lumma | 5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3

Analysis

max time kernel
133s
max time network
299s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
16-09-2024 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe
Size

282KB
MD5

50f3f2766c704399745f68056e6d19e3
SHA1

e26dc9cf5dca4bac8f3d55ffcbd150dc4c43db00
SHA256

5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3
SHA512

08eefee1a5a9609b205dfa06bfd193feda33265eb95ed580025273d94e4b7b7374dab73aaae9b0d09afea133e9a2496b1febe7e6454e7ae4503ada8dc6fceca9
SSDEEP

6144:/IaNhC/ypbJQ3EdBksW7gUDvCtGKha1OX2x3UqCs9c9g2S2YEO:waNh40Q3Ed2sW7gtGOUw2RUHykDhYEO

Score

10^/10

lumma stealc vidar default credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

https://t.me/edm0d

https://steamcommunity.com/profiles/76561199768374681

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 OPR/110.0.0.0

Extracted

Family

stealc

Botnet

default

http://46.8.231.109

Attributes

url_path
/c4754d4f680ead72.php

Extracted

Family

lumma

https://complainnykso.shop/api

https://basedsymsotp.shop/api

https://charistmatwio.shop/api

https://grassemenwji.shop/api

https://stitchmiscpaew.shop/api

https://commisionipwn.shop/api

Signatures

Detect Vidar Stealer 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/1496-4-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-7-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-9-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-28-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-29-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-45-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-46-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-72-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-73-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-80-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/1496-81-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-114-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-118-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-116-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-199-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-208-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-234-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/5040-235-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3336-237-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7
behavioral2/memory/3336-238-0x0000000000400000-0x0000000000657000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
304	BFHJECAAAF.exe
2924	HDAFHIDGIJ.exe
2328	AdminDHJDAFIEHI.exe
2852	AdminBFHJECAAAF.exe

Loads dropped DLL 4 IoCs

pid	Process
1496	RegAsm.exe
1496	RegAsm.exe
996	RegAsm.exe
996	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3716 set thread context of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 304 set thread context of 996	304	BFHJECAAAF.exe	80
PID 2924 set thread context of 5040	2924	HDAFHIDGIJ.exe	86
PID 2328 set thread context of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2852 set thread context of 3336	2852	AdminBFHJECAAAF.exe	103

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminDHJDAFIEHI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HDAFHIDGIJ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdminBFHJECAAAF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BFHJECAAAF.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
928	timeout.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
996	RegAsm.exe
996	RegAsm.exe
1496	RegAsm.exe
1496	RegAsm.exe
5040	RegAsm.exe
5040	RegAsm.exe
996	RegAsm.exe
996	RegAsm.exe
5040	RegAsm.exe
5040	RegAsm.exe
3336	RegAsm.exe
3336	RegAsm.exe
3336	RegAsm.exe
3336	RegAsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 3716 wrote to memory of 1496	3716	5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe	75
PID 1496 wrote to memory of 304	1496	RegAsm.exe	77
PID 1496 wrote to memory of 304	1496	RegAsm.exe	77
PID 1496 wrote to memory of 304	1496	RegAsm.exe	77
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 304 wrote to memory of 996	304	BFHJECAAAF.exe	80
PID 1496 wrote to memory of 2924	1496	RegAsm.exe	81
PID 1496 wrote to memory of 2924	1496	RegAsm.exe	81
PID 1496 wrote to memory of 2924	1496	RegAsm.exe	81
PID 2924 wrote to memory of 3880	2924	HDAFHIDGIJ.exe	83
PID 2924 wrote to memory of 3880	2924	HDAFHIDGIJ.exe	83
PID 2924 wrote to memory of 3880	2924	HDAFHIDGIJ.exe	83
PID 2924 wrote to memory of 5052	2924	HDAFHIDGIJ.exe	84
PID 2924 wrote to memory of 5052	2924	HDAFHIDGIJ.exe	84
PID 2924 wrote to memory of 5052	2924	HDAFHIDGIJ.exe	84
PID 2924 wrote to memory of 2620	2924	HDAFHIDGIJ.exe	85
PID 2924 wrote to memory of 2620	2924	HDAFHIDGIJ.exe	85
PID 2924 wrote to memory of 2620	2924	HDAFHIDGIJ.exe	85
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 2924 wrote to memory of 5040	2924	HDAFHIDGIJ.exe	86
PID 1496 wrote to memory of 524	1496	RegAsm.exe	87
PID 1496 wrote to memory of 524	1496	RegAsm.exe	87
PID 1496 wrote to memory of 524	1496	RegAsm.exe	87
PID 524 wrote to memory of 928	524	cmd.exe	89
PID 524 wrote to memory of 928	524	cmd.exe	89
PID 524 wrote to memory of 928	524	cmd.exe	89
PID 996 wrote to memory of 3828	996	RegAsm.exe	90
PID 996 wrote to memory of 3828	996	RegAsm.exe	90
PID 996 wrote to memory of 3828	996	RegAsm.exe	90
PID 3828 wrote to memory of 2328	3828	cmd.exe	92
PID 3828 wrote to memory of 2328	3828	cmd.exe	92
PID 3828 wrote to memory of 2328	3828	cmd.exe	92
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94
PID 2328 wrote to memory of 4052	2328	AdminDHJDAFIEHI.exe	94

