lumma | c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830

Analysis

max time kernel
120s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
04-05-2024 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
Size

327KB
MD5

1412042a6ccbe5ee52ec7c74817c5cc0
SHA1

5bddb6875ba766cdd1555822fdaa236077e458b9
SHA256

c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830
SHA512

1f0f97c6ffe3871a654e7980d83c56df352e8f1108ca70d22e4191ab9bc1f70b70ba3ec20e7e8ac21dbf8c914dfaa4bb29a95bf6f87572e301f541379899847f
SSDEEP

6144:2nPcZx74kpV067AWfRT0lX/ao/FP7b/a:2nPq74kpVr3fRT4vhb/a

Score

10^/10

lumma redline smokeloader logsdiller cloud (telegram: @logsdillabot)pub1 backdoor discovery infostealer persistence spyware stealer trojan vmprotect

Malware Config

Extracted

Family

smokeloader

Botnet

pub1

Extracted

Family

smokeloader

Version

2022

http://trad-einmyus.com/index.php

http://tradein-myus.com/index.php

http://trade-inmyus.com/index.php

rc4.i32

Extracted

Family

redline

Botnet

LogsDiller Cloud (Telegram: @logsdillabot)

5.42.65.96:28380

Extracted

Family

lumma

https://greetclassifytalk.shop/api

https://acceptabledcooeprs.shop/api

https://obsceneclassyjuwks.shop/api

https://zippyfinickysofwps.shop/api

https://miniaturefinerninewjs.shop/api

https://plaintediousidowsko.shop/api

https://sweetsquarediaslw.shop/api

https://holicisticscrarws.shop/api

https://boredimperissvieos.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5068-23-0x0000000000400000-0x0000000000452000-memory.dmp	family_redline
behavioral1/memory/1104-24-0x0000000000E90000-0x0000000000F0EFAE-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Downloads MZ/PE file

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

A277.exework.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	A277.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	work.exe

Deletes itself 1 IoCs

Processes:

pid process

3316
Executes dropped EXE 4 IoCs

Processes:

8A4A.exeA277.exework.exedwa.exe

pid process

1104 8A4A.exe
1004 A277.exe
4516 work.exe
4980 dwa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3316

pid	process
1104	8A4A.exe
1004	A277.exe
4516	work.exe
4980	dwa.exe

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.exe	vmprotect
behavioral1/memory/4980-77-0x0000000000C20000-0x000000000152C000-memory.dmp	vmprotect

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

File opened (read-only) \??\F: explorer.exe
File opened (read-only) \??\D: explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

99 drive.google.com
100 drive.google.com
Suspicious use of SetThreadContext 1 IoCs

Processes:

8A4A.exe

description pid process target process

PID 1104 set thread context of 5068 1104 8A4A.exe RegAsm.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe

flow	ioc
99	drive.google.com
100	drive.google.com

description	pid	process	target process
PID 1104 set thread context of 5068	1104	8A4A.exe	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe

Modifies registry class 10 IoCs

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{F4332707-3C3B-4B29-B385-10882CA06CCC}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

