lumma | 71b00657f156b1b2a4aed6986abe0bd805e1277b739eb36cc75d70f675cb0ad8

Analysis

max time kernel
244s
max time network
246s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05-01-2025 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file (4).7z
Size

10.5MB
MD5

9861bea09429454b4eafc07e6909e5f0
SHA1

f4a66b2f2a7bc75c50a489b517438269931b0670
SHA256

71b00657f156b1b2a4aed6986abe0bd805e1277b739eb36cc75d70f675cb0ad8
SHA512

a68188d19b5d7fc4c3b5f2726432ba928e0f4380be6eb9356e43e2811353dc28109a850b2156058febd587ac68ffa728a8bd287c1ccf1624b84a19fb72418171
SSDEEP

196608:LSfzUDC7twljDKb9nf6FO7q2XIn8y3GANJxije/LZOuRaFVwa1tDwlxcxANwfM70:LSb2Y36FO7qlXWANfljZOuRabwa1JUxU

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://detailshaeje.cfd/api

Extracted

Family

lumma

https://detailshaeje.cfd/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3226857575-536881564-1522996248-1000\Control Panel\International\Geo\Nation	file.exe

Executes dropped EXE 32 IoCs

pid	Process
2376	file.exe
4340	Vault.com
1020	file.exe
2964	file.exe
3548	Vault.com
1544	file.exe
1224	Vault.com
1152	Vault.com
4924	Vault.com
4476	Vault.com
3744	Vault.com
4564	Vault.com
188	file.exe
2328	file.exe
4416	Vault.com
2832	file.exe
1652	file.exe
4524	Vault.com
4452	Vault.com
3232	Vault.com
5084	file.exe
792	file.exe
392	Vault.com
2244	Vault.com
2660	Vault.com
1776	Vault.com
1648	Vault.com
1404	Vault.com
1192	Vault.com
4752	Vault.com
4912	Vault.com
1144	Vault.com

Enumerates processes with tasklist 1 TTPs 20 IoCs

discovery

Process Discovery

T1057

pid	Process
2812	tasklist.exe
2848	tasklist.exe
4868	tasklist.exe
5076	tasklist.exe
4688	tasklist.exe
4928	tasklist.exe
2932	tasklist.exe
324	tasklist.exe
3760	tasklist.exe
4064	tasklist.exe
3640	tasklist.exe
3276	tasklist.exe
1920	tasklist.exe
376	tasklist.exe
1940	tasklist.exe
3780	tasklist.exe
4872	tasklist.exe
928	tasklist.exe
224	tasklist.exe
2928	tasklist.exe

Suspicious use of SetThreadContext 10 IoCs

description	pid	Process	procid_target
PID 4340 set thread context of 4924	4340	Vault.com	154
PID 3548 set thread context of 4476	3548	Vault.com	155
PID 1224 set thread context of 3744	1224	Vault.com	156
PID 1152 set thread context of 4564	1152	Vault.com	157
PID 4416 set thread context of 392	4416	Vault.com	223
PID 4524 set thread context of 1648	4524	Vault.com	224
PID 4452 set thread context of 1404	4452	Vault.com	225
PID 3232 set thread context of 1192	3232	Vault.com	231
PID 2244 set thread context of 4912	2244	Vault.com	242
PID 1776 set thread context of 1144	1776	Vault.com	244

Drops file in Windows directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\PstServed	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\CouncilsReview	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\DetailsAnalog	file.exe
File opened for modification	C:\Windows\RejectTransmission	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe
File opened for modification	C:\Windows\IntranetCave	file.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vault.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4340	Vault.com
4340	Vault.com
4340	Vault.com
4340	Vault.com
4340	Vault.com
4340	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
4340	Vault.com
4340	Vault.com
4340	Vault.com
4340	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3568	7zFM.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeRestorePrivilege	3568	7zFM.exe
Token: 35	3568	7zFM.exe
Token: SeSecurityPrivilege	3568	7zFM.exe
Token: SeDebugPrivilege	376	tasklist.exe
Token: SeDebugPrivilege	1940	tasklist.exe
Token: SeDebugPrivilege	3780	tasklist.exe
Token: SeDebugPrivilege	4872	tasklist.exe
Token: SeDebugPrivilege	5076	tasklist.exe
Token: SeDebugPrivilege	324	tasklist.exe
Token: SeDebugPrivilege	4688	tasklist.exe
Token: SeDebugPrivilege	928	tasklist.exe
Token: SeDebugPrivilege	224	tasklist.exe
Token: SeDebugPrivilege	2928	tasklist.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeDebugPrivilege	3760	tasklist.exe
Token: SeDebugPrivilege	4064	tasklist.exe
Token: SeDebugPrivilege	1920	tasklist.exe
Token: SeDebugPrivilege	2848	tasklist.exe
Token: SeDebugPrivilege	4928	tasklist.exe
Token: SeDebugPrivilege	3640	tasklist.exe
Token: SeDebugPrivilege	4868	tasklist.exe
Token: SeDebugPrivilege	3276	tasklist.exe
Token: SeDebugPrivilege	2932	tasklist.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
3568	7zFM.exe
3568	7zFM.exe
4340	Vault.com
4340	Vault.com
4340	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com
2244	Vault.com
2244	Vault.com
2244	Vault.com
1776	Vault.com
1776	Vault.com
1776	Vault.com

