lumma | hxxps://github[.]com/beautilife4niko/Fortnitehck-sebi/blob/main/Click%20Here%20To%20Download[.]md#download-hack

Resubmissions

04-07-2024 15:52

240704-tbcatayelj 1

28-06-2024 15:07

240628-shj4kaxhmr 10

Analysis

max time kernel
51s
max time network
53s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 15:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/beautilife4niko/Fortnitehck-sebi/blob/main/Click%20Here%20To%20Download.md#download-hack

Score

10^/10

lumma stealer

Malware Config

Extracted

Family

lumma

https://closedjuruwk.shop/api

https://potterryisiw.shop/api

https://foodypannyjsud.shop/api

https://contintnetksows.shop/api

https://reinforcedirectorywd.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
Executes dropped EXE 1 IoCs

Processes:

github.software.1.2.4.exe

pid process

6080 github.software.1.2.4.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

github.software.1.2.4.exe

description pid process target process

PID 6080 set thread context of 4284 6080 github.software.1.2.4.exe RegAsm.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1648 6080 WerFault.exe github.software.1.2.4.exe

pid	process
6080	github.software.1.2.4.exe

description	pid	process	target process
PID 6080 set thread context of 4284	6080	github.software.1.2.4.exe	RegAsm.exe

pid	pid_target	process	target process
1648	6080	WerFault.exe	github.software.1.2.4.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 19 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3E0FB929-3560-11EF-86EC-FA8F9E8C279D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

2900 msedge.exe
2900 msedge.exe
3028 msedge.exe
3028 msedge.exe
2340 identity_helper.exe
2340 identity_helper.exe
4060 msedge.exe
4060 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
3028 msedge.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description pid process

Token: SeRestorePrivilege 1584 7zG.exe
Token: 35 1584 7zG.exe
Token: SeSecurityPrivilege 1584 7zG.exe
Token: SeSecurityPrivilege 1584 7zG.exe

pid	process
2900	msedge.exe
2900	msedge.exe
3028	msedge.exe
3028	msedge.exe
2340	identity_helper.exe
2340	identity_helper.exe
4060	msedge.exe
4060	msedge.exe

description	pid	process
Token: SeRestorePrivilege	1584	7zG.exe
Token: 35	1584	7zG.exe
Token: SeSecurityPrivilege	1584	7zG.exe
Token: SeSecurityPrivilege	1584	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe7zG.exeiexplore.exe

pid	process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
1584	7zG.exe
5592	iexplore.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe
3028	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

5592 iexplore.exe
5592 iexplore.exe
5656 IEXPLORE.EXE
5656 IEXPLORE.EXE
5656 IEXPLORE.EXE
5656 IEXPLORE.EXE

pid	process
5592	iexplore.exe
5592	iexplore.exe
5656	IEXPLORE.EXE
5656	IEXPLORE.EXE
5656	IEXPLORE.EXE
5656	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3028 wrote to memory of 3764	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3764	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 3500	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 2900	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 2900	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe
PID 3028 wrote to memory of 4052	3028	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/beautilife4niko/Fortnitehck-sebi/blob/main/Click%20Here%20To%20Download.md#download-hack
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffd15c846f8,0x7ffd15c84708,0x7ffd15c84718
2⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
2⤵
PID:3500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
2⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:2732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
2⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
2⤵
PID:5764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
2⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:5988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
2⤵
PID:5996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1936

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\github.software.1.2.4\" -ad -an -ai#7zMap15195:102:7zEvent29428
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1584

C:\Users\Admin\Downloads\github.software.1.2.4\github.software.1.2.4.exe
"C:\Users\Admin\Downloads\github.software.1.2.4\github.software.1.2.4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:4284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 276
2⤵
- Program crash
PID:1648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6080 -ip 6080
1⤵
PID:2896

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml"
1⤵
PID:5516

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5592

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5592 CREDAT:17410 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:5656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
445ff78d4b4dfe0cbbf217fe785d8fb3

SHA1
35d8a7193a0a69a3114fd3225e15aaee54493687

SHA256
59f825e96e34297987bf0775d9d1731b14e122293a414ca2844ac64073c316d9

SHA512
aa0681d71f92caaeb75b22e87d1694edcda7c8b902d6df86d48a8568ae0954984162d6c227b9ef74cf3008d176ec6c236ffdd6bfb6ca3539728ca9a861a2eba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c46dfaa1407bb58af01ba1455d6625da

SHA1
dbf1a74d60d2988cd350e6096afc84af84095813

SHA256
74087c5c764837f3eee360c442a8e0d0497cf0cd6ed18a8cb079e4ac156d1b58

SHA512
5b2f71442170c1d04a4ddb8d293ec01215153831089123c7c30d8b99dc52e9a607639af578140be6f2b9348539fe4fb4ecb56348bc92c7c9b85993c253e43dd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7e245909f0c72de331a1f7fb06c0a431