RegAsm.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob = 0b000000010000004800000054006900740061006e00690075006d00200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790000000200000001000000cc0000001c0000006c00000001000000000000000000000000000000010000007b00340031003700340034004200450034002d0031003100430035002d0034003900340043002d0041003200310033002d004200410030004300450039003400340039003300380045007d00000000004d006900630072006f0073006f0066007400200045006e00680061006e006300650064002000430072007900700074006f0067007200610070006800690063002000500072006f00760069006400650072002000760031002e00300000000000030000000100000014000000f1a578c4cb5de79a370893983fd4da8b67b2b06420000000010000000a03000030820306308201eea003020102020867f7beb96a4c2798300d06092a864886f70d01010b0500302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f72697479301e170d3233303331343130333532305a170d3236303631373130333532305a302e312c302a06035504030c23546974616e69756d20526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a028201010086e4577a5861ce819177d005fa51d5515a936c610ccfcbde5332cd151da647ee881a245c9b02833b02af3d76fe20bd3bfaf7a20973e72ebd9440d09d8c3d2713bdf0d09feb9532acd7a42da2a952daa86a2a88ee427d30959d90bfba05276aa02998a6986fc01306629b79b8405d1f1fa6d9a42f827afc7566340dc2de27012b94bb4a27b3cb1c219a3cb2c14203f34451bd626520edd4dbcc414f593f2acbc48479f7143cbe139cfd129c913e5303dc20f94c44358901b69a848d7ea02e308a311560ac00ae009a29109aeed9713dd8919b97ed598058e17f0726c7a020f710abc06291dfaaf181c6be6a76c89cb68eb0b0ec1cd95f326c7e55588bfd76c5190203010001a328302630130603551d25040c300a06082b06010505070301300f0603551d130101ff040530030101ff300d06092a864886f70d01010b0500038201010070851293d757e982797dc5f7f27da894ef0cdb329f06a6096e0cf604b0e54711560ef40f5282082e210f55a3db41f312548b7611f5f0dacea3c78b13f6fc243c02b106665be69e184088415b273999b877bee353a248cec7eeb5a095c2174bc9526cafe3372c59dbfbe758134ed351e5147273fec68577ae4552a6f99ac80ca8d0ee422af528858c6be81cb0a8031ab0ae83c0eb5564f4e87a5c06295d3903eee2fdf92d62a7f4d4054deaa79bcaebda4e8b1a6efd42aef9d01c7075728cb13aa8557c85a72532b5e2d6c3e55041c9867ca8f562bbd2ab0c3710d83173ec3781d1dcaac5c6e07ee726624dfdc5814cffd336e17932f89beb9cf7fdbee9bebf61	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe

pid	process
2076	c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
2076	c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316
3316

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe

pid process

2076 c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

Processes:

RegAsm.exeexplorer.exe

description	pid	process
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeDebugPrivilege	5068	RegAsm.exe
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	3316
Token: SeCreatePagefilePrivilege	3316
Token: SeShutdownPrivilege	1624	explorer.exe
Token: SeCreatePagefilePrivilege	1624	explorer.exe
Token: SeShutdownPrivilege	1624	explorer.exe
Token: SeCreatePagefilePrivilege	1624	explorer.exe
Token: SeShutdownPrivilege	1624	explorer.exe
Token: SeCreatePagefilePrivilege	1624	explorer.exe
Token: SeShutdownPrivilege	1624	explorer.exe
Token: SeCreatePagefilePrivilege	1624	explorer.exe
Token: SeShutdownPrivilege	1624	explorer.exe
Token: SeCreatePagefilePrivilege	1624	explorer.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

explorer.exe

pid process

1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe
1624 explorer.exe

Suspicious use of SendNotifyMessage 11 IoCs

Processes:

explorer.exe

pid	process
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe
1624	explorer.exe

Suspicious use of WriteProcessMemory 31 IoCs

Processes:

cmd.exe8A4A.execmd.exeA277.execmd.exework.exe

description	pid	process	target process
PID 3316 wrote to memory of 4352	3316		cmd.exe
PID 3316 wrote to memory of 4352	3316		cmd.exe
PID 4352 wrote to memory of 2620	4352	cmd.exe	reg.exe
PID 4352 wrote to memory of 2620	4352	cmd.exe	reg.exe
PID 3316 wrote to memory of 1104	3316		8A4A.exe
PID 3316 wrote to memory of 1104	3316		8A4A.exe
PID 3316 wrote to memory of 1104	3316		8A4A.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 1104 wrote to memory of 5068	1104	8A4A.exe	RegAsm.exe
PID 3316 wrote to memory of 1004	3316		A277.exe
PID 3316 wrote to memory of 1004	3316		A277.exe
PID 3316 wrote to memory of 1004	3316		A277.exe
PID 3316 wrote to memory of 1876	3316		cmd.exe
PID 3316 wrote to memory of 1876	3316		cmd.exe
PID 1876 wrote to memory of 2664	1876	cmd.exe	reg.exe
PID 1876 wrote to memory of 2664	1876	cmd.exe	reg.exe
PID 1004 wrote to memory of 4544	1004	A277.exe	cmd.exe
PID 1004 wrote to memory of 4544	1004	A277.exe	cmd.exe
PID 1004 wrote to memory of 4544	1004	A277.exe	cmd.exe
PID 4544 wrote to memory of 4516	4544	cmd.exe	work.exe
PID 4544 wrote to memory of 4516	4544	cmd.exe	work.exe
PID 4544 wrote to memory of 4516	4544	cmd.exe	work.exe
PID 4516 wrote to memory of 4980	4516	work.exe	dwa.exe
PID 4516 wrote to memory of 4980	4516	work.exe	dwa.exe
PID 4516 wrote to memory of 4980	4516	work.exe	dwa.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe
"C:\Users\Admin\AppData\Local\Temp\c5f161d1f09521ff8fad1700cfb59d01122f544a2aca8145ebb031fc900f9830.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7C30.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\8A4A.exe
C:\Users\Admin\AppData\Local\Temp\8A4A.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:5068

