lumma | 00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a

Analysis

max time kernel
35s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe
Size

404KB
MD5

4f828f95c11479c61692052d9254022a
SHA1

68f1fbe839f2d41f434bdde176ccc3e6f38ec503
SHA256

00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a
SHA512

91cc6dc01a62337c542c31337057653c5e41ae7b88621bc1041786a260a5b78fb834869ce8aeca05ab8263c45a41fa7833ee262440d157206b1ddae675d814f5
SSDEEP

12288:V/Cb1GLhpCd9pwh7vCOT1VVx3nH8fwxa/bEO:VD6MPTHVRPxqt

Score

10^/10

lumma vidar 8b4d47586874b08947203f03e4db3962 credential_access discovery spyware stealer

Malware Config

Extracted

Family

vidar

Version

Botnet

8b4d47586874b08947203f03e4db3962

https://steamcommunity.com/profiles/76561199780418869

https://t.me/ae5ed

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:130.0) Gecko/20100101 Firefox/130.0

Extracted

Family

lumma

Extracted

Family

lumma

https://questionsmw.store/api

https://soldiefieop.site/api

https://abnomalrkmu.site/api

https://treatynreit.site/api

https://snarlypagowo.site/api

https://mysterisop.site/api

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/2616-8-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-11-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-20-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-17-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-15-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-9-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-161-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-180-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-214-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-233-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-364-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-385-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-426-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7
behavioral1/memory/2616-445-0x0000000000400000-0x0000000000676000-memory.dmp	family_vidar_v7

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Blocklisted process makes network request 2 IoCs

flow	pid	Process
41	2616	RegAsm.exe
47	2616	RegAsm.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
1632	IJECBGIJDG.exe
1040	FIIIIDGHJE.exe
3052	DBKFHCFBGI.exe

Loads dropped DLL 11 IoCs

pid	Process
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2992 set thread context of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 1632 set thread context of 2456	1632	IJECBGIJDG.exe	38
PID 1040 set thread context of 2304	1040	FIIIIDGHJE.exe	39

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IJECBGIJDG.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FIIIIDGHJE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DBKFHCFBGI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2872	timeout.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2616	RegAsm.exe
2616	RegAsm.exe
2616	RegAsm.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2992 wrote to memory of 2616	2992	00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe	31
PID 2616 wrote to memory of 1632	2616	RegAsm.exe	34
PID 2616 wrote to memory of 1632	2616	RegAsm.exe	34
PID 2616 wrote to memory of 1632	2616	RegAsm.exe	34
PID 2616 wrote to memory of 1632	2616	RegAsm.exe	34
PID 2616 wrote to memory of 1040	2616	RegAsm.exe	36
PID 2616 wrote to memory of 1040	2616	RegAsm.exe	36
PID 2616 wrote to memory of 1040	2616	RegAsm.exe	36
PID 2616 wrote to memory of 1040	2616	RegAsm.exe	36
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1632 wrote to memory of 2456	1632	IJECBGIJDG.exe	38
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 1040 wrote to memory of 2304	1040	FIIIIDGHJE.exe	39
PID 2616 wrote to memory of 3052	2616	RegAsm.exe	40
PID 2616 wrote to memory of 3052	2616	RegAsm.exe	40
PID 2616 wrote to memory of 3052	2616	RegAsm.exe	40
PID 2616 wrote to memory of 3052	2616	RegAsm.exe	40
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42
PID 3052 wrote to memory of 2544	3052	DBKFHCFBGI.exe	42

C:\Users\Admin\AppData\Local\Temp\00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe
"C:\Users\Admin\AppData\Local\Temp\00c39991e9994d94f4fc657f7072c7e4137baf5aa27961cf5451daf6b3cda75a.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\ProgramData\IJECBGIJDG.exe
    "C:\ProgramData\IJECBGIJDG.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2456
- - C:\ProgramData\FIIIIDGHJE.exe
    "C:\ProgramData\FIIIIDGHJE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1040
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
- - C:\ProgramData\DBKFHCFBGI.exe
    "C:\ProgramData\DBKFHCFBGI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:2544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminKJEBKJDAFH.exe"
        5⤵
        