SHA1
416338766d16f699cd328a236a9d9199a91551c4

SHA256
d0f2131d4ad3d5f2034b80892004e5eb351ae607a2800ded13e44ae9d135ae2f

SHA512
d8e058359cc4d5ac10861731d5a4ca2607596534f2075ebdc1d682a7d040bd1465a79058317c9350906ae30a8ae5123a0be17fec34746de6e627e2a28e8bdc31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f97e388d1b93c8595c73b071381fbd79

SHA1
f900e22d2fab378c8dc99d6f61fe448a6d9d6397

SHA256
8256701784692a8c95b70115f7b51ff41ea47f961ace0fc655ebb83af3b8d89f

SHA512
b29237527d71a381a6df8b22f050a4afc93a21e0e88bd938968ad878ca10947153659641b88feef4daf140983dc9cc4e0c5db0f48a7e0bc5d2079ff9bc09ac6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57efee.TMP
Filesize
1KB

MD5
a2f86a03e74cef93f2a04fc3c094eaf1

SHA1
89801fb713383461e5c3bd2381a1f9f5ed7faa24

SHA256
fb5dcecc85a36d45d44640a08ee29621a265a0d6828f99875513acb378029e92

SHA512
a2b9011bdb7f0e65e1dd83cade13b6489d34c8a9301cbdf40058cdc0775a19beb96204a4674e13a312de098502d321330825e0b279381f51b4a8c05d88b9c653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ba55d6b3-c3c3-48fe-aa0d-737faf8ab59e.tmp
Filesize
6KB

MD5
7c362cb2cec8d9f853833cb680ec0774

SHA1
483b48896a3919e8780880a8b7d58a11d925d9d2

SHA256
13c5ef7b765e75eaa1dd8628197c0958d418a5236fd2bd24b650383965d2eb50

SHA512
1609ad22d7df7962edfebdd96d460ba00b70c1ab316631dbaa46b717eb2a79be6491c48bcab7782d889eadaae9592d18eef670bc24e5017b9d964264a64616ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4417200f0c849b1fd001401a2159c77f

SHA1
01b111dbdad8505132f3fd185e103969b90465af

SHA256
e4f66064299fb0b127fa8b4c4b0906c67f1b7ea385e09cf8e72658f031430a85

SHA512
aaf021726487fc7d7bc92827ac10ac4dba5fcbd94d10e15bc58d089cc6f30ea302c2e188cac8abffa218dd0310faabf60515ac949ae2484cddfb4354183d1931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2284bfe0c81d6ba9c6384bfeb28ff5ca

SHA1
7057de9cb189b681f0d8cb304de1e3f5c72220d4

SHA256
66570b01f50a06011c67b69c23a923a997e9f7ce6844de15c8d3f4bfeae73634

SHA512
c687f90651ce7cac58f1e0153a02a5e5060da01fc13c5c68f4ce3249bc44497e008cd2f2b9a7586ae633759d2715124c8b081d44916e7713f30d8005612d90f7

Download Submit
C:\Users\Admin\Downloads\github.software.1.2.4.7z
Filesize
2.2MB

MD5
68dd8a9d1c8f94c6133f6c154f0145e6

SHA1
5d6c0691fd9d2285a02638e5345df7a11c399a9d

SHA256
71345103a31733f2ba1b7417917e6cf1e108c003aa6688b387981174fb380d93

SHA512
b0549f25668f5037ff2162714af85c92b88c9acb5d151d4cecc4371c2fe57c5eaa9484392c10a17b1c0e2755af7eafde5ef4950d0592c5970ec7e2207a91fb13

Download Submit
C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml
Filesize
12KB

MD5
b76fd1efb6cc722c10507c442fc11faf

SHA1
2e329af3d3313b19adc5e80d7e01920311029b8c

SHA256
17091b0f4373e2ebd528dab3f5868c22170d4e8550ae4bebb74987c7f4eaba46

SHA512
71d60805be0ec8227e0949c7dcba32db51adead904e8cac44af43b7fd38451b962140a3edba760e21e79efb81827ded463ab75c606613156b9809474aee785c7

Download Submit
C:\Users\Admin\Downloads\github.software.1.2.4\github.software.1.2.4.exe
Filesize
520KB

MD5
b285aefc199a1d8630b2a325829c6504

SHA1
4326e4e97668bee90d7258250157d74ede45426a

SHA256
e28ee1216fcec55364effa71193510b42fe4bf48b2bf161a5deac24099a10ba1

SHA512
895b83ee3ab6071b3417010c9aab6d1819ecca41ad3613353742d6b1d9133864c7e2f6ed1ff1fa898786a17bfd9f68bcaa756a3a8534e53d044621c97b767cc4

Download Submit
\??\pipe\LOCAL\crashpad_3028_EPPTZJISJNSSQTTG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4284-1522-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/4284-1523-0x0000000000400000-0x0000000000459000-memory.dmp

Filesize
356KB

Download
memory/5516-1526-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1527-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1528-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1525-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1533-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1532-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1531-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1530-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download
memory/5516-1524-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp

Filesize
64KB

Download