lumma | bcd89261e8260d0498651bcf52a817cc6221c0c39e96c262d22c5006bff8894a

Resubmissions

07-01-2025 18:54

250107-xkezvawjdn 10

07-01-2025 17:04

250107-vk9s4s1rhn 10

29-12-2024 00:57

241229-ba8nhsxlaw 10

Analysis

max time kernel
49s
max time network
59s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

griefinsight.t.me.exe
Size

36.4MB
MD5

ccdff4b1fcc7f0bf1fee65fe759c2f63
SHA1

ab65ccb587e236a4efd13ed53da340cfc5390e5f
SHA256

bcd89261e8260d0498651bcf52a817cc6221c0c39e96c262d22c5006bff8894a
SHA512

2105b211bab0fb3778cbc8dcef757c937f65a5a1bb41233be902966ac4e093faf0b6d2f99299f669cd4c3709f9980efe60c20b19e51cddde500c4af0390a0d6d
SSDEEP

196608:XNQpKtZcrSXs7GljVyFlQlhTuoRIUckZP9aiUcm/6vjIKjLDpuxDJEvKoJIX1Udz:sOZgq5FMi5lLDK5tkrDEBA9Zj2PVi

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
1708	Sport.com
1960	Sport.com
3512	Sport.com
404	Sport.com

Enumerates processes with tasklist 1 TTPs 8 IoCs

discovery

Process Discovery

T1057

pid	Process
3044	tasklist.exe
3808	tasklist.exe
240	tasklist.exe
1824	tasklist.exe
3576	tasklist.exe
3084	tasklist.exe
4236	tasklist.exe
1032	tasklist.exe

Drops file in Windows directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\HelpsInside	griefinsight.t.me.exe
File opened for modification	C:\Windows\TelecommunicationsParagraph	griefinsight.t.me.exe
File opened for modification	C:\Windows\ConsistentlyDevelopmental	griefinsight.t.me.exe
File opened for modification	C:\Windows\HelpsInside	griefinsight.t.me.exe
File opened for modification	C:\Windows\ConsistentlyDevelopmental	griefinsight.t.me.exe
File opened for modification	C:\Windows\HelpsInside	griefinsight.t.me.exe
File opened for modification	C:\Windows\RoutesContent	griefinsight.t.me.exe
File opened for modification	C:\Windows\TelecommunicationsParagraph	griefinsight.t.me.exe
File opened for modification	C:\Windows\RoutesContent	griefinsight.t.me.exe
File opened for modification	C:\Windows\BroughtAppointed	griefinsight.t.me.exe
File opened for modification	C:\Windows\RoutesContent	griefinsight.t.me.exe
File opened for modification	C:\Windows\ConsistentlyDevelopmental	griefinsight.t.me.exe
File opened for modification	C:\Windows\ConsistentlyDevelopmental	griefinsight.t.me.exe
File opened for modification	C:\Windows\HelpsInside	griefinsight.t.me.exe
File opened for modification	C:\Windows\TelecommunicationsParagraph	griefinsight.t.me.exe
File opened for modification	C:\Windows\RoutesContent	griefinsight.t.me.exe
File opened for modification	C:\Windows\BroughtAppointed	griefinsight.t.me.exe
File opened for modification	C:\Windows\TelecommunicationsParagraph	griefinsight.t.me.exe
File opened for modification	C:\Windows\BroughtAppointed	griefinsight.t.me.exe
File opened for modification	C:\Windows\BroughtAppointed	griefinsight.t.me.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	griefinsight.t.me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sport.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	griefinsight.t.me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	griefinsight.t.me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sport.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sport.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	griefinsight.t.me.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sport.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4576	vlc.exe
4340	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1708	Sport.com
1708	Sport.com
1708	Sport.com
1708	Sport.com
1708	Sport.com
1708	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4576	vlc.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeDebugPrivilege	3576	tasklist.exe
Token: SeDebugPrivilege	3084	tasklist.exe
Token: SeDebugPrivilege	4236	tasklist.exe
Token: SeDebugPrivilege	1032	tasklist.exe
Token: SeDebugPrivilege	3044	tasklist.exe
Token: SeDebugPrivilege	3808	tasklist.exe
Token: SeDebugPrivilege	240	tasklist.exe