C:\Users\Admin\AppData\Local\Temp\A277.exe
C:\Users\Admin\AppData\Local\Temp\A277.exe
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1004

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:4544

C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
work.exe -priverdD
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4516

C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.exe"
4⤵
- Executes dropped EXE
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A7F6.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1876

C:\Windows\system32\reg.exe
reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1
2⤵
PID:2664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3944 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4984

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1624

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1372

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:4188

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:1996

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3276

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1924

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4348

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4340

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:3356

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:412

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1432

C:\Windows\explorer.exe
explorer.exe
1⤵
PID:1852

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
471B

MD5
b2be3aa06eca899c6add7d8e2fbe756c

SHA1
2a6ad86d85e563153ba679b3bb06723d6328378e

SHA256
6707a516b8275c19152e830b2df4200fad0a6c5e67dd74bf33716ca601a8f9c3

SHA512
dbec60514c87ed23f7a37ca57e5f12a35cf2dc3653c0a1ed7775c394a8bae242bff4ecb502a49f1635284d3a469ec5113318cb0313a72312804e90c81f4fdd69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
Filesize
412B

MD5
7d18194199e0315267054b86860cb60c

SHA1
4bd60830f4cf45ffe8bed3c88a3aec452ab12ded

SHA256
03e6e1bf6433d6d4c1a74ff71f59d56f965d78b4f1410fb16ef2c465c508f42e

SHA512
db916b5b48d0435a55bb7b9389c5d1924c672f61498b65403287660270a720f28ab138240d077735ec6bbcd565fa23c8eead8bc536c329082879d051b689a5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat
Filesize
1022B

MD5
7b5058e4550fa36515c5abb454ba8a4b

SHA1
fb6f6d9acbe9dd98af89d4f52d305fc3b951201b

SHA256
031e1533a094b24157d505d6907a1ede907247faa8d7d4b8570d111fb3c1417f

SHA512
1fc9e878a24d4f73ca058daeb7962ff211017104752846336aadcc960df36b3d0fa169485205db41a13175153f844dfdff9c27106461c431b0ea9a70e5384c51

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
Filesize
2KB

MD5
06dcbbe4f607c9aaed77f41d2884c128

SHA1
5b8e4343b290848247dbef7fb65216b2bc653788

SHA256
07b5bdde0595a67ffa0b0db15c66f4107af37c6ce2f2980ae3d795cf359e39af

SHA512
51e3a5ff24317e122fdd87d2648327d639050a72904dfc6d53db762751751aaa38539ff2731f68f5411f1540567dbfe2877ea681074f489d3ccde7c2f05534ea

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5MIHM5LV\microsoft.windows[1].xml
Filesize
96B

MD5
84209e171da10686915fe7efcd51552d

SHA1
6bf96e86a533a68eba4d703833de374e18ce6113

SHA256
04d6050009ea3c99cc718ad1c07c5d15268b459fcfb63fcb990bc9761738907b

SHA512
48d2524000911cfb68ef866dedac78ee430d79aa3f4b68399f645dc2066841e6962e11a3362cbcec46680357dcd3e58cfef9994450fed1d8af04df44f76b0dfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C30.bat
Filesize
77B