C:\Users\Admin\AppData\Local\Temp\5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe
"C:\Users\Admin\AppData\Local\Temp\5ee0d7eda49cc7bcf2e445c36be3253e971ce4e8147537a8d4a02918411777f3.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\ProgramData\BFHJECAAAF.exe
    "C:\ProgramData\BFHJECAAAF.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminDHJDAFIEHI.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3828
      - C:\Users\AdminDHJDAFIEHI.exe
        
        "C:\Users\AdminDHJDAFIEHI.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminBFHJECAAAF.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3380
      - C:\Users\AdminBFHJECAAAF.exe
        
        "C:\Users\AdminBFHJECAAAF.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3232
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:3336
- - C:\ProgramData\HDAFHIDGIJ.exe
    "C:\ProgramData\HDAFHIDGIJ.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:3880
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:5052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:5040
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\AFBAFBKEGCFB" & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\BFHJECAAAF.exe

Filesize
207KB

MD5
cd6646d9eddb6ed8900b5bd9da0597f2

SHA1
d87cb53b2b10d804721c80894bccbc989df5acae

SHA256
743948a05fa7b9a001b346699bc9fd4d645b755bc7ef73802b2a139288910f24

SHA512
39060c059137fd3fd00405043e97608481bf2035090a0f5aafebec84975c701296e9227f3e61977a14d9767830be4cdf1b2fd36c443643b73ec135f438b8a8b6

Download Submit
C:\ProgramData\CGIJECFIECBFIDGDAKFH

Filesize
6KB

MD5
cfca3b738515df705cccdbde7b87a558

SHA1
9105f681f71e218d3fa2b797f01ed1319f232e15

SHA256
36de790a6b92b2e72bb848afaca58a872995ac1833799b205e8331c24f30907a

SHA512
b9f2cc7494123b1826bcf6386f5601aeb4b37d03620a19c9d8f27df01b96565c9fcc4cd4012a9e93b28ed1c2524ce82a3e219f614061ccecff4e32b6fefe2ea5

Download Submit
C:\ProgramData\HDAFHIDGIJ.exe

Filesize
283KB

MD5
449d3f0970fc9cd91a8f4bea664a0cd6

SHA1
2a2624a79afaf0fcb01c44f8106c8bf8933106e0

SHA256
33da286e78538e3f5eda7b23c70578a1fda8a5b98069bd269b8a6035babe2b23

SHA512
e7888f333695f9fe1cda7db15f154a1261ec7cb1b67e6efb9b5c19183f5b092bea736ca768a60a5f102982a3c8e5ea1bd79035ab15f3db37c104dad9c5a48d33

Download Submit
C:\ProgramData\HIIDGCGCBFBA\DAKJDA

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\HIIDGCGCBFBA\IDBAKK

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\KJJJJDHI

Filesize
92KB

MD5
dc89cfe2a3b5ff9acb683c7237226713

SHA1
24f19bc7d79fa0c5af945b28616225866ee51dd5

SHA256
ceddefa824f1dd6e7e669d4470e18e557c22fe73359f5b31edf4537473b96148

SHA512
ee5d047e1124351997ecfaa5c8bd3e9ce8a974ac281675cda4d0a55e40f3883336a2378b9ebf3d1f227d01b386c26473c32e39bcab836da2b392bf778a6cf5c2

Download Submit
C:\ProgramData\freebl3.dll

Filesize
150KB

MD5
53a3d6abd6480cefc29706c7e4d97c0f

SHA1
09c388645598d35568268db177bdff4027d03745

SHA256
4b1af36b6b32d6ba4853859d28ec2b55c9acb4997bd8bf596104643c638e4486

SHA512
20e5e8c420e4fa8d90b5dd04e85647c36bef55a9102398a19d969a20d659652d4dac4d04bec2d0bb3157c03b3aeb8c92b289b8d2205fa41783454d3d4c81d460

