Analysis
- max time kernel: 51s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 15:07
- Static task: static1
- URLScan task: urlscan1
General
Malware Config
Extracted: lumma
- https://closedjuruwk.shop/api
- https://potterryisiw.shop/api
- https://foodypannyjsud.shop/api
- https://contintnetksows.shop/api
- https://reinforcedirectorywd.shop/api
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  6080 | github.software.1.2.4.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 6080 set thread context of 4284 | 6080 | github.software.1.2.4.exe | RegAsm.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  1648 | 6080 | WerFault.exe | github.software.1.2.4.exe
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
- Modifies Internet Explorer settings
  Processes (description, ioc, process):
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3E0FB929-3560-11EF-86EC-FA8F9E8C279D} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  2900 | msedge.exe (x2)
  3028 | msedge.exe (x2)
  2340 | identity_helper.exe (x2)
  4060 | msedge.exe (x2)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (8 IoCs)
  Processes (pid, process):
  3028 | msedge.exe (x8)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
  Token: SeRestorePrivilege | 1584 | 7zG.exe
  Token: 35 | 1584 | 7zG.exe
  Token: SeSecurityPrivilege | 1584 | 7zG.exe (x2)
- Suspicious use of FindShellTrayWindow (35 IoCs)
  Processes (pid, process):
  3028 | msedge.exe (x33)
  1584 | 7zG.exe
  5592 | iexplore.exe
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process):
  3028 | msedge.exe (x24)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes (pid, process):
  5592 | iexplore.exe (x2)
  5656 | IEXPLORE.EXE (x4)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description, pid, process, target process):
  PID 3028 (msedge.exe) wrote to memory of child msedge.exe processes 3764, 3500, 2900 and 4052; 64 write events in total, each row repeated for the same source/target pair.
Processes
- "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/beautilife4niko/Fortnitehck-sebi/blob/main/Click%20Here%20To%20Download.md#download-hack
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0xe4,0x7ffd15c846f8,0x7ffd15c84708,0x7ffd15c84718
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2980 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5560 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5772 /prefetch:8
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3452 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2184 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3752 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  - "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,15493992418424521428,11056233247565909879,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2112 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\github.software.1.2.4\" -ad -an -ai#7zMap15195:102:7zEvent29428
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- "C:\Users\Admin\Downloads\github.software.1.2.4\github.software.1.2.4.exe"
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  - C:\Windows\SysWOW64\WerFault.exe -u -p 6080 -s 276
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6080 -ip 6080
- "C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml"
  - "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5592 CREDAT:17410 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 81e892ca5c5683efdf9135fe0f2adb15
  SHA1: 39159b30226d98a465ece1da28dc87088b20ecad
  SHA256: 830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
  SHA512: c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 56067634f68231081c4bd5bdbfcc202f
  SHA1: 5582776da6ffc75bb0973840fc3d15598bc09eb1
  SHA256: 8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
  SHA512: c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
  Filesize: 2KB
  MD5: 445ff78d4b4dfe0cbbf217fe785d8fb3
  SHA1: 35d8a7193a0a69a3114fd3225e15aaee54493687
  SHA256: 59f825e96e34297987bf0775d9d1731b14e122293a414ca2844ac64073c316d9
  SHA512: aa0681d71f92caaeb75b22e87d1694edcda7c8b902d6df86d48a8568ae0954984162d6c227b9ef74cf3008d176ec6c236ffdd6bfb6ca3539728ca9a861a2eba2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: c46dfaa1407bb58af01ba1455d6625da
  SHA1: dbf1a74d60d2988cd350e6096afc84af84095813
  SHA256: 74087c5c764837f3eee360c442a8e0d0497cf0cd6ed18a8cb079e4ac156d1b58
