lumma | 1aa5e6d6344ab746bafa98782b941f3ff7cf60d98a38bd50111789000597c75c

Analysis

max time kernel
119s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-12-2024 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

appFile.exe
Size

819.2MB
MD5

4fcc72c433dddb6c3458ff947f423c10
SHA1

8469e0b7b8ce20ff0721676097b9e1d20e1eb2ef
SHA256

3bfa35907c5a97cd0d26478f3afd84286bf7655ce27adf245a83eb10cd70307c
SHA512

896b5257818ba053c07d1061d24d82aa79046b902d8f79ce38a4a72617fed476dfc856c93a466713f9df2e09b3d56e3a4bc33ec1984f92a5d6529f1738518270
SSDEEP

196608:1cfuoGxnRoht78USnoSfgPSulo5Ud3334MznYNRXgXq+e5wXlFYcpwEYEa7QMDJt:+fthfSnPqwhMty9T5ZHO24+72ceyf

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1464	Altered.com

Loads dropped DLL 1 IoCs

pid	Process
1168	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2700	tasklist.exe
2764	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SevenPlots	appFile.exe
File opened for modification	C:\Windows\MiceMeter	appFile.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	appFile.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Altered.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Altered.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Altered.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Altered.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Altered.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Altered.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Altered.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1464	Altered.com
1464	Altered.com
1464	Altered.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2764	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1464	Altered.com
1464	Altered.com
1464	Altered.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1464	Altered.com
1464	Altered.com
1464	Altered.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 1168	2156	appFile.exe	30
PID 2156 wrote to memory of 1168	2156	appFile.exe	30
PID 2156 wrote to memory of 1168	2156	appFile.exe	30
PID 2156 wrote to memory of 1168	2156	appFile.exe	30
PID 1168 wrote to memory of 2700	1168	cmd.exe	32
PID 1168 wrote to memory of 2700	1168	cmd.exe	32
PID 1168 wrote to memory of 2700	1168	cmd.exe	32
PID 1168 wrote to memory of 2700	1168	cmd.exe	32
PID 1168 wrote to memory of 2192	1168	cmd.exe	33
PID 1168 wrote to memory of 2192	1168	cmd.exe	33
PID 1168 wrote to memory of 2192	1168	cmd.exe	33
PID 1168 wrote to memory of 2192	1168	cmd.exe	33
PID 1168 wrote to memory of 2764	1168	cmd.exe	35
PID 1168 wrote to memory of 2764	1168	cmd.exe	35
PID 1168 wrote to memory of 2764	1168	cmd.exe	35
PID 1168 wrote to memory of 2764	1168	cmd.exe	35
PID 1168 wrote to memory of 2716	1168	cmd.exe	36
PID 1168 wrote to memory of 2716	1168	cmd.exe	36
PID 1168 wrote to memory of 2716	1168	cmd.exe	36
PID 1168 wrote to memory of 2716	1168	cmd.exe	36
PID 1168 wrote to memory of 2616	1168	cmd.exe	37
PID 1168 wrote to memory of 2616	1168	cmd.exe	37
PID 1168 wrote to memory of 2616	1168	cmd.exe	37
PID 1168 wrote to memory of 2616	1168	cmd.exe	37
PID 1168 wrote to memory of 2452	1168	cmd.exe	38
PID 1168 wrote to memory of 2452	1168	cmd.exe	38
PID 1168 wrote to memory of 2452	1168	cmd.exe	38
PID 1168 wrote to memory of 2452	1168	cmd.exe	38
PID 1168 wrote to memory of 2680	1168	cmd.exe	39
PID 1168 wrote to memory of 2680	1168	cmd.exe	39
PID 1168 wrote to memory of 2680	1168	cmd.exe	39
PID 1168 wrote to memory of 2680	1168	cmd.exe	39
PID 1168 wrote to memory of 1732	1168	cmd.exe	40
PID 1168 wrote to memory of 1732	1168	cmd.exe	40
PID 1168 wrote to memory of 1732	1168	cmd.exe	40
PID 1168 wrote to memory of 1732	1168	cmd.exe	40
PID 1168 wrote to memory of 1780	1168	cmd.exe	41
PID 1168 wrote to memory of 1780	1168	cmd.exe	41
PID 1168 wrote to memory of 1780	1168	cmd.exe	41
PID 1168 wrote to memory of 1780	1168	cmd.exe	41
PID 1168 wrote to memory of 1464	1168	cmd.exe	42
PID 1168 wrote to memory of 1464	1168	cmd.exe	42
PID 1168 wrote to memory of 1464	1168	cmd.exe	42
PID 1168 wrote to memory of 1464	1168	cmd.exe	42
PID 1168 wrote to memory of 2980	1168	cmd.exe	43
PID 1168 wrote to memory of 2980	1168	cmd.exe	43
PID 1168 wrote to memory of 2980	1168	cmd.exe	43
PID 1168 wrote to memory of 2980	1168	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\appFile.exe
"C:\Users\Admin\AppData\Local\Temp\appFile.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Mb Mb.cmd & Mb.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2192
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2764
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 155766
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2616
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Hypothetical
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2452
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "homework" Defend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 155766\Altered.com + Priorities + Cohen + Rejected + Leaving + Aging + Game + System + Computation + Immediately + Realm 155766\Altered.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Anime + ..\Ips + ..\Cheapest + ..\Client + ..\Po + ..\Charts + ..\Room f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1780
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\155766\Altered.com
    Altered.com f
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1464
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\155766\Altered.com