        PID:3036
      - C:\Users\AdminKJEBKJDAFH.exe
        
        "C:\Users\AdminKJEBKJDAFH.exe"
        6⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:2092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\AdminIJECAEHJJJ.exe"
        5⤵
        
        PID:2616
      - C:\Users\AdminIJECAEHJJJ.exe
        
        "C:\Users\AdminIJECAEHJJJ.exe"
        6⤵
        
        PID:2852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\HJKKFIJKFCAK" & exit
    3⤵
    PID:2028
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 10
      4⤵
      Delays execution with timeout.exe
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AAKKECFBGIII\BAKEBA

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\ProgramData\AAKKECFBGIII\IJJKKJ

Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\ProgramData\AAKKECFBGIII\IJJKKJ

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\ProgramData\AKFCBFHJ

Filesize
92KB

MD5
e248975fcae2fff4649630d9421bd44e

SHA1
283f382e83b0767a0cd6b2d54bce3c1c315c60d6

SHA256
2e7470ccd25b6d7e9606f29643dbda3e3a4ef3f0575b2d074986c80cf8b148d2

SHA512
9bd5cf49a7773811d72be905cc8dfc2310f82899553c6f598a52b5dc261fc26191462855fdba8b3a83c8a317faed71a1a134df83f338c6c9442ee792cdf7428f

Download Submit
C:\ProgramData\KECFCGHIDHCAKEBFCFHC

Filesize
6KB

MD5
2b9274dd843e7a9d0eee263432d63094

SHA1
6463b9b1656355a2ead939fa39ed7a8e886a77ca

SHA256
e5489faf538f6e7a946d31450f8e0a9e16a21b8f1554b3a8805a2853c0d09610

SHA512
70864cdd7c1b44c928d6c2011f4fb065fcd4e11d10e8d2d064f10b31c0a1f26221c96bcec96a6423c3d9729895a97a3c7f72d87771be2ac0918bb689fbcdac4e

Download Submit
C:\ProgramData\freebl3.dll

Filesize
9KB

MD5
7c207c576e5ea86bc3797e7eab6ebb6a

SHA1
189309b3d3f81b1cd492683f256c14de5ac0e1f8

SHA256
e9eb9e241d28ef0f6bb79492f6bcb7dbf1abcbd9e440d7418af07ca5fbcd8a67

SHA512
1180b2718aa2c22f66a1f71a4bc691367f12678745063c616df856a4b5f9eb6dfdada42751290176b006977f90bb545abd6fcc1206fce1337955aaff83fee641

Download Submit
C:\ProgramData\mozglue.dll

Filesize
35KB

MD5
1cd9d2c10ff45742397de89a3fa4221b

SHA1
8926266efc4ae5d9e432f80c262d0a11a9b4ae89

SHA256
4498f099e14387aed3abbfaeffde77de5d794b96eba197f7977d7ce866f12ca8

SHA512
a1f8af6061411b93fa5114bc6c7bcf27c3444510fc7147cf0eec555a46a61282ac7e653c9319367ee6bfa700e681ca7ede9d0bdacf0d930351c9bf1fffbbf382

Download Submit
C:\ProgramData\msvcp140.dll

Filesize
22KB

MD5
766fbac1c241637acf06ee77b7b6d4eb

SHA1
91480a35874ad7c97dd7cb0adbe1cad3f84a54df

SHA256
4166d2b77fbd96582c043d61872c0fbbd34db4514e20cd0b6c2e2be2ab396ecc

SHA512
c0fd14ad2fb511b125ca5f8ff8efbdfae6f99dadbf5b70e80ccbbb5052d86bda65988d0b85ebb5856a5b2e38b4f1e4bfd8351d1be0a48bb9cf5b0ee246010a57

Download Submit
C:\ProgramData\nss3.dll

Filesize
15KB

MD5
5efc6257cda2ca6662c7326a1ecb0eeb

SHA1
3ff29c824318163fb86ea4a30df9d2eecdb1398f

SHA256
af8b73dd4cb131b0deee81f5f8735bde267881c234b37faea3d72f671adcc534

SHA512
623d5045c74107706861836848bbaf53c7a6f0b45e08a49d6bbe50ccf2df8872af05d59c3e83732ece9d7b4f9f8257c26bd00f5653f8d702f77c39748c0cf2a7