Download Submit
C:\ProgramData\softokn3.dll

Filesize
3KB

MD5
73e041df8bf801a8003ceb28b87e7e08

SHA1
387d0766dd76f31285f9354c1a7a92ad78253336

SHA256
44499ae5442abd53b4426c6ca04590a3a30d81b3ec55a26449bef9012426647b

SHA512
fb838b4d7088114961234fdaac1b2cde26e37d5b914e45386b436c9dcd99f99b2f8e36cc194d8df55863d9f92171324ec2816ded8e433dd865edcd36104a61ab

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
2KB

MD5
b20ab20e66674e9e90ab34e7194f9ba0

SHA1
12f4001c266ba1d19b8d4296f306d1bcdb328c27

SHA256
67a1e0fc68a7c7a542062ada8ff78a72ce74e2e3f7438608f20661a57e7a9486

SHA512
52739c35c4a8586b67f33b6bfc637b21fcd457f4a28740ea7ad255851cfdd8f6a04e5d8b0b8f63593e5140efaa13bdd38d346d3467e259b1a158333c804188a0

Download Submit
C:\Users\AdminDHJDAFIEHI.exe

Filesize
321KB

MD5
5831ebced7b72207603126ed67601c28

SHA1
2ba46b54074675cc132b2c4eb6f310b21c7d7041

SHA256
02097348db100eb22d46dc474a1078b5ddbb56ee916cc81f24fadd0a6938ac58

SHA512
a9924ef2373851156d981bc3c5b5d533e8b510abf6c3f12e62af0c019e740f0d077efb8f7f93699d797335df33013c72fd9ead3b2253dd82f14b7b330faacb8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
2KB

MD5
375415776602c95039b112490beef7b8

SHA1
60c665ce93548d1634b3b86419a0b31ed2ef267d

SHA256
7adb9f2f9214814e7d669a867636b029862d5840cbfde3805be93d04f37a8939

SHA512
f6f26f2b52be8f8815f354da5e1fd50de93e6b40a79ca6535b055e03db7cf01ef3a5017e1d857f2a3b8f5ec27103e3f053f613ec7343da1d3fb008894db73939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
2KB

MD5
4f28f91cf083663dc10c8c83d7fec78a

SHA1
4874e9a130dfa66257800c7e4c53f370fd29db84

SHA256
fa6b9ac9ae1c57705c63fb5fe4cb721582f236dde25668a5f63a59769cb99287

SHA512
e27e3df78d6c0bd6dde4479ef8538e7da4d907fcb2c31ae792b4bb7190465ff6a8f4651281a9a2bbad4939b4d0288feb22666945675b51f99b35611e2c8a8244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B84E13677C80694CBFF0221DAF79ACF3

Filesize
504B

MD5
86950f5a653e1624573277324dd5f88b

SHA1
771a75f62e942505dd4eb449dd8f090d2ee04183

SHA256
77595f3804a8300e7712e3f88ab1dd47bea3596ec5f63178dedadb21da21af7b

SHA512
3678d88496e446a04ffc5103e0a08b250b256729d93c68f26e6840d455c5bf084baf99ea506d27f0f63fb3ef0a2849179dd53032a5f5fa8b46b9da97d3c18b1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
1KB

MD5
30bbf79a5d8e291a526458c43603682c

SHA1
0d9a5f1a13a800b416cb803da570a1e82a2e40c1

SHA256
1c045ef45ff87b7422faef763da35e239c0d278f0d3d8fefa86f44d3b753da21

SHA512
2a415850423404cca839f5202a74799f17ab25f623d3b8d9e622e97488b769ced88f72ff1f2fc8101b0c7dc299d6329c10442b247b4c0a408cace5428f97e98a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
811f9d57a9c8d6d0284574ad250a92b3

SHA1
8f8f5c6b91f4758879bab5e9ed6cfdb882b35905

SHA256
e705b2b14f60e9d73eba2617ec2a669b037ed46e07ea2ec53bb463ee3b2dff65

SHA512
9ed0e5531c4dbd1c9e05db5c53ba4eba599806f4334908254e7e52b34f98198850a3ae9bdb84934a45124aae430293cd06a4fd37b79a88ede3697e1a92ba0d66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\156887258BBD6E1FEF562837733EA04E_5BBC02CEDFD3F7AC9E268D830CF231EE