Suspicious use of FindShellTrayWindow 16 IoCs

pid	Process
1708	Sport.com
1708	Sport.com
1708	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com
4576	vlc.exe
4576	vlc.exe
4576	vlc.exe
4576	vlc.exe

Suspicious use of SendNotifyMessage 15 IoCs

pid	Process
1708	Sport.com
1708	Sport.com
1708	Sport.com
1960	Sport.com
1960	Sport.com
1960	Sport.com
3512	Sport.com
3512	Sport.com
3512	Sport.com
404	Sport.com
404	Sport.com
404	Sport.com
4576	vlc.exe
4576	vlc.exe
4576	vlc.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4576	vlc.exe
4340	EXCEL.EXE
4340	EXCEL.EXE
4340	EXCEL.EXE
4340	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 3588	3844	griefinsight.t.me.exe	77
PID 3844 wrote to memory of 3588	3844	griefinsight.t.me.exe	77
PID 3844 wrote to memory of 3588	3844	griefinsight.t.me.exe	77
PID 3588 wrote to memory of 1824	3588	cmd.exe	79
PID 3588 wrote to memory of 1824	3588	cmd.exe	79
PID 3588 wrote to memory of 1824	3588	cmd.exe	79
PID 3588 wrote to memory of 3728	3588	cmd.exe	80
PID 3588 wrote to memory of 3728	3588	cmd.exe	80
PID 3588 wrote to memory of 3728	3588	cmd.exe	80
PID 3588 wrote to memory of 3576	3588	cmd.exe	82
PID 3588 wrote to memory of 3576	3588	cmd.exe	82
PID 3588 wrote to memory of 3576	3588	cmd.exe	82
PID 3588 wrote to memory of 3584	3588	cmd.exe	83
PID 3588 wrote to memory of 3584	3588	cmd.exe	83
PID 3588 wrote to memory of 3584	3588	cmd.exe	83
PID 3588 wrote to memory of 2120	3588	cmd.exe	84
PID 3588 wrote to memory of 2120	3588	cmd.exe	84
PID 3588 wrote to memory of 2120	3588	cmd.exe	84
PID 3588 wrote to memory of 1760	3588	cmd.exe	85
PID 3588 wrote to memory of 1760	3588	cmd.exe	85
PID 3588 wrote to memory of 1760	3588	cmd.exe	85
PID 3588 wrote to memory of 2448	3588	cmd.exe	86
PID 3588 wrote to memory of 2448	3588	cmd.exe	86
PID 3588 wrote to memory of 2448	3588	cmd.exe	86
PID 3588 wrote to memory of 680	3588	cmd.exe	87
PID 3588 wrote to memory of 680	3588	cmd.exe	87
PID 3588 wrote to memory of 680	3588	cmd.exe	87
PID 3588 wrote to memory of 4356	3588	cmd.exe	88
PID 3588 wrote to memory of 4356	3588	cmd.exe	88
PID 3588 wrote to memory of 4356	3588	cmd.exe	88
PID 3588 wrote to memory of 1708	3588	cmd.exe	89
PID 3588 wrote to memory of 1708	3588	cmd.exe	89
PID 3588 wrote to memory of 1708	3588	cmd.exe	89
PID 3588 wrote to memory of 244	3588	cmd.exe	90
PID 3588 wrote to memory of 244	3588	cmd.exe	90
PID 3588 wrote to memory of 244	3588	cmd.exe	90
PID 1540 wrote to memory of 1016	1540	griefinsight.t.me.exe	96
PID 1540 wrote to memory of 1016	1540	griefinsight.t.me.exe	96
PID 1540 wrote to memory of 1016	1540	griefinsight.t.me.exe	96
PID 1016 wrote to memory of 3084	1016	cmd.exe	98
PID 1016 wrote to memory of 3084	1016	cmd.exe	98
PID 1016 wrote to memory of 3084	1016	cmd.exe	98
PID 1016 wrote to memory of 1740	1016	cmd.exe	99
PID 1016 wrote to memory of 1740	1016	cmd.exe	99
PID 1016 wrote to memory of 1740	1016	cmd.exe	99
PID 1016 wrote to memory of 4236	1016	cmd.exe	100
PID 1016 wrote to memory of 4236	1016	cmd.exe	100
PID 1016 wrote to memory of 4236	1016	cmd.exe	100
PID 1016 wrote to memory of 3572	1016	cmd.exe	101
PID 1016 wrote to memory of 3572	1016	cmd.exe	101
PID 1016 wrote to memory of 3572	1016	cmd.exe	101
PID 760 wrote to memory of 4568	760	griefinsight.t.me.exe	103
PID 760 wrote to memory of 4568	760	griefinsight.t.me.exe	103
PID 760 wrote to memory of 4568	760	griefinsight.t.me.exe	103
PID 1016 wrote to memory of 4616	1016	cmd.exe	105
PID 1016 wrote to memory of 4616	1016	cmd.exe	105
PID 1016 wrote to memory of 4616	1016	cmd.exe	105
PID 1016 wrote to memory of 1816	1016	cmd.exe	106
PID 1016 wrote to memory of 1816	1016	cmd.exe	106
PID 1016 wrote to memory of 1816	1016	cmd.exe	106
PID 1016 wrote to memory of 3972	1016	cmd.exe	107
PID 1016 wrote to memory of 3972	1016	cmd.exe	107
PID 1016 wrote to memory of 3972	1016	cmd.exe	107
PID 1016 wrote to memory of 2764	1016	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe
"C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Film Film.cmd & Film.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1824
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3728
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3576
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 277590
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2120
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Towns
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1760
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "secrets" Chair
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 277590\Sport.com + Hopkins + Alloy + Hiv + Execution + Quiet + Lamp + Vendors + Sublimedirectory + Enabled + Richardson 277590\Sport.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ancient + ..\Dynamic + ..\Frog + ..\Cleaners + ..\Failures + ..\Railroad W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com
    Sport.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1708
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe
"C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Film Film.cmd & Film.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3084
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1740
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4236
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 277590
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4616
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Towns
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 277590\Sport.com + Hopkins + Alloy + Hiv + Execution + Quiet + Lamp + Vendors + Sublimedirectory + Enabled + Richardson 277590\Sport.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ancient + ..\Dynamic + ..\Frog + ..\Cleaners + ..\Failures + ..\Railroad W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com
    Sport.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1960
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4912

