lumma | c0a59016679827ffb9db85b4eff6133f0b36250ccafe6b15989fc2dd84bf1ad3

Analysis

max time kernel
56s
max time network
71s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 01:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

800.0MB
MD5

b4d4d19863fd8b7b64e2e8a1204aac62
SHA1

64d1609b82e6054af14412a92724d8605b7d015d
SHA256

56375ce34ece830c6770d768f1ed501a78c359a380c9576274dbbd19c9ef5aa3
SHA512

e00fa8b5af32b334849e499f5f0be5a23aeb37ab2b28d2bf82cee2766d85c3fb1a874cd327467ebdd57475b2b42befb7507d2d6ac923020964e23f0a3f5a7bff
SSDEEP

24576:KjatNrAGDrHrmxAztbD6Lf5aytZI9FmLaQWnnZp/fh+AR9wLsS9qB3Hcxx1VmLHA:PUGnHRbEau4FmUZpYARuISsV+VmLHRQl

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Extracted

Family

lumma

https://abruptyopsn.shop/api

https://wholersorie.shop/api

https://framekgirus.shop/api

https://tirepublicerj.shop/api

https://noisycuttej.shop/api

https://rabidcowse.shop/api

https://cloudewahsj.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1940	Auditor.com

Loads dropped DLL 1 IoCs

pid	Process
2868	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2952	tasklist.exe
2156	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PlasticHugo	Setup.exe
File opened for modification	C:\Windows\LeastSkype	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auditor.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Auditor.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Auditor.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Auditor.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Auditor.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Auditor.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Auditor.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1940	Auditor.com
1940	Auditor.com
1940	Auditor.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2952	tasklist.exe
Token: SeDebugPrivilege	2156	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1940	Auditor.com
1940	Auditor.com
1940	Auditor.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1940	Auditor.com
1940	Auditor.com
1940	Auditor.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2868	2240	Setup.exe	29
PID 2240 wrote to memory of 2868	2240	Setup.exe	29
PID 2240 wrote to memory of 2868	2240	Setup.exe	29
PID 2240 wrote to memory of 2868	2240	Setup.exe	29
PID 2868 wrote to memory of 2952	2868	cmd.exe	31
PID 2868 wrote to memory of 2952	2868	cmd.exe	31
PID 2868 wrote to memory of 2952	2868	cmd.exe	31
PID 2868 wrote to memory of 2952	2868	cmd.exe	31
PID 2868 wrote to memory of 2936	2868	cmd.exe	32
PID 2868 wrote to memory of 2936	2868	cmd.exe	32
PID 2868 wrote to memory of 2936	2868	cmd.exe	32
PID 2868 wrote to memory of 2936	2868	cmd.exe	32
PID 2868 wrote to memory of 2156	2868	cmd.exe	34
PID 2868 wrote to memory of 2156	2868	cmd.exe	34
PID 2868 wrote to memory of 2156	2868	cmd.exe	34
PID 2868 wrote to memory of 2156	2868	cmd.exe	34
PID 2868 wrote to memory of 2168	2868	cmd.exe	35
PID 2868 wrote to memory of 2168	2868	cmd.exe	35
PID 2868 wrote to memory of 2168	2868	cmd.exe	35
PID 2868 wrote to memory of 2168	2868	cmd.exe	35
PID 2868 wrote to memory of 2912	2868	cmd.exe	36
PID 2868 wrote to memory of 2912	2868	cmd.exe	36
PID 2868 wrote to memory of 2912	2868	cmd.exe	36
PID 2868 wrote to memory of 2912	2868	cmd.exe	36
PID 2868 wrote to memory of 2628	2868	cmd.exe	37
PID 2868 wrote to memory of 2628	2868	cmd.exe	37
PID 2868 wrote to memory of 2628	2868	cmd.exe	37
PID 2868 wrote to memory of 2628	2868	cmd.exe	37
PID 2868 wrote to memory of 3052	2868	cmd.exe	38
PID 2868 wrote to memory of 3052	2868	cmd.exe	38
PID 2868 wrote to memory of 3052	2868	cmd.exe	38
PID 2868 wrote to memory of 3052	2868	cmd.exe	38
PID 2868 wrote to memory of 876	2868	cmd.exe	39
PID 2868 wrote to memory of 876	2868	cmd.exe	39
PID 2868 wrote to memory of 876	2868	cmd.exe	39
PID 2868 wrote to memory of 876	2868	cmd.exe	39
PID 2868 wrote to memory of 2652	2868	cmd.exe	40
PID 2868 wrote to memory of 2652	2868	cmd.exe	40
PID 2868 wrote to memory of 2652	2868	cmd.exe	40
PID 2868 wrote to memory of 2652	2868	cmd.exe	40
PID 2868 wrote to memory of 1940	2868	cmd.exe	41
PID 2868 wrote to memory of 1940	2868	cmd.exe	41
PID 2868 wrote to memory of 1940	2868	cmd.exe	41
PID 2868 wrote to memory of 1940	2868	cmd.exe	41
PID 2868 wrote to memory of 3016	2868	cmd.exe	42
PID 2868 wrote to memory of 3016	2868	cmd.exe	42
PID 2868 wrote to memory of 3016	2868	cmd.exe	42
PID 2868 wrote to memory of 3016	2868	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Elderly Elderly.cmd & Elderly.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2936
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2156
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 833075
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Knights
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "COMMUNITIES" Expiration
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 833075\Auditor.com + Teacher + Belkin + Streams + Urls + Reunion + Le + Auctions + Suburban + Lotus + Cio 833075\Auditor.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Die + ..\Folding + ..\Compete + ..\Bukkake + ..\Newer + ..\Common + ..\Relying c
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\833075\Auditor.com
    Auditor.com c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1940
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\833075\Auditor.com

