lumma | dd95ea562335de025678407ad4dfeb923c76ba0e4eb18eb4f539876435395f5d

Analysis

max time kernel
58s
max time network
72s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 01:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
Size

913.1MB
MD5

eb4c3ac3d9e180110caff98bafa7c98e
SHA1

b50b6850f9e7b0312ae89cb1c4ba49d3221604e4
SHA256

5097335b52a0946622914659e078a9a94b8026e71098e2351ec94fbad96d5caa
SHA512

fac63555a92e27b1727b301696138b8182142307d0d0496ce44a70ae68b8042e3cf15ad20835f398ff2dd231d99db1b5b70843a8a6cb752cdb6861aff9674359
SSDEEP

196608:vWjHxUa0MqC6FxRsd3334aDl4SDPpaQHVIyAONxKmfU0mZ+q7GtNzmJnqCm3GLxl:v+RUZfjGDuiIofdURuSnz7BdAkIa

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
436	Breed.com

Loads dropped DLL 1 IoCs

pid	Process
2980	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3056	tasklist.exe
536	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\IrcMario	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
File opened for modification	C:\Windows\ManualsTy	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
File opened for modification	C:\Windows\AccommodationsAuthorization	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
File opened for modification	C:\Windows\ExpectedReader	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Breed.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Breed.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Breed.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Breed.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Breed.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Breed.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Breed.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
436	Breed.com
436	Breed.com
436	Breed.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	tasklist.exe
Token: SeDebugPrivilege	536	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
436	Breed.com
436	Breed.com
436	Breed.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
436	Breed.com
436	Breed.com
436	Breed.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2980	1272	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe	30
PID 1272 wrote to memory of 2980	1272	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe	30
PID 1272 wrote to memory of 2980	1272	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe	30
PID 1272 wrote to memory of 2980	1272	adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe	30
PID 2980 wrote to memory of 3056	2980	cmd.exe	32
PID 2980 wrote to memory of 3056	2980	cmd.exe	32
PID 2980 wrote to memory of 3056	2980	cmd.exe	32
PID 2980 wrote to memory of 3056	2980	cmd.exe	32
PID 2980 wrote to memory of 2932	2980	cmd.exe	33
PID 2980 wrote to memory of 2932	2980	cmd.exe	33
PID 2980 wrote to memory of 2932	2980	cmd.exe	33
PID 2980 wrote to memory of 2932	2980	cmd.exe	33
PID 2980 wrote to memory of 536	2980	cmd.exe	35
PID 2980 wrote to memory of 536	2980	cmd.exe	35
PID 2980 wrote to memory of 536	2980	cmd.exe	35
PID 2980 wrote to memory of 536	2980	cmd.exe	35
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2944	2980	cmd.exe	36
PID 2980 wrote to memory of 2812	2980	cmd.exe	37
PID 2980 wrote to memory of 2812	2980	cmd.exe	37
PID 2980 wrote to memory of 2812	2980	cmd.exe	37
PID 2980 wrote to memory of 2812	2980	cmd.exe	37
PID 2980 wrote to memory of 2828	2980	cmd.exe	38
PID 2980 wrote to memory of 2828	2980	cmd.exe	38
PID 2980 wrote to memory of 2828	2980	cmd.exe	38
PID 2980 wrote to memory of 2828	2980	cmd.exe	38
PID 2980 wrote to memory of 2456	2980	cmd.exe	39
PID 2980 wrote to memory of 2456	2980	cmd.exe	39
PID 2980 wrote to memory of 2456	2980	cmd.exe	39
PID 2980 wrote to memory of 2456	2980	cmd.exe	39
PID 2980 wrote to memory of 2324	2980	cmd.exe	40
PID 2980 wrote to memory of 2324	2980	cmd.exe	40
PID 2980 wrote to memory of 2324	2980	cmd.exe	40
PID 2980 wrote to memory of 2324	2980	cmd.exe	40
PID 2980 wrote to memory of 2352	2980	cmd.exe	41
PID 2980 wrote to memory of 2352	2980	cmd.exe	41
PID 2980 wrote to memory of 2352	2980	cmd.exe	41
PID 2980 wrote to memory of 2352	2980	cmd.exe	41
PID 2980 wrote to memory of 436	2980	cmd.exe	42
PID 2980 wrote to memory of 436	2980	cmd.exe	42
PID 2980 wrote to memory of 436	2980	cmd.exe	42
PID 2980 wrote to memory of 436	2980	cmd.exe	42
PID 2980 wrote to memory of 2136	2980	cmd.exe	43
PID 2980 wrote to memory of 2136	2980	cmd.exe	43
PID 2980 wrote to memory of 2136	2980	cmd.exe	43
PID 2980 wrote to memory of 2136	2980	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe
"C:\Users\Admin\AppData\Local\Temp\adobe_illustrator_2025_v29.1_(x64)_pre-cracked.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Sporting Sporting.cmd & Sporting.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:536
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 254802
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2812
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Dome
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Tablets" Hb
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 254802\Breed.com + Dispute + Christianity + Methods + Causing + Myanmar + About + Cakes + Wa + Buttons 254802\Breed.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Greetings + ..\Providers + ..\Occupation + ..\Holocaust + ..\Deluxe + ..\Jet + ..\Exceptions Z
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2352
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\254802\Breed.com
    Breed.com Z
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:436
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\254802\Breed.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\254802\Z