C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe
"C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Film Film.cmd & Film.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1032
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3044
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 277590
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4524
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Towns
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 277590\Sport.com + Hopkins + Alloy + Hiv + Execution + Quiet + Lamp + Vendors + Sublimedirectory + Enabled + Richardson 277590\Sport.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ancient + ..\Dynamic + ..\Frog + ..\Cleaners + ..\Failures + ..\Railroad W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3220
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com
    Sport.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3512
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3416

C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe
"C:\Users\Admin\AppData\Local\Temp\griefinsight.t.me.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Film Film.cmd & Film.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:668
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1188
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:240
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 277590
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3496
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Towns
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 277590\Sport.com + Hopkins + Alloy + Hiv + Execution + Quiet + Lamp + Vendors + Sublimedirectory + Enabled + Richardson 277590\Sport.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2336
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Ancient + ..\Dynamic + ..\Frog + ..\Cleaners + ..\Failures + ..\Railroad W
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com
    Sport.com W
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:404
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\ProtectWait.asf"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\CopyRegister.xlsx"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com

Filesize
1KB

MD5
1d49794a9c5f375dcd996735d982e2af

SHA1
2aad1a9de32f193e3270de786b3117a73d3f59d2

SHA256
352381ef9f3fbddb8f28bd4dd334fb4f00d9f5343ef49d65dee7587c64850c98

SHA512
34f896850af6a1b1674a0037d7d4407e3aec0aab71f06939de5e86f8eceddad5f02771bfd376991ed60c79cebe7062d2bbcefb92a4b73d27fcf43b300a2ad117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\Sport.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\277590\W

