lumma | hxxps://github[.]com/benali15/DiscordTool?tab=readme-ov-file

Analysis

max time kernel
179s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/benali15/DiscordTool?tab=readme-ov-file

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://harmfullyelobardek.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 5 IoCs

Processes:

github.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exe

pid process

680 github.software.1.2.1.exe
3460 github.software.1.2.1.exe
4212 github.software.1.2.1.exe
4144 github.software.1.2.1.exe
2924 github.software.1.2.1.exe

pid	process
680	github.software.1.2.1.exe
3460	github.software.1.2.1.exe
4212	github.software.1.2.1.exe
4144	github.software.1.2.1.exe
2924	github.software.1.2.1.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

github.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exegithub.software.1.2.1.exe

description	pid	process	target process
PID 680 set thread context of 1776	680	github.software.1.2.1.exe	RegAsm.exe
PID 3460 set thread context of 4528	3460	github.software.1.2.1.exe	RegAsm.exe
PID 4212 set thread context of 3140	4212	github.software.1.2.1.exe	RegAsm.exe
PID 4144 set thread context of 1416	4144	github.software.1.2.1.exe	RegAsm.exe
PID 2924 set thread context of 332	2924	github.software.1.2.1.exe	RegAsm.exe

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
988	680	WerFault.exe	github.software.1.2.1.exe
4980	3460	WerFault.exe	github.software.1.2.1.exe
1472	4212	WerFault.exe	github.software.1.2.1.exe
4948	4144	WerFault.exe	github.software.1.2.1.exe
3140	2924	WerFault.exe	github.software.1.2.1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133640198580878949"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 13 IoCs

Processes:

chrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.tmp	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\open	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\tmp_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\.tmp\ = "tmp_auto_file"	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

2052 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exechrome.exe

pid process

2308 chrome.exe
2308 chrome.exe
4664 chrome.exe
4664 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

OpenWith.exe

pid process

1876 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

2308 chrome.exe
2308 chrome.exe
2308 chrome.exe

pid	process
2052	NOTEPAD.EXE

pid	process
1876	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeRestorePrivilege	2376	7zG.exe
Token: 35	2376	7zG.exe
Token: SeSecurityPrivilege	2376	7zG.exe
Token: SeSecurityPrivilege	2376	7zG.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe
Token: SeShutdownPrivilege	2308	chrome.exe
Token: SeCreatePagefilePrivilege	2308	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe7zG.exe

pid	process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2376	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe
2308	chrome.exe

Suspicious use of SetWindowsHookEx 18 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid	process
3232	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe
1876	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2308 wrote to memory of 2584	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2584	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 2992	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4068	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 4068	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe
PID 2308 wrote to memory of 3228	2308	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/benali15/DiscordTool?tab=readme-ov-file
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc001fab58,0x7ffc001fab68,0x7ffc001fab78
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:2
2⤵
PID:2992

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:8
2⤵
PID:4068

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2192 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:8
2⤵
PID:3228

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:1
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3056 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:1
2⤵
PID:396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3008 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:8
2⤵
PID:3240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4800 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:1
2⤵
PID:1896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4724 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:8
2⤵
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:8
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 --field-trial-handle=1916,i,10096605411674874352,12794336286450937394,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4664

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2068

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\github.software.1.2.1\" -spe -an -ai#7zMap21663:102:7zEvent75
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2376

C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
"C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:2360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 680 -s 300
2⤵
- Program crash
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 680 -ip 680
1⤵
PID:1876

C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
"C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 280
2⤵
- Program crash
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3460 -ip 3460
1⤵
PID:4432

C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
"C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4212

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4212 -s 288
2⤵
- Program crash
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4212 -ip 4212
1⤵
PID:1444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7c138cb9-2ef2-4253-bc38-fb881ed78233.tmp
2⤵
PID:4488

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\A9R1m6v24j_7dafhs_3lo.tmp
1⤵
- Opens file in notepad (likely ransom note)
PID:2052

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\8cd70bed-4110-40fb-a043-51642bf860d7.tmp
1⤵
PID:1540

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7c138cb9-2ef2-4253-bc38-fb881ed78233.tmp
1⤵
PID:1304

C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
"C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:1416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4144 -s 288
2⤵
- Program crash
PID:4948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4144 -ip 4144
1⤵
PID:3272

C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
"C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2924 -s 288
2⤵
- Program crash
PID:3140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2924 -ip 2924
1⤵
PID:3268

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
8939d57aa1fb1bed12f1049d80574148

SHA1
5651684126506eab322261991ccbdb9ec272df46

SHA256
02baff1539a024217689d6dc82d475f606557a7764f2628248c9704bc236302b

SHA512
558269d80456f8250b9ad911aef8abe5074869a2ce40cbcdef17b259e5fdd0c31af20d9c1382f55e1bc2f58f7ade34358721ab29267e649f814809783ad5ecd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
875ac4483ae829c5965dfe783e76ee6c