Filesize
436KB

MD5
642c411cf8908e1b80e92b096d29bcc9

SHA1
0f99185847d7f917094003cb2e3a46f4ab2de496

SHA256
1e314e71bda518494cc50d781d5b9d79bd853c2f7cf9d1e3fa4ac59281516475

SHA512
784db2fda67f7c944c7bb9ed825152e2e70d117f98d456f9342bbf686875610d80e8caad28cb073a7a91490858357d28fe74b9393f59d862d06fdd5b60509446

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\About

Filesize
139KB

MD5
57ed4c7e48266628e18a57fcd8e47961

SHA1
67b5eaa02d6b31bf930867dd44e2501a0243232f

SHA256
38aa7a843ef48d6d36b13a556baeaffe823c8d7f8dcb24ae1253d7331157fde0

SHA512
1a18fbfdfbbddfa1822498c83a0130fff9789fa921ea0e84d4d826da277a6f0859ea02182bc0a275a5a2387b5fb54365b8eae7df9fdb05393a297d0246dc1a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Buttons

Filesize
35KB

MD5
f58a9ec64d3d4dba943514acd31243b2

SHA1
dfbf020ac779e01b22147e0bbe4d24ca6f3f029c

SHA256
400059584d4a78ac9b279d717d7d4ec9f205c1af2cd3613f7dcc100c0dd988cd

SHA512
e52b28f61e1e5ecdb88ce8e0aae465956e6a34dc8629c2d82f15805ca84d321b3c1308290f2d846671ae5116b22972f3a541a77bc764ab7e04b502750cb648df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cakes

Filesize
111KB

MD5
6a58a62b3f89f7815948746700c20591

SHA1
1241a394df91b9528c4147f426b26b86918bb0da

SHA256
5a38b90a594fc01e0b4e36cd2a0fe03e0919e8e6fcedb3b918860747c1adadc5

SHA512
2449248ea06da06286afe7d81d7eadffe0a3dd77c5c2e506e2a4586c1eb7bf54acbd44607deb642702cc23d2620627cbf9f82a00adde126a963e142a9ea4f854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Causing

Filesize
88KB

MD5
e2c9a5f8eadd6b7a33054eaab5a00e72

SHA1
c5ac3b626c23c9783885bfbe55ce488d2b333b7e

SHA256
b5aa68a8561c45891aba321222825e1e28b973875c3877ec7cd785314d8e2854

SHA512
0638d01cdbbb3be8a8eeadade5019f1f49ab549ebd1b580aa745dee14a1cfe241a13b1b3f5a45e7665c8cb552084a63ab59ed211ff8769927d92680370f4bc81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Christianity