Filesize
467KB

MD5
49df92c35068f3e8e14251fb2e6439cd

SHA1
cee12ce578f711ce634cfb961a5ac48c9e804212

SHA256
a82ae8f4ed0cdf3dd96f9ae9b4835bc30d1d4ac0508dbdcf156e7a4f49555ba6

SHA512
2703c6033855a8bce6b11b957c430b39ccf2b97a732169e46d06494bab891d8a6d30b859ddc27ec231421e7287920ae903dbbf4f24fb1e192c55aa1edb026828

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Alloy

Filesize
92KB

MD5
bf5ecca0fe12de322a1fb5c82de075cc

SHA1
543d6b52c62877e5a72e281b64d24bd53316e897

SHA256
ccb21fcd241c6424341ceeb1ad989807870677cc7c767eb1f3e4ac6c3a4f9ee7

SHA512
900b09ed9a1d225dc65af7bc9a976408cd5ef708f56557579414ef0b30523feb3aa4950ff44d216218f8beff7f610b5cd3d0b9941fda67a6183b68670b2255ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ancient

Filesize
55KB

MD5
63e0ed6b4b39eab7e6bf1e684c8d0ffd

SHA1
97b66e6bd90d2456151155e7784628e68d707c06

SHA256
e7c8d386ee494739a444b9989cd0de28b198a6e7627fc49a6d3c08f6bf25af6b

SHA512
6afcc9e6b35ca8d065f40efc8c8400ac7f95e6bf1b496f27943a3c5cdb566bf19565f7a4364f8d9d1d69f7991bff63a09367dab9b32b118a48431e5f5e2d64c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Chair

Filesize
1KB

MD5
762c3214a0991fa05c6d052bb2e0cae4

SHA1
677b3c7f77ce37ae82d40ca8bd0dbb2b0b0c44eb

SHA256
4b57a2a7aaa573ed35e3ae8d181cc1de61a2e7e6f712cbdf293737fffb92b53e

SHA512
842991ec464b1da72be764ac4818b0a0e04c523aab0369605d15daad77b5796edc996edae9693862df950d06f7ae94d204bab1f180301d2f681cfbf0e966ede7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cleaners

Filesize
92KB

MD5
2d7ab45dde01a497612b02b11fd7aa16

SHA1
ccbc335b3d3cea36f2586d094cfdeae3c5c6c341

SHA256
30dd87f574db66f80b72c1fa6b1014056fd6fdb0c6fc83e12a02eda92d59d00e

SHA512
33dbaf7f9dc0e80ab659fdb0b50f4346afc6964b479f5696992567b250ddc740b084cd075d8c2f593397d8d9497ab5a044b3ad2752af545aeed5fcac7544aa3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Dynamic

Filesize
89KB

MD5
a61956a86cce903dbb962485438a37d1

SHA1
b28bfc8a310ef41bddde0207a14c7942d7d2c9e2

SHA256
2dcd33c47d973fcb333d743363ad8634640deff7d27f564e31b5576b730d3f5e

SHA512
96f3a146a83315d139ec52c14c77002f1db19ed4c99df8917a1cced32b8196fd4b4e0dd4d3f3b1e998fb24ec122e8ec357686ef54993d8e44adfb2732abb3b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Enabled

Filesize
59KB

MD5
eab279765b35426d85eed591cc233ba7

SHA1
620cc65cdc026a209c62365972255f1d57c048cc

SHA256
4999aeabd9d1405c3efc1d48c411534bae11ffd211f11c4299bbd4518bbba733

SHA512
86182659023841e731ef17373705b3882a9331e6a6dd3a6dd988a4010f61152c1ffbb5f6bb5de38796b87d281e91793b98d182c20a292d822742882242ea0794

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Execution

Filesize
107KB

MD5
2dbc18176e0e4a9eff23858b9e6b667f

SHA1
e2f8f92ca92e552fd85ca0f4fd9f03ea6192f4e3

SHA256
4b42caaa64de4b126c21410764ac933df638d9f6f8ecb26c9e4878a4d772e84f

SHA512
a92b7eda2edd07f80a685a7bcbb259d2743796c3aef8d04c50d6e5f123d709bec082203e9cc5ebae3bd6e67646aca5aceccf9787b771a363845f2b216a0e3e3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Failures