Filesize
1KB

MD5
95799d47b08d0a83c2315ff39e062787

SHA1
9ea6ed4fe71050d9ca599f9c237f4659bc2e4e44

SHA256
cbe7febb2b721f7468e69f91832b2fce3fb464b6196a7fa5aea40cd3704aa8ce

SHA512
21734937fcbf39c25269779f188a451a7aae1da3c116403f8c0cfa312c865937fa1df44e982e1891a5fc91af6253f259d62ca5b97db1a60752f0b9708ca48853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\833075\c

Filesize
471KB

MD5
c16f1f2ddd12c58877c0403595ebc291

SHA1
81a9dfff63aa34b20f335cde358eec06b4d6ba42

SHA256
d9f559ca6c3b4302b70851a95c3fe1bda2ab040b669f2665d6116b3f535ecd4e

SHA512
7b01fd23ab0f07fa13decfe44130b02ff298c237b897db4697fc4383635e3da3deab5bbf70deec68712db29ef76f1c7af21d5ff1fceb9290c23bc6dd76930d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Auctions

Filesize
59KB

MD5
4f989fe2288df507824795891db37ad3

SHA1
04d1c1e8b73e7505cda1ee59ff334c9e4f90c98d

SHA256
5c9fd76e22bc14be1a78ce29eaf0c7ab3dfd202c90d00af713db269215fc9705

SHA512
16fa0ccd15f2c7fe41af7ca8e75b0336412e1150a12b927b1f8bc14abc3179a34a60340b530046880c63c9aa54c968bf1b9540cbe6d79248981caf7ca1a49d40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Belkin

Filesize
87KB

MD5
4a74fe9a414178e272a121e0aefb4fde

SHA1
61cff1e2e68f659fa655353155fe8e688dcd52e2

SHA256
a6f85ed9eaf661638dac027224afcc4435be462c1102eb84ad3557b362b5b027

SHA512
94bd356a202d4d27a946a7131b8de9c05a7ff11f2c7ead65381ed2550f2014cda1ac27004041c5181a62ea68f67a051b1312cdfca013b93b8bda9c0295f40430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Bukkake

Filesize
62KB

MD5
a853f8ba23ee9006672430226faa209d

SHA1
e5819c98ab22d6821551e8ed79c094bf4abbadd3

SHA256
ebcd770dd258f448ffc4ae24ef89100e8b0f320d0299e64589c91b4ed23bde73

SHA512
bff70b15f1a6ae193bc85b1fe6c5e64bb24ea2136fd9f18fdc8292cba1bfb02c371593dceb80fde5708d061697c37632799ccd8c0784899cb0e8a716e805b000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cio

Filesize
14KB

MD5
8bb1164f4f404739f54cd316c8e8b36d

SHA1
655244bf3b18ce2f4fb36c0e8880fc8df91f75f1

SHA256
89e6c32c015562cbbee1f2845baf10cf0050c4b0d03922b7118c14267a12d098

SHA512
fda9a87c772c0fe932bb20d1e4c793e18c2412993b1948dc210bdab1a09e565fdc16887897386b46449c2b9854f9aff24610ee892b2a33ebd15ee465e2ce4929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Common

