Analysis

max time kernel: 134s
max time network: 116s
platform: windows10-2004_x64
resource: win10v2004-20240709-uk
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-uk locale:uk-ua os:windows10-2004-x64 system:windows
submitted: 10-07-2024 21:57
Static task: static1
URLScan task: urlscan1
Malware Config

Extracted family: lumma
Signatures

Executes dropped EXE (2 IoCs)
Processes:
  pid   Process
  4372  github.software.1.3.9.exe
  4432  github.software.1.3.9.exe
Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)

Suspicious use of SetThreadContext (2 IoCs)
Processes:
  description                 pid   Process                    procid_target
  set thread context of 3616  4372  github.software.1.3.9.exe  108
  set thread context of 2484  4432  github.software.1.3.9.exe  110
Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                                                                                     Process
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                            taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                         taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A  taskmgr.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName                                            taskmgr.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000                                                         taskmgr.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
  description        ioc                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Modifies data under HKEY_USERS (2 IoCs)
Processes:
  description      ioc                                                                                                        Process
  Key created      \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry                                       chrome.exe
  Set value (int)  \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133651222831542076"  chrome.exe
Modifies registry class (2 IoCs)
Processes:
  description  ioc                                                                               Process
  Key created  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings  7zFM.exe
  Key created  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings  chrome.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; identical repeated rows collapsed)
Processes:
  pid   Process
  3996  chrome.exe
  2652  7zFM.exe
  3292  taskmgr.exe
  4220  taskmgr.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
Processes:
  pid   Process
  2652  7zFM.exe
  4220  taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
Processes:
  pid   Process
  3996  chrome.exe
  3996  chrome.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs; identical repeated rows collapsed)
Processes:
  description                          pid   Process
  Token: SeShutdownPrivilege           3996  chrome.exe
  Token: SeCreatePagefilePrivilege     3996  chrome.exe
  Token: SeRestorePrivilege            2652  7zFM.exe
  Token: 35                            2652  7zFM.exe
  Token: SeSecurityPrivilege           2652  7zFM.exe
Suspicious use of FindShellTrayWindow (64 IoCs; identical repeated rows collapsed)
Processes:
  pid   Process
  3996  chrome.exe
  2652  7zFM.exe
  3292  taskmgr.exe
  4220  taskmgr.exe

Suspicious use of SendNotifyMessage (64 IoCs; identical repeated rows collapsed)
Processes:
  pid   Process
  3996  chrome.exe
  3292  taskmgr.exe
  4220  taskmgr.exe
Suspicious use of WriteProcessMemory (64 IoCs; identical repeated rows collapsed)
Processes:
  description               pid   Process     procid_target
  wrote to memory of 3272   3996  chrome.exe  83
  wrote to memory of 472    3996  chrome.exe  84
  wrote to memory of 5072   3996  chrome.exe  85
  wrote to memory of 1872   3996  chrome.exe  86
Processes

"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/knightxanavsem/PremierePro2024
  PID: 3996
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fffa333cc40,0x7fffa333cc4c,0x7fffa333cc58
      PID: 3272
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1896,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1888 /prefetch:2
      PID: 472
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2172,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2160 /prefetch:3
      PID: 5072
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2368 /prefetch:8
      PID: 1872
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3172 /prefetch:1
      PID: 4116
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3160,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3344 /prefetch:1
      PID: 3068
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4464,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4728 /prefetch:8
      PID: 5080
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4668,i,8666039224470492011,655430454624537333,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4728 /prefetch:8
      PID: 944

"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
  PID: 2636

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
  PID: 4208

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4388

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\git.software_v1.3.9.7z"
  PID: 2652
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zOC5AEE748\Read me.txt
      PID: 4036

"C:\Windows\system32\taskmgr.exe" /4
  PID: 3292
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
    "C:\Windows\system32\taskmgr.exe" /1
      PID: 4220
      - Checks SCSI registry key(s)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

"C:\Users\Admin\Desktop\Setup\github.software.1.3.9.exe"
  PID: 4372
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 3616

"C:\Users\Admin\Desktop\Setup\github.software.1.3.9.exe"
  PID: 4432
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
    C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
      PID: 2484
Network
MITRE ATT&CK Enterprise v15
Downloads