lumma | hxxps://github[.]com/maybell91dickieaq/Discord-AllinOne-Tool/releases/download/Release/Discord-AllinOne-Toolt[.]zip

Analysis

max time kernel
71s
max time network
74s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 19:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/maybell91dickieaq/Discord-AllinOne-Tool/releases/download/Release/Discord-AllinOne-Toolt.zip

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://encirelk.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4020 set thread context of 3636	4020	Discord-AllinOne-Tool.exe	135

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3396	4020	WerFault.exe	132

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord-AllinOne-Tool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Discord-AllinOne-Tool.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
3692	msedge.exe
3692	msedge.exe
3724	msedge.exe
3724	msedge.exe
4384	identity_helper.exe
4384	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 3996	444	msedge.exe	83
PID 444 wrote to memory of 3996	444	msedge.exe	83
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 1440	444	msedge.exe	85
PID 444 wrote to memory of 3692	444	msedge.exe	86
PID 444 wrote to memory of 3692	444	msedge.exe	86
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87
PID 444 wrote to memory of 4120	444	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/maybell91dickieaq/Discord-AllinOne-Tool/releases/download/Release/Discord-AllinOne-Toolt.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96a2446f8,0x7ff96a244708,0x7ff96a244718
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3536 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7132 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3084 /prefetch:1
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,16142923347400028464,7124675377884938716,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1968 /prefetch:1
  2⤵
  PID:3492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4092

C:\Users\Admin\Downloads\Discord-AllinOne-Tool.exe
"C:\Users\Admin\Downloads\Discord-AllinOne-Tool.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4020
- C:\Users\Admin\Downloads\Discord-AllinOne-Tool.exe
  "C:\Users\Admin\Downloads\Discord-AllinOne-Tool.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3636
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4020 -s 820
  2⤵
  - Program crash
  PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4020 -ip 4020
1⤵
PID:5508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
1e5b0aa244e5826595b2b04e8e65be04

SHA1
4078edcb7a1cc50d3141a26622021300cdc6de88

SHA256
e6c418a255f7b967bc5a55050eacb02d3819c74ac5dccd29fce7520b11562d8b

SHA512
af47db556d79f8fe15d4877db38c3196abb23bc05f73390ea22870229271d0577765bba230a4305cb367fd7f751e6e4bfbcc535b3c94659ba1010267ba994dd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
8abb2f4271686a74d1e91f1759afd2ba

SHA1
f42bc560f702bc5129895bcedd5cd819068fa441

SHA256
f5f6c47795fd5eeee853f9bf87725dfa1e9598f4c4a605a2c4d65b4d39a2fdd7

SHA512
c740e901d6ed601f7f5a684db07824ec0102745526b163d9786544773ac5bc816f9e9af247b2b9b0bd1576b1794a429a9dfdd259e0f101fb3271515b1e78f20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d2cef64176e3b365f90ce953bda5ad0c

SHA1
796bc9da236cf078bd05855600a676761b104f9d

SHA256
f23d0d8cc85342da9525805c7f273d7f6599608681a3bb24352e680cb84afd0f

SHA512
665008c68000f4d4ce09e1e3920fbe4ca4732dd4ad5ab6b1c064ec67685ffaad4f8cf76d85626252ab097d06c9c6172b7e83c9e554dc835cca100ac5284cc393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9354ad63e8fdba2d47878d0990e9f61d

SHA1
50622c6315000604a6b9bab9165029d1dd16a158

SHA256
b8528bb74b41687c8881e6288f38ca0fa6667cfb763f89a115191b193280f986

SHA512
433fcc0d0f47dec271eb6883792a48a5d27c2c05d256ea304504d79293883420e3d1b398ffa6691e89b16ae9a16598da25879d45a0a6401e34a00eb48e838eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5745760329aa7ba11989233283b36fed

SHA1
8ad2c950dce33cff24ff4f4580bfc7828f8bc15a

SHA256
b408fd22e4f08be241f0453383bc6c01cf758dd752cda81ea30d8e6973339db8

SHA512
54e752d573ea130a8991b5a54bbaf4b301b88209286cb0cfad6a63da7b961840ab8b03a65ba03a4bfaf3cc532f2637581d93d05c721e97e3d71bcaa0a7e0989c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7af21a92b2f37c43f7dbb7a17c981ff2

SHA1
0dd2f914b8d0c6b9104470e7b3292fce3d8abb17

SHA256
b0df959297906dd5a50e73baf342cdb4fe7885b01a47922b065e662c2d5e11a4

SHA512
3f49b8cf991905b783c657fc9a5ea9d5c6e4bdd978b97615a6b3bc3eebc4738f53e123691dbebbd6d9ef96a129dbfac11e11fd3da385df5f73dbed2687f7333d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
faa96cc5d7c882686f0ca45540606137

SHA1
0185410be487ac0f380d626ad7f00e5f0721dd91

SHA256
548e1d15df476c6c707ab3fb6fbeb624b3d7c7b15b6c3a44513b2e38c2d50436

SHA512
7837f7c4b404aca317f412d39bd3e36680e47a4bb8e9804df5f543e68c46aa2e1fecd874793fe09ebb24e0ab342fd50421ee1f6209b6ae946be3ae2547046b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583b6e.TMP

Filesize
203B

MD5
da3993ef5bc9f71837fa224e92c78693

SHA1
2b94edb8ee8c6241dc8d2d3292d07a649b50d249

SHA256
c856103aeb05a89c7883c89b37d2ebafec094c353944fef40ead3d144196dc49

SHA512
bfad9ed581d53d80d3c02f96447ab64688167c0d70b50b83b28a97e11f9fceb19ad8db1bdfeddae45d65bbe85d3ce1930f913aea7bb7befc317f3811aa18fd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c1b667486e9c33cb9e0262d362b26fd2

SHA1
78201cfd534f3bce3e6925a13a07da2778f5aea5

SHA256
39e0025e9b124387d09d0bbd83911a08b0331a498933f55a08a172b1bc100a96

SHA512
0a71dba3c2ebd36ad28f8f3e1e27044dc9ab8291570d11a104cdfa681922d64fbdde188b9645441fe84e0c3112b99b9e3a776ca19cc01aa82acf5e9819d0930d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
720e1d4aba9f7d46ac503cfcbba7f096

SHA1
4da92744823aeed059eb58926b5b1ee2d8023bbc

SHA256
bebd3ebd725f062916a4ae0c414f6437e87520f04223188175b87c603230c119

SHA512
7391b3f346f699df7047ac00b1a43e5d5814593637159eb8d116903a2ecf56de0627c0ec65d7c22718378ebe49d29334f0b674f560c68bba0ab6250b9d7c90ca

Download Submit
C:\Users\Admin\Downloads\Discord-AllinOne-Toolt.zip

Filesize
18.6MB

MD5
3ead33e1c07ec50c06140bad474d2b27

SHA1
a52982222b6991e459d0dc89c75828a312200a52

SHA256
5c3f5cb822e18e98919f21d067519b72785c37f9600d02abe7395d6377423e9c

SHA512
73fd62c6befe588c8ef2c8775261d070026aa5bd907235917a17e2d6ab06e523bc7b9b2ba42c5f50d806009c6b0766a96d0bc3ad6579586257da5b201787870e

Download Submit
memory/3636-202-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3636-201-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4020-198-0x00000000004B0000-0x000000000050E000-memory.dmp

Filesize
376KB

Download
memory/4020-199-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download