  SHA512: 5b2f71442170c1d04a4ddb8d293ec01215153831089123c7c30d8b99dc52e9a607639af578140be6f2b9348539fe4fb4ecb56348bc92c7c9b85993c253e43dd2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 7e245909f0c72de331a1f7fb06c0a431
  SHA1: 416338766d16f699cd328a236a9d9199a91551c4
  SHA256: d0f2131d4ad3d5f2034b80892004e5eb351ae607a2800ded13e44ae9d135ae2f
  SHA512: d8e058359cc4d5ac10861731d5a4ca2607596534f2075ebdc1d682a7d040bd1465a79058317c9350906ae30a8ae5123a0be17fec34746de6e627e2a28e8bdc31
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
  Filesize: 1KB
  MD5: f97e388d1b93c8595c73b071381fbd79
  SHA1: f900e22d2fab378c8dc99d6f61fe448a6d9d6397
  SHA256: 8256701784692a8c95b70115f7b51ff41ea47f961ace0fc655ebb83af3b8d89f
  SHA512: b29237527d71a381a6df8b22f050a4afc93a21e0e88bd938968ad878ca10947153659641b88feef4daf140983dc9cc4e0c5db0f48a7e0bc5d2079ff9bc09ac6d
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57efee.TMP
  Filesize: 1KB
  MD5: a2f86a03e74cef93f2a04fc3c094eaf1
  SHA1: 89801fb713383461e5c3bd2381a1f9f5ed7faa24
  SHA256: fb5dcecc85a36d45d44640a08ee29621a265a0d6828f99875513acb378029e92
  SHA512: a2b9011bdb7f0e65e1dd83cade13b6489d34c8a9301cbdf40058cdc0775a19beb96204a4674e13a312de098502d321330825e0b279381f51b4a8c05d88b9c653
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ba55d6b3-c3c3-48fe-aa0d-737faf8ab59e.tmp
  Filesize: 6KB
  MD5: 7c362cb2cec8d9f853833cb680ec0774
  SHA1: 483b48896a3919e8780880a8b7d58a11d925d9d2
  SHA256: 13c5ef7b765e75eaa1dd8628197c0958d418a5236fd2bd24b650383965d2eb50
  SHA512: 1609ad22d7df7962edfebdd96d460ba00b70c1ab316631dbaa46b717eb2a79be6491c48bcab7782d889eadaae9592d18eef670bc24e5017b9d964264a64616ba
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 4417200f0c849b1fd001401a2159c77f
  SHA1: 01b111dbdad8505132f3fd185e103969b90465af
  SHA256: e4f66064299fb0b127fa8b4c4b0906c67f1b7ea385e09cf8e72658f031430a85
  SHA512: aaf021726487fc7d7bc92827ac10ac4dba5fcbd94d10e15bc58d089cc6f30ea302c2e188cac8abffa218dd0310faabf60515ac949ae2484cddfb4354183d1931
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 2284bfe0c81d6ba9c6384bfeb28ff5ca
  SHA1: 7057de9cb189b681f0d8cb304de1e3f5c72220d4
  SHA256: 66570b01f50a06011c67b69c23a923a997e9f7ce6844de15c8d3f4bfeae73634
  SHA512: c687f90651ce7cac58f1e0153a02a5e5060da01fc13c5c68f4ce3249bc44497e008cd2f2b9a7586ae633759d2715124c8b081d44916e7713f30d8005612d90f7
- C:\Users\Admin\Downloads\github.software.1.2.4.7z
  Filesize: 2.2MB
  MD5: 68dd8a9d1c8f94c6133f6c154f0145e6
  SHA1: 5d6c0691fd9d2285a02638e5345df7a11c399a9d
  SHA256: 71345103a31733f2ba1b7417917e6cf1e108c003aa6688b387981174fb380d93
  SHA512: b0549f25668f5037ff2162714af85c92b88c9acb5d151d4cecc4371c2fe57c5eaa9484392c10a17b1c0e2755af7eafde5ef4950d0592c5970ec7e2207a91fb13
- C:\Users\Admin\Downloads\github.software.1.2.4\Data\trusterBourns\factual\anaxial.xml
  Filesize: 12KB
  MD5: b76fd1efb6cc722c10507c442fc11faf
  SHA1: 2e329af3d3313b19adc5e80d7e01920311029b8c
  SHA256: 17091b0f4373e2ebd528dab3f5868c22170d4e8550ae4bebb74987c7f4eaba46
  SHA512: 71d60805be0ec8227e0949c7dcba32db51adead904e8cac44af43b7fd38451b962140a3edba760e21e79efb81827ded463ab75c606613156b9809474aee785c7
- C:\Users\Admin\Downloads\github.software.1.2.4\github.software.1.2.4.exe
  Filesize: 520KB
  MD5: b285aefc199a1d8630b2a325829c6504
  SHA1: 4326e4e97668bee90d7258250157d74ede45426a
  SHA256: e28ee1216fcec55364effa71193510b42fe4bf48b2bf161a5deac24099a10ba1
  SHA512: 895b83ee3ab6071b3417010c9aab6d1819ecca41ad3613353742d6b1d9133864c7e2f6ed1ff1fa898786a17bfd9f68bcaa756a3a8534e53d044621c97b767cc4
- \??\pipe\LOCAL\crashpad_3028_EPPTZJISJNSSQTTG
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- memory/4284-1522-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/4284-1523-0x0000000000400000-0x0000000000459000-memory.dmp
  Filesize: 356KB
- memory/5516-1526-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1527-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1528-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1525-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1533-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1532-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1531-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1530-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB
- memory/5516-1524-0x00007FFCE4AB0000-0x00007FFCE4AC0000-memory.dmp
  Filesize: 64KB