Filesize
84KB

MD5
ac87a37d8c4623e292bd1650e2eafce0

SHA1
3fd339eea4edeab614088c7b9d83530837daea9f

SHA256
52701c477cd41c8a09750119d3156616ed517a4496e6481913d681f734340386

SHA512
2d943aa7b7bc267fd67dfbf44cc0606e146e7d825bbd64441f19adac36546e4dbd17a9f1187d31d052200409fc6b8cdb03838984f15ff55f7eded5255af4490d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Deluxe

Filesize
92KB

MD5
4daca48150059aee0ad09fde98eedacf

SHA1
3bb1a2deb09eb22b61c2ac23706ad4e9dee88cb2

SHA256
97873fadbd36e9b9e41cd8f2f72e5cdc2a5ba2a729c003365a148e292bfb5545

SHA512
f1eae3eafade5fea2d51526e1db5b72b91f875d60e31044e2b8e1388e85c1185e734536a0032299c8c0ff70a36ccd0d0479bfe3950b5b069bd6505f722cfe01d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dispute

Filesize
89KB

MD5
7dfc7e8b0b66a95aaa5cd46cbeff1813

SHA1
124e2efd6534f11aac3392b708748db67c1adaea

SHA256
2d220985b7c03b8b86c8886a3048bda666a19070792c149eb7973c2ddc2e7b2d

SHA512
3e2c9f1ef4d55fe67eae88e6532c882ab7e66701a2a398036aea6561443dd7b4f8db97648eaf0059aa00dec84f7e5ae509fd6749d9d150cb0fdfa9b7d7c5ca68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Dome

Filesize
478KB

MD5
e66a8e8a1190ab4f70cae80ab744cfeb

SHA1
76908604d5e4739e8987326f6c38d7689a4485bb

SHA256
3b2c2a4a02c799adae00d6be026c5e3c54733d6e8b0a0e51488e3d0f9f0876fb

SHA512
3da89fd04275c4069d4eed250043edf6f90ed6ab79453a7f5a7bfa8307f4d6a1b76ccc758b36f9124c8f6361fb571245f4ab4235977b520c2d1fcbe86df7e036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Exceptions

Filesize
6KB

MD5
5d2e0aef5363b9722be3691c2d506025

SHA1
f82df8e4c6d1d5d59c00241b874496db678bdb25

SHA256
3e1370a32f14b94d8b0149936502b4ea0b02896379556dedfd5933807053ba82

SHA512
0dcf21a8b1b3f34643cc67624602aebe319dc474894d06abd7abd16164d539b1640d178db3d4906971f743bbb43713a3e28685bbea85c38a520a0288b96d1072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Greetings

Filesize
68KB

MD5
a99fe78815fcff0eee64aaf9d95da419

SHA1
e67a750d727c374b3003625ecef48d103145f0d4

SHA256
468b7e12a558f9f80f0fb222a17311a8baf8eba5d48e48ab215550bb5d9e671b

SHA512
5502b6e3464a9c72c5bc05e63195f99e2ded95ed893a1efa6d9108e85c60f3bbf2961f99824c4539356a3be972162e08c71c93cc7644cd4d17f478697c64aec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hb

Filesize
1KB

MD5
fd35a4be23be4db482de37e839c18e5d

SHA1
a1535a7214f99c26294248fffd0e2c352c1b617e

SHA256
e4c447b8ac2fee6b3304323c5094eb9b3db68828d4dac3fe4b4c30d44a2f5ea8

SHA512
a362b36ecfe71d9ec6a1b11386a33e86c6e0c4cbbddee0d68254de1ccea8b00828c02e8388e74f919d6765ef7579c81bc75497f52425bbf6fa6c54f9aa50a432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Holocaust

Filesize
51KB

MD5
402681c9785f6549ab89e6d3f618b668

SHA1
11ac2e9dd4c94c89554effc45b29c3a5f65ef3ae

SHA256
27b790faf7bbb7a038991b38c9f2f5421c40fcb44dccf0c87d1f13e1b3328638

SHA512
9a40bfdd38bb268a0088357eef5a2f1e56716295899e5436c187d2f4dcfed729c18f3b6e43334d324d87c032b4bf1580f1099441a881877f3797d2edbaaa539f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Jet