Filesize
62KB

MD5
3343bab5952bde5f6e5f5e0aeffbfaa0

SHA1
190de1b9591fdf2a6efc81d101c4cfc10357216c

SHA256
3476a2a20531ed13d054a62d54edbc1082565ce9cfb97997e14a88c503ef5925

SHA512
7863d4da0542994587cc248ba2fc97ac3e4d59ff6eef67b5743f2ed7499ad6440fd1976c081477222eeb99a8e1806424b6f96aa04284a6308972449485d30f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Compete

Filesize
96KB

MD5
ea7349cd6b023cbcb6e7b35e7f743ca3

SHA1
33f60bfd3ddb6d06f52ffb6a0b500c8228815e17

SHA256
3690cf2a6d0d0764d8900a68684c0681ae1a0be0fe83de235bfe330281c94849

SHA512
c21f1e445cfcd19760aa7ab0ff2ad769b6a79657f88b4a280ba8cd8efc211f12a4465f9feefc4475e772f803407ddd586bf075cbc70a3bc37d1be9ccea42a38e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Die

Filesize
55KB

MD5
e8fd86d8f17e2f3544e3e1fa98d3099c

SHA1
31df18ba4beaefccc790465ea9a6977fc362a887

SHA256
0986e457bd65e8bd51df4fee0d40121eab968c4695810dd9e3b185cf94e30d4a

SHA512
647749daa7cc00d8abd6ff4bf176478ee998dbd0c78931d0f1ddf5e269465c0e7d00f7c7f0005be021bd1694316422a08b48991370d62bb233fd7c5e11186270

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Elderly

Filesize
21KB

MD5
2b346f7f697da242fbbdd4cac81832f5

SHA1
c42977d8b070b85e83a432758486b1d95d26f53f

SHA256
6a3af83883e8aede7285e3dec81544a800a0581e8f3200e20c5379e0318208db

SHA512
d456fc01413bd33f935919ddb2c2baffc89d88a201cd035198de1cd82993473c9d6594ba489bc5a0d5ca8cd6f699101f8ba58bcf2f476b9a76602d90d9703c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Expiration

Filesize
1KB

MD5
3c2f564f0e6cf845f275c0c260d8e2d7

SHA1
cd64eec775ccfcfbf40eac824776e7b916c0096b

SHA256
77d4e41b168f50fd0602a36175189fb9824557dac9c8e7d8069ad350ff52a70b

SHA512
29b9feaab2f140fd5fe2e3dc1b93fe0550f75d7245a02144eef320b2a56df5b2e49bbb8368d63fe9cb7a4cd4821959c3f1a5dbc172bd75dcd2551f79d1e66716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Folding

Filesize
74KB

MD5
3eb6148b77b49e7e5d666f6735c3e4e0

SHA1
080bce92426eb4784ebfa7ce49740cf9e5666c06

SHA256
a715dd8459669aac579b6f5dcf0eb41348d6f5f72696a51dce56e524f9cf3715

SHA512
ab9476c117864d20c326cbde4398b4df7631181e5de41e266693adcad40ea7462b31376fed556feb272f4d88c63b31e0a67e708ac6b809601e4d473e7bcf1976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Knights

Filesize
477KB

MD5
c51929f6b56df082636303912abefccc

SHA1
fc9b0adc28d41c69628ca6c8d5f6faffd59bb801

SHA256
c6d95cccaf4295a357fa068f16094307252c0cbaeb0e07ed77d8c22ae7021066

SHA512
d05422d3c7e2b5ebfde8f906a8229d9f74c390da3dba2f692c76c49e76be3d92e8139f1227bd0b8f82a6c1da637a7f306fec47c8d98047cd813d973d72bb04a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Le

Filesize
55KB

MD5
54faecf50af8404b2420efc817866573

SHA1
99bd647c28703db2f2bc2b477bf4406de6ae4bdb

SHA256
7590140370bf630a10c5efc54170d737f33c30c8934d88d0613b6a3c03949a39

SHA512
e2709e435653a561794a25a17b8210ca3e383199ed9b9e016dab76cdd3bc80898bf14a76ee69b5ad2d9e71b79cefda78f20fc717c0b7afa20911847c5170dbc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lotus

Filesize
129KB

MD5
12b3dc27d331d7fcc10fbe2b079cd7c2

SHA1
b8c0ac1b928aa153f5787f096f9ba49a0ce6d3bf

SHA256
c1dc610ae31e6897175be00530632ba1aa78f690f7ad4d80d92f9b97c0d613f0

SHA512
3ce8054ec9c4b85e2bda8feb7b822a02c1c43736252f47916916fceb52ba675dcd2ca9cff59403a50eda1eb5d95ae87a66c591933fdb07b1b979b3365b6764c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Newer

