c09a5c2c9fff1ba4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
469f4a11871bee122079e95a9d127581

SHA1
40d75a52ef7b0051995e35b050371ca913a4230e

SHA256
57d3a303b0ab6d2d5d048814bf6205616d6409344c724d3f9236bcc215922a8f

SHA512
0ffb9e1297694ddcb011448e8b37c64c4ea7cf1d797482fa695fff66746795e4c8b9182544e6621c4f0991b502c572bead71ca6b179346e729ecd0b64cb2d4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fd727db7bc1cf2be6179471af12390be

SHA1
20d3524fca16485a22f82cce2b8fa70275e0468b

SHA256
4b560c3d1010068663b0c5dbbd08a1ba3b8a6bcf3b7dbb051cac7cfeea094500

SHA512
fa4cfb92db190d5f9d6186b2471a1d1625139a200098650a1d10cb482a0018e9bc15f0107c7cbc622012243585a3dfbb3a0084335d3824faacde046ad80a8669

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df6efb0ed3d667ecfd6b0bd8e97caced

SHA1
e59890a209e2da521b95d6d9f3678252af739852

SHA256
6c68ce01cf63855844daa5b0809a47dd23536f034e8ea7edb3be8a0c00a5f13a

SHA512
f153a612c6bee4ea31e0faf7fac39f3b6598386fa3d05d0772cc95473965bce889ad495114920575aef0d4af88c0560be0b0c24503c3ee69974d8d371eb92f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
badfd2cc1370be9fc38e57be5b420421

SHA1
3760974a1791752f9009f0e174685b380d531193

SHA256
54199b3fd5e2958e10becc89b431aea86fd899d5911a1a66bbd4aef1f868b1d5

SHA512
a43f57d61256d25b0c4d097dd0683dbb6921052322f5b6a7da5550d842aeb1a4ca4ca3d9e4afd767a8d8d4f9705018cd089cdacb1db54b2d5795986ea124b89a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
06355f2045f6f44db6c2b6969692d7ca

SHA1
99f86097ecb7f54e7ccba923c8161caae3c7a93d

SHA256
99c898d7d299d3880a0d26115e8c39d08e898dc4c3ef73634b9418fb6c8dcd17

SHA512
493984a5e36c92858b75e2929614a1ef8787de67424a6a947d322d6b91490210ac0f51001cf798c9f711c56781b71147d269729bff427df728446b277a26785c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57f8c7.TMP

Filesize
48B

MD5
4c53a56637ab0ab796879c478fae7257

SHA1
71c9e8423998300d84a27b7f5250edb61742dc59

SHA256
7979f8f05b9cf5ff0928c74ff3321e424bebd8bdee9c685729d030712b6ef729

SHA512
6f859c00067078bfea0afc1813fe804bbb27581fd9ca416e71b01ba5191faecc298a9740528b0d17cc855f3b2b90baef2c6d36183e4748de79150369627ff659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
72dba3cffbd689458a16e3a61a8da96a

SHA1
457abcece633ed633a9dc2c255aac29468c2c4d4

SHA256
23321cdde89346dba218b634db2cdda1770fa013ec20fe9d5f3ef6856f703f78

SHA512
8f1e532b40a795a09a383591f24a2fa6fadcf6cc45dfc26da004563e03a3b1b22128a55d142fef7e01d8f0b18d4576e4ab72d691a339801314d33424f293164c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ca74.TMP

Filesize
1KB

MD5
7e108cf0aca729111d0d62f25d5b4ba8

SHA1
068183985463678d2f9f997bbcc0ae58d0c26f03

SHA256
f51ef8ff33c515bcce65cfd171bb02bbad3f17d7c0c8352016c02ec921864008

SHA512
698b0b8ee19529cfcbfa29053db1edfebe4c0a0845cb5cc761451f65dc6bb4f6a74a1590fe12a2bb2974414af4a6d76074251f24d2eeda0c8c66eddcf080edfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f9bf8a71406ac8d34878b7e7a8b0161

SHA1
564625a75fa8925b913a118c819816134f33c83f

SHA256
7ec960a33bbaaa14c38bd629b5c3584fbac637ecc9ef1b37fdad1276ebc2ef16

SHA512
bbaf050883387ba7784f0daa8b6548bd51fb8854d7f2adfd9a8b6e2613096a8d9cb647e69c403f21d0bfa2f924610acd2f66c9e0434457935d9059973780766f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c610b59bb03db615c184fd070bf05b1f

SHA1
2ef1f396d6ca4b1205b1f341634fe1c91561d841

SHA256
0427c781b70dc31d3eeee4d786019d8d0989e64bd53f486ab938a57bda35ed58

SHA512
73e236fd59165637c3a5d6200569bca8fd94cfd23076986bd045683a9a2a466b1de61fb4d28793434cde2b0a0db3e0e1b658c6c96a9cd1c23bd4e7014c2f6227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e6bbe413a36028ef46bfa32e0c307316

SHA1
b0ea66336ae81c98efdbdacc01fb763c1abf4900

SHA256
54d8cd2badfe08eeb18105e38d3adfdfb06806891abcefc212c9c8bcc1746fad

SHA512
c307e8fdf0df6ee38eb0c5e8408ec97e90d5af0484e53b87674ef90d378b2af02771d46908c46c8c5f193a94bd1d3e689c482c50e6a19ce655aa5a516bd2ea2b

Download Submit
C:\Users\Admin\Downloads\New [v1.1.0]- UNC.zip

Filesize
30.0MB

MD5
783fd18b09dac65d20c4a792c300ec9d

SHA1
e4ec1e7ffb892238b75050c38ce39ab4057e70e6

SHA256
87a3163d456f089f5af7a5975b101e1edb04536ca9e97060a6df35560e75d190

SHA512
369763b5475d0d96171d4fdba26dc80d8a255a0d9ea7536a1cc679e5d1a6b9d1729d2f31c7835a73ec063f6b9c6beabc15d1d9adfb6ebad8029672617140d330

Download Submit
memory/2004-466-0x0000000002430000-0x0000000002488000-memory.dmp

Filesize
352KB

Download
memory/2004-467-0x0000000002430000-0x0000000002488000-memory.dmp

Filesize
352KB

Download