Filesize
458B

MD5
86f44d3eb181befc8c7d6c5d44f12727

SHA1
4c272f229002d4ffa09692da4aa8e5e6001a095d

SHA256
3bd8bd32534015152f90e40c3c187fa43784dd02021e70a3f709cd630250090c

SHA512
69d0d73507ae5b996257f0a76115c8b760110e387e9f1fcf6777ae596332a33d38b29898b59eb3b65013a459cb90d230e2e9894e14a35d28d64104706eeae7cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
fa46033e9e1f50846c79355fff466fd0

SHA1
10d548d67369a0c9c64aeb22c35267f0ab91ed1a

SHA256
5f17f6ada1b4e4762b21027c4b5a83863b41c4f87d86681e0e8365b01aef01d2

SHA512
eb0614d673e23d443a0d6cea386367bb044c54e9a76d51ea906a639c66e57f09f81303d80d569aa35f4393567d2d8a481bdc0cb6e64e24a1ee569d9f2ebb8867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B84E13677C80694CBFF0221DAF79ACF3

Filesize
550B

MD5
5e6d0cabc64cd3b2f7f1e9f24cc67e33

SHA1
e1b046c594d1a15e9f47caa21dfe71b38f977dc6

SHA256
c35583e644ba8fb936ba8a18d9ddc60c6658604c6395aedf1d254a498b6f3871

SHA512
e7b190c6a70394c887ded249d888e17d46d5b770264b45ad4b9e0935ee9b94d9e9c43d0bac8e97e403231a4470693e2b8218587a9c8558872dc337aa4136978d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D

Filesize
458B

MD5
a9c7bce4e0af096c41de16b16261e56a

SHA1
002a5847f8b85f969c5ce885e8ceb5477506aa6d

SHA256
64a74531bf24e0c758c597ac82ebd38dde0b97be8d263511e2f4cae8ff702ab7

SHA512
9cb05af40f6d9eb9af49ad71bdb1f44cad2d33658c637c57ad60c80f7c0e6d5044bd461a800e5ffc7d1a92068afc77f37fa6a8c8503a59b671cbb8b3d4a20213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\O530NRTM.cookie

Filesize
103B

MD5
f1d5c13f0dedcf6572497200cd3322a5

SHA1
7be9202b087e612ae1ef34f107b48acf0267b040

SHA256
b2ea03d7390226323d9c16f6d3a334b619fabcdc629e41099f85e2cde3a85af8

SHA512
d85d9693d92e5756278ca21bdb9298599cb63574e58397a16ae891cee48de09e3991706e31b356aef77ce002f05cfebfda270a576be10cf13e754f50af0ef96e

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/304-95-0x000000007240E000-0x000000007240F000-memory.dmp

Filesize
4KB

Download
memory/304-101-0x0000000072400000-0x0000000072AEE000-memory.dmp

Filesize
6.9MB

Download
memory/304-97-0x00000000057E0000-0x0000000005CDE000-memory.dmp

Filesize
5.0MB

Download
memory/304-236-0x0000000072400000-0x0000000072AEE000-memory.dmp

Filesize
6.9MB

Download
memory/304-96-0x0000000000B70000-0x0000000000BA8000-memory.dmp

Filesize
224KB

Download
memory/996-103-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/996-104-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/996-214-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/996-121-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/996-99-0x0000000000400000-0x0000000000643000-memory.dmp

Filesize
2.3MB

Download
memory/1496-45-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-28-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-80-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-73-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-72-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-7-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-9-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-4-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-46-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-81-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/1496-30-0x0000000022700000-0x000000002295F000-memory.dmp

Filesize
2.4MB

Download
memory/1496-29-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/2328-194-0x0000000000A00000-0x0000000000A54000-memory.dmp

Filesize
336KB

Download
memory/2924-112-0x0000000000530000-0x000000000057A000-memory.dmp

Filesize
296KB

Download
memory/3336-239-0x00000000200D0000-0x000000002032F000-memory.dmp

Filesize
2.4MB

Download
memory/3336-238-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3336-237-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/3716-0-0x000000007371E000-0x000000007371F000-memory.dmp

Filesize
4KB

Download
memory/3716-54-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/3716-1-0x0000000000E60000-0x0000000000EAA000-memory.dmp

Filesize
296KB

Download
memory/3716-13-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/4052-202-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4052-205-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/4052-207-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5040-224-0x000000001FEC0000-0x000000002011F000-memory.dmp

Filesize
2.4MB

Download
memory/5040-234-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-199-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-235-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-208-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-116-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-118-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download
memory/5040-114-0x0000000000400000-0x0000000000657000-memory.dmp

Filesize
2.3MB

Download