Filesize
92KB

MD5
5165cd78ec72e2b49692460743dafb29

SHA1
c769a071dba21372b9c2e8b76704cd674407ba55

SHA256
ececc4c0d950519e3d25c7e839d538ba63c5082660473752b47f6ff526d2fa8e

SHA512
7e92e1ff427e2cbeb0d01c3dfe141a0250e264c74c7bd6adaa6a406ede4e2974e23317b242980c261bdde6cf9455307e93fdcf77b41353089213249cda4fd442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Film

Filesize
10KB

MD5
509636be99d8b1a1b5368da36da538e2

SHA1
740bd2711d42f17109ba98b5ad14e2e5b082e468

SHA256
5d7be8469296eee85de14cea66d02cf2ac4ef2740af91cbe255b9b926198fc68

SHA512
e622001f40be19a28fae3689ba4cb5103ab28328b020e90dbd9ba67f488c76637ca0d946d44d75693e9865d08995cdff1656acd9e6014637bedac134bda80acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Frog

Filesize
50KB

MD5
e049624b6ebd9642580089323a8ae26d

SHA1
7fc84539fd1cb1df237f1f196a0065bab8c112bd

SHA256
0e249ea89d6857f782ae5c4ebfb16a302b70aeba6564a50e993fb02215070f75

SHA512
d54e2f034de3d3c863ed5345fdc00f25119f7279a7209cca4a0f7f2008cc8acde63eeed8dc794e36fa5b59e630868c94f77eda4a71df26f17c87f9107121f222

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hiv

Filesize
117KB

MD5
e4f8982c78312a62f88fc6262e48ca71

SHA1
bdd012a3a73cecc0cf50317f60646363c3fe03b4

SHA256
c57f28dd6d9205aedbb7665a8996a8bbe33e98555a75a32c5909b8b7b9e5bf32

SHA512
bf4de12ea5692023c5673c85473fe7d2fb479a9359a80b4b163cbb7185a111ecf7603ff37bde4ad47862cc8705d4f5ec1d3b897ecac87f4ecd2bad23c50c58da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Hopkins

Filesize
121KB

MD5
ad26468cc1a53e24ac9980bba847956d

SHA1
c14bf5ac0805c0626442f1b06683dd93cfacf7e5

SHA256
aa4c4022f8b911900ce6d2f94a80f8ecf3baafdbba94a5092dafb7692eeee95b

SHA512
95630463a3a728bdb67e0319acf942f05cac1317449d3bb9bb58163e6dfbc45f7499ef173ac1b816be59b6bc06503fbd9e4a01f63ef541040df283cbcdc2138a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Lamp

Filesize
50KB

MD5
14840e265aaa8d654822b59527ab95ad

SHA1
1385d5ae8b23a93bb76dce5051f4f227d1224846

SHA256
3aa11a85cb727c41d2ba8fb0b30d8006a51dd7e2c3ff4e04f2c7d6cdcdacc790

SHA512
0cfa21bd49d9b866b5f7a53fad6165582dc14134d4601919e44948dbede076fec4b438eef1d2b340910ecfefd1d5278586628c3beebf69d2c78309de24283660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Quiet

Filesize
52KB

MD5
178e6bed948a87b10369feeadd9ef006

SHA1
d5221a1b6b27b890a984cb4cc6228cea3443e010

SHA256
9c949bf0bae8084abf6c7a468ea5e2e8d3ff205aef873f682acf43c2a5e584e3

SHA512
27beab81ea020ac7625a69784bdbffb4bb0c95c1533a48c5924bcecc94192cca99537687cd6e33de6fab457898bda8065d63df7a455b4983d57ac9b7aad3e2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Railroad

Filesize
89KB

MD5
cbffec94136278012b024ee188ba1f0a

SHA1
f9a39df9b4cd25c2247e6c241e8e0e5379559b3c

SHA256
5d42ace838cf5a4427bea5167314a0c7c60075f2628f3e2cd8a95073678cd15d

SHA512
bdd2dd2916a4b9b6a54eb89bfe951a6e79417c0c9880c775027a2b36e4b87966a8cf7bbe30d79c4a1720d0a766e34caf9077d4f0f5ddaaff84d6209fdeeb302d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Richardson