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4340	Vault.com
4340	Vault.com
4340	Vault.com
3548	Vault.com
3548	Vault.com
3548	Vault.com
1224	Vault.com
1224	Vault.com
1224	Vault.com
1152	Vault.com
1152	Vault.com
1152	Vault.com
4416	Vault.com
4416	Vault.com
4416	Vault.com
4524	Vault.com
4524	Vault.com
4524	Vault.com
4452	Vault.com
4452	Vault.com
4452	Vault.com
3232	Vault.com
3232	Vault.com
3232	Vault.com
2244	Vault.com
2244	Vault.com
2244	Vault.com
1776	Vault.com
1776	Vault.com
1776	Vault.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 4936	2376	file.exe	101
PID 2376 wrote to memory of 4936	2376	file.exe	101
PID 2376 wrote to memory of 4936	2376	file.exe	101
PID 4936 wrote to memory of 376	4936	cmd.exe	103
PID 4936 wrote to memory of 376	4936	cmd.exe	103
PID 4936 wrote to memory of 376	4936	cmd.exe	103
PID 4936 wrote to memory of 1460	4936	cmd.exe	104
PID 4936 wrote to memory of 1460	4936	cmd.exe	104
PID 4936 wrote to memory of 1460	4936	cmd.exe	104
PID 4936 wrote to memory of 1940	4936	cmd.exe	106
PID 4936 wrote to memory of 1940	4936	cmd.exe	106
PID 4936 wrote to memory of 1940	4936	cmd.exe	106
PID 4936 wrote to memory of 1256	4936	cmd.exe	107
PID 4936 wrote to memory of 1256	4936	cmd.exe	107
PID 4936 wrote to memory of 1256	4936	cmd.exe	107
PID 4936 wrote to memory of 4696	4936	cmd.exe	108
PID 4936 wrote to memory of 4696	4936	cmd.exe	108
PID 4936 wrote to memory of 4696	4936	cmd.exe	108
PID 4936 wrote to memory of 4608	4936	cmd.exe	109
PID 4936 wrote to memory of 4608	4936	cmd.exe	109
PID 4936 wrote to memory of 4608	4936	cmd.exe	109
PID 4936 wrote to memory of 4472	4936	cmd.exe	110
PID 4936 wrote to memory of 4472	4936	cmd.exe	110
PID 4936 wrote to memory of 4472	4936	cmd.exe	110
PID 4936 wrote to memory of 3852	4936	cmd.exe	111
PID 4936 wrote to memory of 3852	4936	cmd.exe	111
PID 4936 wrote to memory of 3852	4936	cmd.exe	111
PID 4936 wrote to memory of 1148	4936	cmd.exe	112
PID 4936 wrote to memory of 1148	4936	cmd.exe	112
PID 4936 wrote to memory of 1148	4936	cmd.exe	112
PID 4936 wrote to memory of 4340	4936	cmd.exe	113
PID 4936 wrote to memory of 4340	4936	cmd.exe	113
PID 4936 wrote to memory of 4340	4936	cmd.exe	113
PID 4936 wrote to memory of 1916	4936	cmd.exe	114
PID 4936 wrote to memory of 1916	4936	cmd.exe	114
PID 4936 wrote to memory of 1916	4936	cmd.exe	114
PID 1020 wrote to memory of 3612	1020	file.exe	116
PID 1020 wrote to memory of 3612	1020	file.exe	116
PID 1020 wrote to memory of 3612	1020	file.exe	116
PID 3612 wrote to memory of 3780	3612	cmd.exe	118
PID 3612 wrote to memory of 3780	3612	cmd.exe	118
PID 3612 wrote to memory of 3780	3612	cmd.exe	118
PID 3612 wrote to memory of 4304	3612	cmd.exe	119
PID 3612 wrote to memory of 4304	3612	cmd.exe	119
PID 3612 wrote to memory of 4304	3612	cmd.exe	119
PID 3612 wrote to memory of 4872	3612	cmd.exe	120
PID 3612 wrote to memory of 4872	3612	cmd.exe	120
PID 3612 wrote to memory of 4872	3612	cmd.exe	120
PID 3612 wrote to memory of 1380	3612	cmd.exe	121
PID 3612 wrote to memory of 1380	3612	cmd.exe	121
PID 3612 wrote to memory of 1380	3612	cmd.exe	121
PID 3612 wrote to memory of 224	3612	cmd.exe	123
PID 3612 wrote to memory of 224	3612	cmd.exe	123
PID 3612 wrote to memory of 224	3612	cmd.exe	123
PID 3612 wrote to memory of 4072	3612	cmd.exe	124
PID 3612 wrote to memory of 4072	3612	cmd.exe	124
PID 3612 wrote to memory of 4072	3612	cmd.exe	124
PID 2964 wrote to memory of 1588	2964	file.exe	125
PID 2964 wrote to memory of 1588	2964	file.exe	125
PID 2964 wrote to memory of 1588	2964	file.exe	125
PID 3612 wrote to memory of 3664	3612	cmd.exe	127
PID 3612 wrote to memory of 3664	3612	cmd.exe	127
PID 3612 wrote to memory of 3664	3612	cmd.exe	127
PID 3612 wrote to memory of 4456	3612	cmd.exe	128