Filesize
89KB

MD5
f3c461d3382ca719ed889794a105969a

SHA1
9f809658408b124da902b5f9ec804e63959d3115

SHA256
a135bad5fd34c8daf8e37f7991d50b250c4c52fb1eb8188a022161c0f3860050

SHA512
4a74f6f5d89a44b2929a5d625fa3963916f3b15a5073c98b20f5ab69422b12aeb7bec40d711e440f538812438869254ec7cf323b0c2e9331f04e47e50f92fe30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Relying

Filesize
33KB

MD5
85710221e954089fe03a7e0a36d37961

SHA1
4661d6e6206d5568341e42531cf425efbe260a70

SHA256
672e5aab02ffd641ba59de12ab059bcb1b9d13c96497d993d1de241b8fc23911

SHA512
3c348b4c455990ebc5f7cd9736f8b467245f4d8e57846d5c0ba6509615c9c1207493f1947c4a86c0beb78d4d09fad5a166fde73be42c0a3d7565aefd064c6e9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Reunion

Filesize
99KB

MD5
23f57f85b7751c2aa5e2bcf14b7a71ba

SHA1
c2f1ebd04828e5283bf1f16b0a2be345fbfc9afb

SHA256
c1f4c250e2ec3bca004a576fc0bb2406c6969cd987d9dbd384353536ce7c30af

SHA512
38ad408585127d28eb5e77a3089f0db00cf792d30f67b7ef260093a63f36f0ffef20ef8cee6fd4961ddd8543baa738602c3a337b74ed7f2ebbbffde84bd5d799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Streams

Filesize
136KB

MD5
c809040cbe80646e91bfd8ac5b14b5ce

SHA1
60f9672e2a347d9c8f544e7ffd1ff5092a09de69

SHA256
5cf443b3b203b24e54693b6d8d1542573c26df58db51078e5b9f8c0bd3f11f4a

SHA512
06bf7dc5d1eea9b3f75f544ee32ca21e6a9c64ea0c5b60ea355e117ab836037e557d3beefa2cd3ab9996cd20ee1d8d0459b687950c74e8a7da182707542a7110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Suburban

Filesize
118KB

MD5
d5604fd884b523a093525077b879e755

SHA1
9da375a5441c7387231fc4f0368858cba1922880

SHA256
e251d31724ca24a174ee34b140adcf03120532931c7efe59a56283d79b58001f

SHA512
d5f0d895f25d445cd6711ff6e9502af7e6ab7a08ca7bd0cb49a1bf556f14e081d42d200fe4202d9923f5b7b7abc43388f902dde9cc10f16e259652aa06c1b598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Teacher

Filesize
96KB

MD5
72878bb5088e9d99d1a1595bff6bbbb1

SHA1
edf4f87d2e866f86c4456f626052cb486a742bbb

SHA256
f7bc585dc9221cd5bdaae306b55391c0736ffe0bae9414a1545d2d2b1663c860

SHA512
793c261032a8d6f90f119de6f1bc28f6b64809b8ff66b39db704f2bfda463b90f6238b9289cfa1dcc143e21c7e13be61c205a9282ffcceaf38ffc696cc4b3103

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Urls

Filesize
130KB

MD5
d8d7e8a8e845dfd84628cfcb956161db

SHA1
04385cfccbacfda98a50cbc3e6d2eec3243faaa2

SHA256
d56964936063f21b78a588bc18d0cd790591962bbb6017fc8044eda3acbb84ae

SHA512
184516d98bfd5494bcd23940f422c13dd269646ce5398db468925d7c513639a35604cfcba135e0430383615ab93e52ad5882a56dc7649a2ea26e9ce6e2de65b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB7FB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB85C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\833075\Auditor.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1940-73-0x00000000042B0000-0x0000000004305000-memory.dmp

Filesize
340KB

Download
memory/1940-72-0x00000000042B0000-0x0000000004305000-memory.dmp

Filesize
340KB

Download
memory/1940-71-0x00000000042B0000-0x0000000004305000-memory.dmp

Filesize
340KB

Download
memory/1940-75-0x00000000042B0000-0x0000000004305000-memory.dmp

Filesize
340KB

Download
memory/1940-74-0x00000000042B0000-0x0000000004305000-memory.dmp

Filesize
340KB

Download