SHA1
adfa9e549c927059b57babdd2a0e4abdd35e434e

SHA256
7f56c0808e6d2c1e6366caf0db4b68d14b25be031ffb439f84ec651dc60c24d6

SHA512
4bd6d009e994683fd7212b225dd3df2609c5afa802ae6dd6c44da2ac672d336a5aff6fcdeceee0f2556a39bc5a197fea3f025eb069d2264afa6894d9d99a31a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
d579f2a3e045d5a95f6a8c35ff4aa914

SHA1
e5277f240494a5985b473d702f6435c42a50e0e6

SHA256
614e2eb092f0a52b0823ebec6d50808978825a10c3706c0e77dd872d306bb9dc

SHA512
7b40ad8ae2b8550db1a51ba1c714b519b48faeba5442aa4342c40369509c78296474adb03a57a9a5a3c63b1dd2b087f220029c4b2b15a0c729eb2c22a61faafa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
05fb914bfc508de3ffb719a419560467

SHA1
47266d872c46d08f3de823ffd6a07bd387b27e26

SHA256
113c1983a203dac63f113a6a9f9d375f915bc047c933033bec6b284744fe6d04

SHA512
9835bfc48184b504640b0e582eacb10f7655a67d27b81c3dcd830745d58259c9cb9e434ff48cbde2c1bdba2babba38ccd3894fa400977c7a499342c4756d3022

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
9dbd6ad134b6756e89d305fc8d4ca90a

SHA1
706870e4560d5916cbb3158ce2ad53a0c02ef445

SHA256
2d50b5027966df179129abf569f911ad4862b20142bec40b3a53729b47effb7b

SHA512
b89b0cbb142c03bdba04cb08745cc1b76a6e4d104532f66b6c4ae51eb5521c41d4c0fe529d3f50a27a31d0260c40a0a3c73f27bd2657d0132f917dbdb3c388ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d881d4bf63a49c8844db1d9f079efb9f

SHA1
24e8b3576538694040f04c7ea95203de99a6a7e8

SHA256
926c84cbce685f6b77282f55653b2c6cdf23acc1141cf2843bcde6adbe61878b

SHA512
669bc06059a0db9ea35c1408cf1b0056af4a0e93f0c5a60a16c812e9347e3775ba92055e18e92f4a3f7c7e21683ffe02d8be611b5f16de66bfbdde311a8c8ef5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
5f437940827cb7d6d607895e22e58034

SHA1
5a2262536615aea2fd865ddf3efa1fa4213ce693

SHA256
5296da6f2ff5fccf2ba77501da4c0d19242419c91c28f3ab95ee7c8b590b532d

SHA512
a427d67bb2bff78d6d51de601c73c2adf38669141aa5a4aa43213655ec0d941c3f4e7b2a2d01c575faa5b5db7e7ee3b73d4a2c2b4deabce9b522bfdc8ca3cb0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
7fc6b3423e0695192f3c4f388241c81a

SHA1
732b5c22f5f132f5b941da4c91b63db5a6ff6d7b

SHA256
c1120398ca780a09546f420a389e635f869ff638f1a7cf018017d156c41df90d

SHA512
ea1ab5dda28ed6da15d1a26d723b7026a15c2195400c5c44f743860da401468c0e6e897f2c201a81c434334a17bb9e6b49186ebc01312b96068fde890235a818

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
255KB

MD5
adbffd21b9f0c89fdf081f3104eea6fb

SHA1
9414a1e3906b8c618d9f02a8460f0d7b70a0b747

SHA256
cbe8d77000712c0d0fb24d6994956a4ea2ab666abc6a7f9ead0510b0538df935

SHA512
2c5472fc8645abfb36bcc43a01b1e6f64a6940c1c7790a3beed720ee67a33b63ae1646d3c6985fa331c06ec2f88ef772a099301acc90898de3c0583fcdd6c9ca

Download Submit
C:\Users\Admin\Downloads\github.software.1.2.1.7z.crdownload
Filesize
2.2MB

MD5
a8ef328ed14126da1793c3b9f18e882a

SHA1
b95aaf6d819e6f1782dae5d31dace9a922d6ee3c

SHA256
84d7e17aefdb163bd50d8677700ff6f108944a820622260ac2c6f4bebef68002

SHA512
72175d90877505333b91165fab1fefdeb4910224d0131e21f3fb01266912c0de42ce05186286ddf8d91c499ecc188869f7215ec8e0a53bb33cb369871b51b37f

Download Submit
C:\Users\Admin\Downloads\github.software.1.2.1\github.software.1.2.1.exe
Filesize
524KB

MD5
8767a5ee5dd54a95857c626f01053ca4

SHA1
eb4eb27c757d3c955d79403dfda7148053ed77e6

SHA256
dde41dbf4e674e2cf049caf0bb6334c0d80604dbe58462cd45ddb5f82355d540

SHA512
a83a33fa7c644413b66efb6cfa9b0013b25b976a7667cfdc26dd5e8c6a73e7d2c043b1a2dc39884df71a3c41bb3ed22f23c93f3789b9d02dd44fbe956ca959bb

Download Submit
\??\pipe\crashpad_2308_SBTJFLHVXWAWBFRA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/680-1567-0x0000000002800000-0x0000000002801000-memory.dmp

Filesize
4KB

Download
memory/1776-1571-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1776-1570-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/1776-1568-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download