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\file (4).7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3568

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4936
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:376
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1460
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:4608
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Sleeps" Vessel
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:3852
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4340
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:4924
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1916

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3780
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:4304
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    PID:224
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4072
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4456
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3548
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:4476
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4416

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5076
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4640
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:324
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    PID:1132
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:4060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    PID:564
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1224
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:3744
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4584

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1544
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  PID:4844
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:928
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4164
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    PID:3096
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1152
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4564
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4108

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:224
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2928
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    - System Location Discovery: System Language Discovery
    PID:548
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Sleeps" Vessel
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:856
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4416
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:392
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1264

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4848
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3760
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1996
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:3804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    PID:552
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4524
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:1648
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:4564

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2436
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4064
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1920
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4444
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4872
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1364
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4452
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1404
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4164

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:1652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  PID:4876
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4928
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1476
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4844
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3232
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:2660
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1192
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  PID:644
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3640
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:4256
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3644
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    PID:3664
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2244
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:4912
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:1772

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
PID:792
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Optimize Optimize.cmd & Optimize.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1912
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3276
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    PID:4760
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 546325
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Learners
    3⤵
    - System Location Discovery: System Language Discovery
    PID:416
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 546325\Vault.com + Sandra + Filled + Ours + Egg + Circumstances + Small + Operating + Death + Inquiries + Reception 546325\Vault.com
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Cal + ..\Slightly + ..\Handed + ..\Uni + ..\Eco + ..\Chrome + ..\Melbourne E
    3⤵
    PID:552
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
    Vault.com E
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1776
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:4752
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com
      4⤵
      Executes dropped EXE
      PID:1144
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\E

Filesize
483KB

MD5
df0f6568abc17bb254a1179ce06d8ac9

SHA1
e0bf28f35f5d1a88cdab86042c79ff649201df02

SHA256
5df73a3f5b7ba2af6d5ec60ff8b2269dda34cf6843f29f716cd94770b61bc0b7

SHA512
67d68309c9683c71d8fcbc680fd7a1403dc144be94f710022369f46bc7adca60dbc55cbe0785afacb37750bdd732e287d52dc2593ee313e75a0df76e127ada0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com

Filesize
755B

MD5
05d654e595a0b52fa056972ba826fd58

SHA1
3cba2183dd8ba3cc6f334138f39fc5150f008253

SHA256
f5c37a706cdcf13a6e78fa66f53244692d67bcaabdfd34a948ef747683cd3658

SHA512
6567c8396356b41357a25a8db6d1048d1317e6bb9046cda70a0cd4b82eac8cf21876eac59aa2786cb6aca0795be265f55a3504b581d29ae4cae45d1d2b7617fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\546325\Vault.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cal