Filesize
126KB

MD5
3853653e8d34aaa1c0205bba6c6d3e8c

SHA1
770b4b7be4cc1ca0cec8eb296a0a204349b3093c

SHA256
bab5772fe1747d5a27e80a2476ac09750f640e197bfe9fbff908da370f6fef33

SHA512
5c42f00852218a2e808ad18e373a8a38535f468f793451afca83fd8a2bfbd57f6e17ea73694f2968d8fec59e4c12a1c9fa5e7b0af8500f516010b98a27476c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\155766\f

Filesize
457KB

MD5
8a67bbb41b9b2e0221d9f9f070c918d9

SHA1
468f81784f29cf871a8087deec134037efd242a7

SHA256
3f24f4b4ccf6d2296da98d7590c375dca509288377de1b8480dbceeb43df3043

SHA512
f9f38aee8692888a5d7e1f12029e5c8a24566abf3b6008fee81197ec3096dee43587c937f13e0710dab13a0dc51e7957b85605030e63c605251e4a51d3808201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Aging

Filesize
75KB

MD5
2d2d0d734b48b8d8c14fdf2abaec2d69

SHA1
52ee9a63c6d9e571ee26b7ece95f21c80f38df63

SHA256
3d1f64bbf0a343513b9dca1a98b509b0b92270e86df42b79c59e9ca7b1271743

SHA512
12702a7d7d9fa04ae01777b44b6a908e50bf9396782f44d14545bac4da293bef9af219bd4b7e9a2e65adb253dfeda9030b88087c120dae4625f7d61924471932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Anime

Filesize
78KB

MD5
2e19ce72fc33ab1e1b6c4cd764af0378

SHA1
8abfb9bf1a9d63029855e6d52a5e1b76f9c72764

SHA256
9f7a13744e14f486ee561c4c49bb3f603afe7afbe30793c53dd53af46836e528

SHA512
d64edfa8a0b313f2e63f0ef1b1f813cd8aed0d4f6ed33c50ba0dceacfb72eb74d4588c8b706d087d8d79d461f02b2c20a8259ddc62449abc3f829d873a7776fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Charts

Filesize
85KB

MD5
f3eaa547ffbe381ab6dcc093234473f2

SHA1
65f3161d35940828c02b8a7db1aa4f19b0804f60

SHA256
9ad773f199e969571442c06c11df4ec09d5f4f268046d885e049420cc08fb220

SHA512
c14aa630ebf1e388d72d1affb502a959c6a454477bcbfa478418aed8e88e3e99846a9f29a7aa1252c0869bc4afe46dee5a6a04cfcb778dbc251d1c40d34af61d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cheapest

Filesize
56KB

MD5
d0faccc354d82f80956b525cde65b5f9

SHA1
0a77239d63633c1baf1ea1c5d73d83e3cedb10cf

SHA256
892da9dac2a2dd04bcac005750a7a1da773baca6a25c1fbf51af2ce41c59252c

SHA512
2162dd8b4ad1b28482f8701b6362b7da40fc937594d08ee0e1343f5223331b0de9cc89f903ccfc92bc4e319649ac073f050d31cc7c04990aacda0b7f1cac76e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Client