Download Submit
C:\ProgramData\softokn3.dll

Filesize
48KB

MD5
8cdca4e147764cc95630089147b785e0

SHA1
a6d08dd220163b264ae5145df640ae168418c3f0

SHA256
d71ae9f4578d9c1517d2c8cc909afbcaa8fd3ac731097b1b5e8dc7e2cb55e2e2

SHA512
771ef179b46c12ef1ca40651a9550e5b6bf6c68cf8839d91add7b331b6d3ae3b2405a92c35e0254d30cf48caa1e68a956579841a6dbbd137f92811e013926983

Download Submit
C:\ProgramData\vcruntime140.dll

Filesize
52KB

MD5
5dcbca63388d1d734a83c1b864976232

SHA1
e48fcf925294b2134db1e22953836d08caaff97f

SHA256
ca92984e762dbd8f735be137e5a5bef83b853b96400eb6464dffd35a0fc15221

SHA512
43e295d1215901a5006c8dcba32524283cf92c7b2dc2df644c1444ffc09ec94b075d89a81afc015a194319e65e0e4142e95deba5669c11b3404b7398b6ea4d19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
471B

MD5
c7f2d90f5c90ba421c96700249027a64

SHA1
826e331f623ac31cb6d8c470b2b4b64417a69fec

SHA256
83957f6b41bae1ee8467d9ba21754f82212b733b2496be9b8fdbe88dda46738c

SHA512
8fe79d5578b7ab3ee4b24a130d50a7bb167ffb343f425ccaa26da89c94bed281c9a7dde0a716c36c472bc305330ae6477314c3275b00a877a4d0a3d313182dd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be4848bbd888a3268ed3677e7e341c6c

SHA1
bd456fedee3efede21e80ef5b645e084a32d3a78

SHA256
2ed96f7cc2b4f1ae7bbbd089199f6d39fadbfe75272fd8b049088cc9fa6b094b

SHA512
b2b8d40ac3e7b9b4c0a8c28b25ddf24084b72522b8c42c736ac8eac3333d9621c40cc2b18cb4f0aa7ed918fd6fdc74606de197af8f49a54cd324c2dcc8ad3f32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f4843987b96e952d3acfc320f0055c2

SHA1
6240eff10a89d871b4ed15cbece18111a98bbfd9

SHA256
e6d874f1bb553f50fd271f2b85bdf4293155ed9018e76ac6a0462bbb757469df

SHA512
252b3c3517b0e07613f10bf9516828bf097a667a77c4a909d34fbaf26818a1c7bb8d9b0812c4ab794767ac6f2c5eeb34373e452b3045fe3bc2b614f192d9bfb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619

Filesize
400B

MD5
306ba48dc8948649fa6febd14671f86f

SHA1
13c5f3db38f4ff78c87ac090102c6e94ebc89524

SHA256
7a2346f3550076b232a091b23ce39ac32d7bab20aad38d44a7cc1083e089462a

SHA512
8a53a697234f74332d80c9cbf884559f9758ec03e5745d2800f8644148b9dbff736cb45c2e8f0c680831dd467e03e7113f18e956bd4195f64a261d20c4c858bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1646b9a46e8995a63df0d145f6233477

SHA1
04898aeacbe9df03a2a78b9a50b179a109824f0c

SHA256
abb76895cf81567765d8930342c003e610ff176e7ecdbb57432de7a491440a53

SHA512
e7037f1dca638c0a0cf7ece97ec111bf7856ee384653837665acc720beae5c1fe220fd8da1c5fa328bcd443baf4391ebeb3e5a985ea87600682760974866c685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\56KJ964X\76561199780418869[1].htm

Filesize
34KB

MD5
165ff27884833a32ec12327276ba2aa1

SHA1
1b812fca38010ba7e24129e82d67aea2a412ab10

SHA256
0f1598ac9d08b660b71b43e0a0f74d067d2265dcbb9b98b07a2a61608c5d6519

SHA512
a36f8eedfdd8ddccd3d3138fa871aa2aebeddadbac709a94076610f4f2ab9473160185beede5ec1663ed31ecdb40ae8369baaa260467dad4bd386e30c6427496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8H7UVK5L\76561199780418869[1].htm