Filesize
67KB

MD5
418ffa04db14f2654bac2eb69ab1a4fb

SHA1
ed912c858f4857622064e72e3965a472c792915b

SHA256
1fbbe0a73b3318726cb16526de94ea178d5a90c904d045392727c40ed98c2d6d

SHA512
7bcdabcb10c192832a1206db2e9921dbe22b09471505e88d22c3e9e72926fd0444ea9ff3db5ac06ca9d23368262ee8a5a1d17ad7d6deb1166f216a57f04fa363

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Methods

Filesize
103KB

MD5
0323f6a6d6b1b4dc2ea9a86bdb67d7d7

SHA1
c01e3c27a582c707762e21d4dd95964ed273dba1

SHA256
0518290c9926e81d2946f1f88a555e7e6adf509d67b16ecffe5d47f59a3a3510

SHA512
0cff5ba1b5bd495858cb6005c06ea8d28653f2723224f5eed64faa710a83f1fe2ff2e3850ef3763718ac4a12f986123a5e3c42b7b41f53fe2a076f14faddeb89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Myanmar

Filesize
132KB

MD5
13e13da71b031c0889dc700533a1d620

SHA1
d0b9eaf6e2283e8414eb6d1465f13b60e95d03d3

SHA256
7b95fa9ae1b4388383216e773b1d6d14cfe8dfb5d788f59e127a8940162bf7fd

SHA512
b3824f322ffd614a7ed074a00951ffa65aa2221aec5b594a23035b8f434c1a7af21377c2c720191a0f5b711c1cb792ca185b75ea93c823b13e940b5d0028fa24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Occupation

Filesize
56KB

MD5
913ace0c1abf0ba441e3b8baf8cc9b0e

SHA1
649a2c7905f98a0afe04dcef843d68ee33568b83

SHA256
22d22e605d0d477787476b6d64239f5b240ee139818dcf11faadc9338c8d4ba8

SHA512
b09b56c58a9800117d742137662daad528eea2c343fef78abfcb023d2d194e621002aebb890e98d14b2121882995ef7342fbb38519876aab9542169ad037c8dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Providers

Filesize
96KB

MD5
a51dc886f7c3aaefd47a3f8bd29af74a

SHA1
b5aa16c5b321cea8a47a48d15610f4fd962c5b3f

SHA256
37442b922e61c1e357e8752b18e1002e3d00958500837791fa0dbc05523f1317

SHA512
3c0726ec0eac62304fb75ce76e0ef49b37e86e11542bda712c2f2f298baa67f933167019aa3e17c64728bd367f95c752378bbd4caa32ab83fb5f2e4ae8004ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Sporting

Filesize
26KB

MD5
73c4a232fbd6fd5f609e1252258ea187

SHA1
e75881de914349d524f37a04aaa8a52034679681

SHA256
5607fe360d6b7bc50fdfab89fdc5dfa022ed37a8e53344b4da960c7a704012fe

SHA512
80ed892b5aa241f150b2fe47163dc77ea9e6ebca90387af3d1c48a398f83f692263724e6494ba773508a46bc37ce4391d66ce0b675b7b8090d128e4378deffd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Wa

Filesize
142KB

MD5
57464fe980fa9f09cb6eb4d85f0f110a

SHA1
a018271a804d7306cd334a547a413672d5b187a8

SHA256
0e8fff4e6fbe31d0e6cd4f50fbbc83bdafd69f90783babf5273330108e7f651f

SHA512
c8295a5b67ee911703fcb66ff308df3c133b058fdad088243b96ff98f6fa1c880cee311b4337b39e009fbc51d67d4bbc3469c1e7382f6677ef712636612a95c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab877A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar87DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/436-67-0x0000000003E30000-0x0000000003E86000-memory.dmp

Filesize
344KB

Download
memory/436-69-0x0000000003E30000-0x0000000003E86000-memory.dmp

Filesize
344KB

Download
memory/436-71-0x0000000003E30000-0x0000000003E86000-memory.dmp

Filesize
344KB

Download
memory/436-70-0x0000000003E30000-0x0000000003E86000-memory.dmp

Filesize
344KB

Download
memory/436-68-0x0000000003E30000-0x0000000003E86000-memory.dmp

Filesize
344KB

Download