MD5
55cc761bf3429324e5a0095cab002113

SHA1
2cc1ef4542a4e92d4158ab3978425d517fafd16d

SHA256
d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a

SHA512
33f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155

Download Submit
C:\Users\Admin\AppData\Local\Temp\8A4A.exe
Filesize
545KB

MD5
ac8c87b06b3277dc1ab65a81e1d19f91

SHA1
9359a041424647faeffe4554d8114d6f112973ed

SHA256
cc42f751ec0816fd8eec9a607e7406c6714a1a4f1ad978574910233ba85157f6

SHA512
b1f34810b34df8289f535b2d4941765899c3218891753ec4daa9f837a71edb49823b90be0d052e4d7495aff5db9408534ae640ab563b5320c0b352b1f26a35b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\A277.exe
Filesize
6.1MB

MD5
8b3bbefcc1c79c7e7cc5d989b1f46f95

SHA1
9e059da37d9ab011448339248b608d0c73b0032d

SHA256
f1e2c84c28fc4a49de9f8f0b82de6b097166bf14e1f6f2d12e7f4d9976d06b56

SHA512
d9fac53449690ea287f0c3faa8023bc2d13f74b591a18eb364997af21eb444c8571627560bb88c2f9e3b8a75fb21f39d490d55f6ddcfc6427f402a6cc14ee7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat
Filesize
35B

MD5
ff59d999beb970447667695ce3273f75

SHA1
316fa09f467ba90ac34a054daf2e92e6e2854ff8

SHA256
065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2

SHA512
d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exe
Filesize
5.8MB

MD5
103b10f2b1c2828cea24787c661ac0bb

SHA1
457c715cee1677b3213347ba6c1fd3c72afe77d0

SHA256
207248dd1ada9a917eb7377753822221ff333bde9a0e6830d19e4fa66557c057

SHA512
4b661382631c313eab9fcadf73b427b25467cbc18fbd54e02bf5bfb63dfba64cc218b2c9f62c083e301b50e86b9edc0d2e591f7675ba12644f5066687ba5fb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\dwa.exe
Filesize
5.5MB

MD5
ba28897557a8f155911c61f77afde9c8

SHA1
0bf1c8b6edc7740dc4ac33733096092c0e67535f

SHA256
df2f6c1829899219f7773563a8d2d5b5f836581bc91460943d80471d50fb2ed7

SHA512
25efecbde55c327dd60db2d0c9698a8c4bc387040ddb469a26592b3f758fc3969a588ac81dde7f9e8c25a1103a4a877abf8e1136dd45b524f942a65290f482b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpD04B.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
64f236a3a9b89c06ffc38b9b53bcf129

SHA1
90377e5694c073cab4e920c6d8089430055ce3cc

SHA256
d272c54e79e2bae0b4266936e7ac41bde4cc15a4a313444c8486ee00aa5d404f

SHA512
81baa0c7910302dc86db0d918cbb426555165b7c28e3491106b95d3db9dde9a5542d7cc685b1a4c98a0dbc96533732de22adb0536356036b740491fb4f91d235

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
dba4c9da0667b893c996fe4158a6283c

SHA1
4a39bc4dab3997076369f623d2a7506ced7b88ce

SHA256
e6cc8c1bfa559ffdcb62d40a704206c2d3fa404f2dd94357a14a623b00d04d07

SHA512
5496d4a33c35482e80eab0c22336fe67f51b5f65a37c63305833a741cb8365b6d0dcff3ededcfaeab2f85dd7a8e86b8186b37124fcdf594fb752990729c7e405

Download Submit
memory/1104-22-0x0000000000F0B000-0x0000000000F0C000-memory.dmp

Filesize
4KB

Download
memory/1104-24-0x0000000000E90000-0x0000000000F0EFAE-memory.dmp

Filesize
507KB

Download
memory/1432-441-0x0000028BD31A0000-0x0000028BD31C0000-memory.dmp

Filesize
128KB

Download
memory/1432-410-0x0000028BD2DC0000-0x0000028BD2DE0000-memory.dmp

Filesize
128KB

Download
memory/1432-440-0x0000028BD2D80000-0x0000028BD2DA0000-memory.dmp

Filesize
128KB

Download
memory/1432-404-0x0000028BD1D00000-0x0000028BD1E00000-memory.dmp

Filesize
1024KB

Download
memory/1924-253-0x0000000003FD0000-0x0000000003FD1000-memory.dmp

Filesize
4KB

Download
memory/2076-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2076-2-0x0000000001AB0000-0x0000000001ABB000-memory.dmp