Filesize
114KB

MD5
38aa875fa99c1569a903be50f78dd72d

SHA1
2bb96021189f4610721f09adb9d9175282ac1c05

SHA256
04fd355004cf7f974496c7dc1b717cfa50a94607cbcb2d77a8c9f0369e370b8f

SHA512
3b1d48c081e8b4377b8cafa4c244fdaf1af1cb7f694245ea249f2fdc10ea04685c3abc7e886edda37c28eabb1e9495d91fdb0156f308e5ca8cd4858372f62d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Sublimedirectory

Filesize
102KB

MD5
9f148cb01562931e370295278bd2519a

SHA1
e701d89837700d6088ac356f043a515aa049f812

SHA256
88e568009ea3fba98e0bbd208fbab6c669b88a3f3c05c235fecbe2b74264ad02

SHA512
d1cd6e027219262ada22e27b557621f3169441d31afa160c5d45d35e9e497fa885c380038cd06af61e8576a6491c83176e966e9032c413524d4b62c981657f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Towns

Filesize
477KB

MD5
9eee5692db0f0abe439c8334d058b3e1

SHA1
16617a78a1db582cf4a0e559027c10b654832785

SHA256
d4cf09479c550c057e8e992bb6ec21df20809e3876d03f7ee0639ff37f8fee62

SHA512
c6254bedfcece029b620fdda11a0890c53e13014cff34f176bfced416aa17c3ac01648f6a8391a6a446093189772266e1df3bc27abb296c29d8978ed62c29b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Vendors

Filesize
109KB

MD5
f487f7bb6b87c2c4d8d4b4cee2fab343

SHA1
f02b4bb2f5152e3e9e3be708c3800b184b053736

SHA256
de24e746c6384e4ea319b517d01cbd4b74d369f5ea2d2d9784b138f1623b28c7

SHA512
957017b50c4718fabc93617b5c15a763e81201f50f2bed653f20c4a08696c98a4dc9cf0c99f471469193ded942d717f94610206b59c03e4af90041d693bbec28

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
317B

MD5
28c38c8afb36c9798410f38690667761

SHA1
70173763ec40381122635820e56d80e77e6e1e11

SHA256
3a57098f469b28af95502602a2b6e4f430cf1321f13935056c1561f1f1335e8c

SHA512
2960a3ca43bc0959c82b51858b6f9858627be44d475002e96ae9568d44a46507a5e4de1ec3954f2ad9c350f04ca2aa75468f6f756b23778edf33b7316baa77f0

Download Submit
memory/1708-194-0x00000000040B0000-0x0000000004106000-memory.dmp

Filesize
344KB

Download
memory/1708-195-0x00000000040B0000-0x0000000004106000-memory.dmp

Filesize
344KB

Download
memory/1708-197-0x00000000040B0000-0x0000000004106000-memory.dmp

Filesize
344KB

Download
memory/1708-196-0x00000000040B0000-0x0000000004106000-memory.dmp

Filesize
344KB

Download
memory/1708-193-0x00000000040B0000-0x0000000004106000-memory.dmp

Filesize
344KB

Download
memory/4340-260-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-309-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-306-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-257-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-259-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-258-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-261-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-307-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4340-267-0x00007FF975300000-0x00007FF975310000-memory.dmp

Filesize
64KB

Download
memory/4340-268-0x00007FF975300000-0x00007FF975310000-memory.dmp

Filesize
64KB

Download
memory/4340-308-0x00007FF977A30000-0x00007FF977A40000-memory.dmp

Filesize
64KB

Download
memory/4576-253-0x00007FF7C85F0000-0x00007FF7C86E8000-memory.dmp

Filesize
992KB

Download
memory/4576-254-0x00007FF9A7FB0000-0x00007FF9A7FE4000-memory.dmp

Filesize
208KB

Download
memory/4576-255-0x00007FF9970B0000-0x00007FF997366000-memory.dmp

Filesize
2.7MB

Download
memory/4576-256-0x00007FF995400000-0x00007FF9964B0000-memory.dmp

Filesize
16.7MB

Download