Filesize
65KB

MD5
96817ed779dd7000a3f2137ed87189ed

SHA1
0d1a40df9467a594f2549706bf87f9f565688a45

SHA256
35329d71f708a5de45a920fcb078b65f65f53ae0836afb2d7c6299ea88ad208e

SHA512
41da8f5bb7373f74e1b1836d3e97a4dfd330b6e60625af466791579fcbdbbf56f371fa12228786988537359724f2d086c3d5a244f74880e685d140ace5de20a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chrome

Filesize
58KB

MD5
e5a4caa82d7869e676fcf78846fe983b

SHA1
dda4a6b84789971c05434f68afcb10377b3a0221

SHA256
95acee660862383146de220182fcfbfff6c8ad3b4ffdbf8f8966727da9ab7400

SHA512
6d03d3be56263ac3265ef23a5ef3f97a98e28091ea0c73b1e0fa190b7075318daf55e792a90a145310b856d339412d6c71d54b439fae2cfbb5a1eb1136c98ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Circumstances

Filesize
108KB

MD5
0165da60d34a2a363287ac64098b84b5

SHA1
2bf47ff8da6b5121a0e851277e8a9f2886259eab

SHA256
bca1e6fae3ea0bfd01335e45b5d77470d8d7b8ea6962ae1b28ff872146d753cc

SHA512
183ef257631bff9a7da89ea474620d576900d8927be3209bdcfa1f0f804195fb208395a446e77211cb49103fb18110586efd01be6de708863b2262762054a691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Death

Filesize
147KB

MD5
b580ff0b1525303ae26f8bab6e2b2559

SHA1
ea41a7401acb5e7f56c421f425d9941b61072d26

SHA256
d3a6dd7515e8c2ff69c735f30e945b12d71f214f518a57547a2fbddb8ceab2ae

SHA512
55dc0cbb0eb19106bb9702a7384791d8f9403e5b78e3842d18357ee03e2602baff9a2253163c88e385da539892ec97edf5f20048a6adb4af1b96c809e0246433

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eco

Filesize
86KB

MD5
8dee0d38486d2243886650bdd689a7e3

SHA1
eb0f8213ab752fc93010a9a7da9aec8673e9aa1b

SHA256
beb2d5364843791832fee351dc6db11c804911b816011e7818e8bfa424a84080

SHA512
bf7e8ade22da886ab3333ecfd1644c6153b8757afb8d4d249faad0d719b91eb41e4a6340969868865f00cc555dd6c7f263caf802a80d904f28cad8bf4ed28a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Egg

Filesize
92KB

MD5
3614631a01488b054482e032ac5dbf1a

SHA1
1953d0e5730bd08f7413418d554ffc824c9738a4

SHA256
9f7d76b6cc10b7a74569292347e6f89ad280da997c44acdf40525bb5c280a1b5

SHA512
f1bb65ef807acc271671d4f50254fcd63dbf636e910fe804c2b2bf3b3a986ae00eafe964996086e4ce15143b1ef3ac58a77a26d2565746956cd0ea05c2118221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Filled

Filesize
149KB

MD5
f38bb3ab269c94305d56ab464ad936fa

SHA1
c156fc9e4efda5cc54f443738ee1a33930a2e6b7

SHA256
15a796044d37d1fb5b45aee9de903ca7407ddf7c29e80b52d93d950f9cdab7db

SHA512
db7a7e8f26c881bca7003aa4a3de6fd0081eecd0ed7a34c374be4488621442a8402cf20e3321da0cd0ddb663e894a4e3af89bca9ac1f69d3cf1bc4719dec3c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Handed

Filesize
63KB

MD5
af07fbcbf92db52a4395c2e71e647ede

SHA1
3ce0567596775000adfc0fc9c20d729a398c5c04

SHA256
281031bfd76c1122e2d79ebafd2086d52ffcbe1f3868bb2aa3a07537a74c20b2

SHA512
6cd781a0eb13426d2f8482634ee1423dfb5c3700556bb781463ce8f002e5e7b9d565ec4f500c906b7cd6bc87c22331ccc955967c7130786d9231a4017cacd6a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Handed