Filesize
34KB

MD5
cfb641c7d0d1853fe7e82003e4fcf9d9

SHA1
d8a5df266bbc6ee78fc29b453a9cf0eaa760da8c

SHA256
0f3b833e5363f053ecd789296ca500d2325b998dd6a74babb5155e3aaa186b03

SHA512
e96240e6f60462e6e4483fe58247268fc1489bec1dbf481ed5368ba64621bd7492e6425888f5da548d32f26dcdeedb64e4514e485fc968842c610372fca7b4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9704.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9774.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\DBKFHCFBGI.exe

Filesize
336KB

MD5
022cc85ed0f56a3f3e8aec4ae3b80a71

SHA1
a89b9c39c5f6fcb6e770cea9491bf7a97f0f012d

SHA256
bb28bb63ed34a3b4f97a0a26bda8a7a7c60f961010c795007edc52576b89e4d3

SHA512
ac549b9cf50e631bae01152db4523fdab55f426ee77177af900b088244665e28de03c10784fe9db33a2478bee0d96bd50e5a668d2a2bfdff3e8706aa8f5d71a2

Download Submit
\ProgramData\FIIIIDGHJE.exe

Filesize
413KB

MD5
237af39f8b579aad0205f6174bb96239

SHA1
7aad40783be4f593a2883b6a66f66f5f624d4550

SHA256
836ce1411f26919f8fb95548d03c2f4dfd658fc525dfe21c7be8ed65f81a5957

SHA512
df46993a2029b22cbc88b289398265494c5a8f54ea803e15b7b12f4a7bc98152df298916d341e3c3590329b35a806788ae294bae2e6832f2a2ac426d0145504d

Download Submit
\ProgramData\IJECBGIJDG.exe

Filesize
381KB

MD5
c7e7cfc3ed17aef6c67c265389593ee3

SHA1
44aaea45a59f194f33ff435a430fcbd9e7434ad5

SHA256
0ddebb36beb37631df17f68a14c90519f93ba7c200c62003527273119442e1ff

SHA512
6c5f7a6626aac4b583d1165c4ea3bc69e315cdce94d3e1d3442dc9643e0983f2a80e0495bac79d4aa0e4db309f0aab373d917e6af12ffaad333aba21e16249d2

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/1040-533-0x00000000010A0000-0x0000000001108000-memory.dmp

Filesize
416KB

Download
memory/1632-517-0x0000000072BE0000-0x00000000732CE000-memory.dmp

Filesize
6.9MB

Download
memory/1632-515-0x0000000072BEE000-0x0000000072BEF000-memory.dmp

Filesize
4KB

Download
memory/1632-516-0x00000000002A0000-0x0000000000300000-memory.dmp

Filesize
384KB

Download
memory/1632-568-0x0000000072BE0000-0x00000000732CE000-memory.dmp

Filesize
6.9MB

Download
memory/2280-931-0x00000000000A0000-0x0000000000108000-memory.dmp

Filesize
416KB

Download
memory/2456-549-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-547-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-557-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-555-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-554-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-551-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-543-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2456-545-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/2544-633-0x0000000000400000-0x0000000000661000-memory.dmp

Filesize
2.4MB

Download
memory/2616-233-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-15-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-5-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-385-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-445-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-426-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-200-0x000000001FEA0000-0x00000000200FF000-memory.dmp

Filesize
2.4MB

Download
memory/2616-180-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-161-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-7-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-6-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-9-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-214-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-17-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-364-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-20-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-11-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2616-8-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2852-938-0x0000000000F30000-0x0000000000F90000-memory.dmp

Filesize
384KB

Download
memory/2992-2-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-4-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-18-0x00000000749B0000-0x000000007509E000-memory.dmp

Filesize
6.9MB

Download
memory/2992-0-0x00000000749BE000-0x00000000749BF000-memory.dmp

Filesize
4KB

Download
memory/2992-1-0x0000000000B60000-0x0000000000BC8000-memory.dmp

Filesize
416KB

Download
memory/3052-612-0x00000000008A0000-0x00000000008F6000-memory.dmp

Filesize
344KB

Download