Filesize
44KB

Download
memory/2076-1-0x0000000001AC0000-0x0000000001BC0000-memory.dmp

Filesize
1024KB

Download
memory/2076-3-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2076-6-0x0000000000400000-0x0000000001A1B000-memory.dmp

Filesize
22.1MB

Download
memory/2076-4-0x0000000000400000-0x0000000001A1B000-memory.dmp

Filesize
22.1MB

Download
memory/2076-9-0x0000000001AB0000-0x0000000001ABB000-memory.dmp

Filesize
44KB

Download
memory/3276-112-0x0000011884700000-0x0000011884800000-memory.dmp

Filesize
1024KB

Download
memory/3276-117-0x0000011885500000-0x0000011885520000-memory.dmp

Filesize
128KB

Download
memory/3276-131-0x00000118854C0000-0x00000118854E0000-memory.dmp

Filesize
128KB

Download
memory/3276-113-0x0000011884700000-0x0000011884800000-memory.dmp

Filesize
1024KB

Download
memory/3276-137-0x0000011885B70000-0x0000011885B90000-memory.dmp

Filesize
128KB

Download
memory/3276-188-0x0000011895FE0000-0x0000011896000000-memory.dmp

Filesize
128KB

Download
memory/3316-5-0x0000000002F40000-0x0000000002F56000-memory.dmp

Filesize
88KB

Download
memory/3316-101-0x0000000002EB0000-0x0000000002EB1000-memory.dmp

Filesize
4KB

Download
memory/3356-403-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4188-110-0x0000000004330000-0x0000000004331000-memory.dmp

Filesize
4KB

Download
memory/4340-256-0x0000022B84300000-0x0000022B84400000-memory.dmp

Filesize
1024KB

Download
memory/4340-254-0x0000022B84300000-0x0000022B84400000-memory.dmp

Filesize
1024KB

Download
memory/4340-259-0x0000022B852D0000-0x0000022B852F0000-memory.dmp

Filesize
128KB

Download
memory/4340-276-0x0000022B85290000-0x0000022B852B0000-memory.dmp

Filesize
128KB

Download
memory/4340-291-0x0000022B858C0000-0x0000022B858E0000-memory.dmp

Filesize
128KB

Download
memory/4980-77-0x0000000000C20000-0x000000000152C000-memory.dmp

Filesize
9.0MB

Download
memory/4980-75-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/5068-27-0x00000000050C0000-0x0000000005152000-memory.dmp

Filesize
584KB

Download
memory/5068-97-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/5068-95-0x0000000008CC0000-0x00000000091EC000-memory.dmp

Filesize
5.2MB

Download
memory/5068-94-0x00000000085C0000-0x0000000008782000-memory.dmp

Filesize
1.8MB

Download
memory/5068-93-0x0000000005430000-0x0000000005480000-memory.dmp

Filesize
320KB

Download
memory/5068-90-0x00000000068A0000-0x0000000006906000-memory.dmp

Filesize
408KB

Download
memory/5068-89-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/5068-88-0x0000000006740000-0x000000000678C000-memory.dmp

Filesize
304KB

Download
memory/5068-87-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/5068-86-0x00000000065D0000-0x000000000660C000-memory.dmp

Filesize
240KB

Download
memory/5068-85-0x0000000006570000-0x0000000006582000-memory.dmp

Filesize
72KB

Download
memory/5068-84-0x0000000006630000-0x000000000673A000-memory.dmp

Filesize
1.0MB

Download
memory/5068-83-0x0000000006AE0000-0x00000000070F8000-memory.dmp

Filesize
6.1MB

Download
memory/5068-78-0x00000000064A0000-0x00000000064BE000-memory.dmp

Filesize
120KB

Download
memory/5068-74-0x0000000005E20000-0x0000000005E96000-memory.dmp

Filesize
472KB

Download
memory/5068-42-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/5068-36-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/5068-26-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/5068-25-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/5068-23-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download