Filesize
66KB

MD5
2eb7f77a9873ac9cd3dc87694a8df572

SHA1
0f46a796ad77fdd2fcf0418b4a7dd14a4a334058

SHA256
ae6eea71eafd4bce8cb603353f9cddee2d123aa3a00b3f22a495aa8da21f28f2

SHA512
0c8a29bd4062e5aa4eb6a712d2a411e33356bafa3138b63def3e4549f1ce98d706f4194e959ae3b1f5f55037aea48630097bafdd135590dd781a81afc0f5904e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Inquiries

Filesize
64KB

MD5
69f962402be76f9a3ae3a106c36a3111

SHA1
28669b6c22dcef647f9ad54d4042703c6e7b4561

SHA256
e92fa0abfbb990aca0ec469e7c6b37ba2538429246b44cda3173eabd24b2aaa1

SHA512
1a9947f5c07978ad42fb1ca16b5155078c0bec82e8f8545d76b0283752a1f0aee451de27e00488107003b90e1988fc898f3b33a0f795c20e6f0a0ef4ca22df0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Learners

Filesize
479KB

MD5
4580d0bfe95e1c4296275d41a686c76e

SHA1
4abc4ce9a2f0861d30b333f070de73403a22deea

SHA256
14d12dc7ea25a20312b4844641c45674ec3ceea0e0b427a70bf9665002035bf9

SHA512
5b69554cd46e066bb29a2f4e71d4236762b7678a477a14ad409ee957b996fa29854f63080a6d69e255edeb12304f0c6dfc8ad1e6d25a91bf1f13de5fbc925851

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Melbourne

Filesize
73KB

MD5
a4b84a58543f88c10d471a73e3ee8a88

SHA1
0b681670166272fc58d074e392362d9432260987

SHA256
8599719ffcd778c57096561523ec9d01a610ce8f1c9fb68f4bc4a5d9fbf8bbb5

SHA512
c3caa271b37bf631414205b3210cc695211a644127ae364c302b4720d2aff00fc1b8644b7b3265052fca600491d7707e4f2fa2cdadcf8b6cd824f0cbb85ebc71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Operating

Filesize
52KB

MD5
81b641477a442d0acc40b65e61c97a1b

SHA1
065958c4c2b053a3167f843f85e1024d0b2e786a

SHA256
3f69411da3639774322ecb5c3847448d2a86f72cfd0c49bb8d00bacb1f97dbad

SHA512
1ea8d6568ff5cb12730a4d67ceedef7c95bfd62703f1224d20ea9c86256a304dada70d262fa4ab68e39e34dcf90ef102f63756feca29159bc41eefb7691ff2cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Optimize

Filesize
13KB

MD5
25f5720a25088fc7efd740633e263de7

SHA1
748f7c422204bbccfec665bb9b1e66116ef27257

SHA256
c603f816c8d5bffc4254ba401f01e9855a578f4440657e68ca1a599ebdba5298

SHA512
1b8a7941670c8c9e32a090aba7dd8f4999b0ab97beca621a1e0953f221096cf1e17ba57223327e5109cae36aeccf370079a34093317c09a5554b2ccde537f9fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ours

Filesize
71KB

MD5
a196bb04e630190537897872f4a70610

SHA1
8a6152c381b3f900d818b41c43a9722a3143b044

SHA256
a90590eb9462cdf0a50031d70d54a076facfa79b1059f123771d9fa7d57217b8

SHA512
7e13c576678f40d5a5b8a27ef397fda4d808cc07db345158cb65fc6bbe22ca0ab9db8c8feea8160ad0d3cc5f6ed23ab12bce736df7e94dc69014cc9261762116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Reception

Filesize
22KB

MD5
4b756fdcca1fce3a4cedc3d9ca8a3df9

SHA1
cf80a81a8f449c1e126ae5590301aadc160df14d

SHA256
7f9772e958fbf7508a48e8260aacb381cb57dda73546ea226031431a70d974f9

SHA512
bfe633e43797d29d487a353e1bfa45f4d33d276ecaf9b7da7631ac13035fe0cb4306c2df134a6348f7a6685e6ad610c35caad438a344d9fa88b58ca8ba84ad2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sandra

Filesize
89KB

MD5
99fc2a087a974fca8a3340451df085b7

SHA1
75b3e73643606d419c393e90630772e423613fee

SHA256
df22b8906fad24405255347ff335be66fd021e817795970b845ccc09d766fe46

SHA512
701004f8379063e629da1098991bff91137e66a1a25e82bca8a4d98a948c7938dd8090705cea5c6022e51beaec198c2db1e48dcdcd3acaf4202a3c78e7a2d1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Slightly