Filesize
68KB

MD5
dff8e9b2fc908f3ba33e096b4f35e626

SHA1
dd120ad25b0b1892a70846018d23fd156330e3e7

SHA256
296c6c7acb2e87ee0082bddab82c5395030b5214832da7685d44860cef6d96c9

SHA512
abc5721e2276137f53d4f9042493defd70a021bd451b15fe8bcd1d5712982610fc3821ddb5212e3cae2b2af214ce394b5d2750a23c07cf1e040f736d6448c91f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cohen

Filesize
133KB

MD5
9b6654bdee2dca21441bd0b196a6b198

SHA1
54a28022fc8e63f5340a65e372da2cd9ff1215ca

SHA256
e55c39a69f0b9d923a6ed9d3f05495f632a8cafa89abadd173e4f3badc513490

SHA512
49ffe1263e4439d05bd133357dabfc7940dff59bc006b730e9e9115b8492e8fbf47188edba2b6fc78598076b5f57a673e6cfcb70db837e2ffac26cb6767f28bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Computation

Filesize
109KB

MD5
7e03c7e02c79f1b2e9fcc0dbd15a046b

SHA1
47c1b880b4920d27a10403644ef2590339685042

SHA256
6e0780ef4ff73842d41465ef93b90a06c1af0e1821de5868e7f955e914494ae9

SHA512
4978b26135749b077846175fd74d947e7c9c64eabc80fe3191430c4188c7b1ef4c4a0a8292ca8c17a25bc568a67286f7b34f0c7d3cb3337227636f1a98b7b685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Defend

Filesize
758B

MD5
2813fd04e4b6f011537b206cc75d49d1

SHA1
d94c080e2aead4761acc1dc942179bc188263581

SHA256
15d4c801ac2708fae3657a0e2b177e537f67530336e9a81ffb60a5e97d32afde

SHA512
b29f807a8f0dbb91ba9506aa7e29a34ed51e38820b7d9b10ff157956327bd8034bab1746037824103fe752114ed913c3558eefe2101b43e5402f5339eb5342fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Game

Filesize
99KB

MD5
740dcff59cce5d4474008dc8860576b9

SHA1
cd549817fb35aa52a36a8ad4b85db179dec86aee

SHA256
a9fb448c5a154077f2aa903a010bbb69213c7e5ca614ac92685bc4160dff5dd6

SHA512
9a616ffa6cb1465ac722b225551c2815b3db0efd578da18691bb64c08d293b76eb048cd743746a3cb2231433ea700a84dbcf1626cf25447f2158b78ad2967c7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hypothetical

Filesize
476KB

MD5
6a90032c3087da0c6c5cd4e26faa130a

SHA1
01c303a210d2358815b9bd80a8db03654e443d5e

SHA256
1fe850eb734c06f7f6275f543e66da757798efd85438ec44f257752cad0a844a

SHA512
929109607a664a76b9be329e31c54b5005c024b4fa9bb2ecb76777578af000d01878cba4575596af0661458bdeb3f5589b66b361d5c1e45986a3e22027f24e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Immediately

Filesize
71KB

MD5
d6fd801778c7900546c3e7fc650d5c37

SHA1
3b4b40332a55caad44f35cdedeedf8739d4235fb

SHA256
21de6e001ad0fd9e7f197c87087703ab507ab80940dbccbdc64866e6217ff289

SHA512
3ae1673fa8ba7937d13efb81de2cc7a6f7f804fa9f200d8280859a75806d2623ce15fad6ac8ecd44d4a95a3a24bca98778a52c07292a70ee382df6609267a0be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ips

Filesize
96KB

MD5
7314b029ea8ba2b0fd4888f0160d65aa

SHA1
2b6bf44bf4f65dc9e73ed9ed7777bf6266b802e8

SHA256
9f5a2b00865b79179fa92a2052e416f66af15ad969ca8d0082daee4c4054435e

SHA512
f6c5d890ca7560f7debf488894f41d6b1473e5e0a0df5e7bc586de684184eeb9c97462652d9dd5fb198afd256eb4236e9d747ec25ec981dcf8cc668708d2e626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Leaving

Filesize
72KB

MD5
d3c5dd24f7ad544272d5747152e799a1

SHA1
b22262d67fc3135d43bcc5fa53b165761d3d944e

SHA256
294b6ee9e9486df87f5945ec34bd6605f03ee201fe6f4535b12c413b6263afe7

SHA512
b9a132fb9c7355a3c0213410c1d5969c470daeb39e154181f76def68b900de660b9bbfd82df474f4bc3e81e21acae0a0cf7974f1c5fb2fe3fd479902b2b02509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Mb