Filesize
60KB

MD5
bb04ddae79d8f32c1629428f582b8f41

SHA1
ee8d11da5a575898f13cb166e89cd131cf039302

SHA256
2873a0db0bc4b1cec38a19ebf8cd959cab07f8bdcc91e3e64d8ef49265be26d0

SHA512
17288a3490e89a16d5789690e2375d075f9685c94c795554c4e75a3383265e7bb7eb70d9f8c794d5d6a7de82ce6b8cb1b469f00824bfc4fa31ce1a0454903c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Small

Filesize
130KB

MD5
4ff68398449417b6d5b4aa2482cfe7b8

SHA1
23dedd3d292c8ffadcc1811753598312e0d5a9cb

SHA256
6526ccb4d0f6c12a158538b43bb34750e7cc3755fadd1690efc331aa146c2941

SHA512
1a8979a0ef588381e73fc116276572b1591b5fb03d67f24911e0a3cd06c71bb026f5c7a64a84d7b658614b468bc5addf19f37d6045191e87948ad7f386f54077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Uni

Filesize
75KB

MD5
f31ca5a0a4f2400fce2dae6dc5012fa1

SHA1
6778af6607cb2955ba1903167e6d6be6b8074be6

SHA256
413f2a41c139aec6ee974dad3f50cb85640909be2b25958a3011145b032f96d9

SHA512
1289e605c79542f40d56af8e6aba989145e01da23915bc818664c6a0b2686988c6552040d6ae311a568898e6c32eb90743b2ef40bc9fecae12571ebc62a1ce9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vessel

Filesize
761B

MD5
40fac3fba35d8d9482d54ac5da23c326

SHA1
ccae6a535db71fbd38c15865cd9710907bbd1d92

SHA256
9292149984974a6b6a10bda8ec38c65865f0e435b912c430c901d5250e78f202

SHA512
8df390f830712beeec4a55154211ac22f82c4621c2c568124b20ac5b3a20ed9e5efc37cb78f1098a9e5d1c37fba8b37029a596cc177d54e56b8dd73a16dc1059

Download Submit
memory/392-483-0x00000000013C0000-0x0000000001412000-memory.dmp

Filesize
328KB

Download
memory/392-484-0x00000000013C0000-0x0000000001412000-memory.dmp

Filesize
328KB

Download
memory/1144-533-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/1144-532-0x0000000000550000-0x00000000005A2000-memory.dmp

Filesize
328KB

Download
memory/1192-527-0x0000000000FC0000-0x0000000001012000-memory.dmp

Filesize
328KB

Download
memory/1192-526-0x0000000000FC0000-0x0000000001012000-memory.dmp

Filesize
328KB

Download
memory/1404-525-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/1404-524-0x0000000000790000-0x00000000007E2000-memory.dmp

Filesize
328KB

Download
memory/1648-522-0x0000000001680000-0x00000000016D2000-memory.dmp

Filesize
328KB

Download
memory/1648-523-0x0000000001680000-0x00000000016D2000-memory.dmp

Filesize
328KB

Download
memory/3744-251-0x0000000000760000-0x00000000007B2000-memory.dmp

Filesize
328KB

Download
memory/3744-250-0x0000000000760000-0x00000000007B2000-memory.dmp

Filesize
328KB

Download
memory/4476-249-0x0000000001600000-0x0000000001652000-memory.dmp

Filesize
328KB

Download
memory/4476-247-0x0000000001600000-0x0000000001652000-memory.dmp

Filesize
328KB

Download
memory/4564-253-0x00000000005A0000-0x00000000005F2000-memory.dmp

Filesize
328KB

Download
memory/4564-252-0x00000000005A0000-0x00000000005F2000-memory.dmp

Filesize
328KB

Download
memory/4912-530-0x0000000000C40000-0x0000000000C92000-memory.dmp

Filesize
328KB

Download
memory/4912-531-0x0000000000C40000-0x0000000000C92000-memory.dmp

Filesize
328KB

Download
memory/4924-242-0x0000000001260000-0x00000000012B2000-memory.dmp

Filesize
328KB

Download
memory/4924-243-0x0000000001260000-0x00000000012B2000-memory.dmp

Filesize
328KB

Download
memory/4924-244-0x0000000001260000-0x00000000012B2000-memory.dmp

Filesize
328KB

Download