Filesize
26KB

MD5
c593366e1cfcd643e75b566ec386caf7

SHA1
f9b22698e9a5115d020ff7c9490e388127837d27

SHA256
b42a8dfc65980c281016ea1d2f7a9b6c79bd2de660e2dc65a9c2ccdc91253bde

SHA512
165489199629eacdfbf0c1ab09b69de4a04bb9b1d682ec6f8e05910aae638cd17ce4541d1fa346a11f451c63f8370c3e7a68d3bf4160f40f2f8085cf48ab0c47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Po

Filesize
51KB

MD5
a4cb14af2fe7cbddd269e8ccbe9eba81

SHA1
88555646770e70ced0c883463df324b4ec70d028

SHA256
560b476dc3790c8e2f5b509c488ea6a86e700ac19fcaf904178462ff3efcf98e

SHA512
871cdb1002a6acd13f151689d5578aad70316c2a3834aeb8cc37add349539cccde4741ac91eda5261e5890f357f1c1c3d6e5bd51b24be4c88cd7df542b0ee31d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Priorities

Filesize
126KB

MD5
69a4f06d648eafc7cc54b6290eaa0bc7

SHA1
84585a3b86aca8642b5b929ad8cc80057c6dbd27

SHA256
8b638187baa22eb1b3532050af50817171fc0ffc805bf2d6a7da7e666385d148

SHA512
ec649e724749f614bb23edddae2e4746e35e13d761964169ff40579cf42a049421672f4545cd9758e7430042cacde7349c819dbc04f2f036f4190765e50771e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Realm

Filesize
11KB

MD5
2d501e26576c35e22c6ca520ca3f50c4

SHA1
f94695ac3a6ed634098f5e7d7b3c26ecd9d91a77

SHA256
27a1053a4e6a02d13e8fce0ec03456a921e826e82253b81c354f3426dbb1462b

SHA512
79d2e29bb47db6fea5d022b8f344a2004509161aa7587b5112db5cef42988c91efc0077d7903155933c0eb145e42a005976520d36da5f789187b6b6a8202f3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Rejected

Filesize
87KB

MD5
2e89af75610e5a67ff8dcd67d9a2311e

SHA1
d9c2f1600ec94105c45b6efd81a4ce8b7a3c8c6a

SHA256
49ed44ff870af4c1ed5879efea9e5b85c47ff0b86f5ffeeb682c83630f61c7bd

SHA512
b1da7cb625a3b8315707f448e49b312760c55f5dcaf4772fa9a585f57dd229ad740f855375b20e7b2a0aafa02705261915095997f05e1b16b8015008bd4a5631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Room

Filesize
23KB

MD5
2ed2df6ad501afb2ec8f1b3d2f817b92

SHA1
6820af9f60dcfc99ab82666f0d41c21acdfa9f5b

SHA256
a605e2ff4003733f73ff38aac0966f3c3531c5439035d94e99f48e6afbabab9f

SHA512
c00a1aebc37f23e917990b14b22730651106fc1ed65a59f6224378e9bcf91a989f2862ba39af424bb4d0e01e472c0f894405c98a01f68854a27a70715ef72369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\System

Filesize
141KB

MD5
e127b540b096a89b7420ee8a13e3f062

SHA1
7fbb7a24c7b948025d930270c894d4abad818d39

SHA256
0cd5bd98b3110ac1e954733e00e0884a0b08351c7540acf41c396a5e38a9d22e

SHA512
e35e7ea9b289adeffa7662e2d2b51caabc44ec3fcd4367e94881a4e2f5f76c8a30e59ce56d3848e356fa1c0269d88e6a189f619a3522459784cca0ff63c0d72d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE18B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE1AD.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\155766\Altered.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1464-73-0x00000000035D0000-0x0000000003627000-memory.dmp

Filesize
348KB

Download
memory/1464-75-0x00000000035D0000-0x0000000003627000-memory.dmp

Filesize
348KB

Download
memory/1464-74-0x00000000035D0000-0x0000000003627000-memory.dmp

Filesize
348KB

Download
memory/1464-71-0x00000000035D0000-0x0000000003627000-memory.dmp

Filesize
348KB

Download
memory/1464-72-0x00000000035D0000-0x0000000003627000-memory.dmp

Filesize
348KB

Download