Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09-01-2025 12:38
General
-
Target
https://www.mediafire.com/file/0bcql8b96hshee3/Setup.rar/file
Malware Config
Extracted
lumma
https://cloudewahsj.shop/api
https://rabidcowse.shop/api
https://noisycuttej.shop/api
https://tirepublicerj.shop/api
https://framekgirus.shop/api
https://wholersorie.shop/api
https://abruptyopsn.shop/api
https://nearycrepso.shop/api
https://fastysticke.sbs/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 8 IoCs
-
Drops file in System32 directory 11 IoCs
-
Enumerates processes with tasklist 1 TTPs 8 IoCs
-
Drops file in Windows directory 16 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 36 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/0bcql8b96hshee3/Setup.rar/file1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd0c6c46f8,0x7ffd0c6c4708,0x7ffd0c6c47182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5576 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6932 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,122661328153356209,1801754168313092453,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4936 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zG.exe"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Setup\" -spe -an -ai#7zMap3775:72:7zEvent185161⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Setup\TravellerHl.exe"C:\Users\Admin\Downloads\Setup\TravellerHl.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Laptop Laptop.cmd & Laptop.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2114983⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Basket3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "FTP" Engine3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 211498\Citysearch.com + Split + Laws + Humor + Forces + Jenny + Long + Df + Federation + Sexual 211498\Citysearch.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ensemble + ..\Southeast + ..\Inch + ..\Congress + ..\Celebrity + ..\Smaller + ..\Blind o3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\211498\Citysearch.comCitysearch.com o3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\Setup\Version3.1.1\content\images\appIcon.png" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Setup\TravellerHl.exe"C:\Users\Admin\Downloads\Setup\TravellerHl.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Laptop Laptop.cmd & Laptop.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2114983⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Basket3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "FTP" Engine3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 211498\Citysearch.com + Split + Laws + Humor + Forces + Jenny + Long + Df + Federation + Sexual 211498\Citysearch.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ensemble + ..\Southeast + ..\Inch + ..\Congress + ..\Celebrity + ..\Smaller + ..\Blind o3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\211498\Citysearch.comCitysearch.com o3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\Setup\TravellerHl.exe"C:\Users\Admin\Downloads\Setup\TravellerHl.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Laptop Laptop.cmd & Laptop.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2114983⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Basket3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 211498\Citysearch.com + Split + Laws + Humor + Forces + Jenny + Long + Df + Federation + Sexual 211498\Citysearch.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ensemble + ..\Southeast + ..\Inch + ..\Congress + ..\Celebrity + ..\Smaller + ..\Blind o3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\211498\Citysearch.comCitysearch.com o3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\Setup\TravellerHl.exe"C:\Users\Admin\Downloads\Setup\TravellerHl.exe"1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c move Laptop Laptop.cmd & Laptop.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 2114983⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E Basket3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 211498\Citysearch.com + Split + Laws + Humor + Forces + Jenny + Long + Df + Federation + Sexual 211498\Citysearch.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Ensemble + ..\Southeast + ..\Inch + ..\Congress + ..\Celebrity + ..\Smaller + ..\Blind o3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\211498\Citysearch.comCitysearch.com o3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5dc058ebc0f8181946a312f0be99ed79c
SHA10c6f376ed8f2d4c275336048c7c9ef9edf18bff0
SHA256378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a
SHA51236e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa
-
Filesize
152B
MD5a0486d6f8406d852dd805b66ff467692
SHA177ba1f63142e86b21c951b808f4bc5d8ed89b571
SHA256c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be
SHA512065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a
-
Filesize
816B
MD562f27e9f47494ffec6a8ea389faab31a
SHA1fb615dcc2319019ab960ae84d61896ff9504c35e
SHA256b0be115f9751f84bc2e52f465f697f5b0ed7a59b4e90650e1d74d966081cdf6b
SHA5122a06fd3bc0c2404b8e4585d40b9319dfe81ebd4252f4cb3821bc84ace0d416b92315052b408b377741f715f49bcf4407048d9f30077ecb3d638f8e41bc3e642d
-
Filesize
744B
MD5b94b8f5c636da34f6faffd36ba11d0a7
SHA1f897b94809305001064b7fc81ba30692a4245de6
SHA256f6b825bca32c9ac160c5c6aa5109f9f5853c7a469db795d22ed767dc93e5223f
SHA512472e772717fec870cf4525397c7afe457802a7c8e0f0622f004b50249ab272b79f2d0eedc3630b2c692f2d0c0322a52448601440003d85178a3a2db29cafebbe
-
Filesize
768B
MD5d41b88c90b711b3112760d8af4e89907
SHA1c8db672fda0c11cb5d9eb22033a4ef258f524df3
SHA25687e004dead0984870bf046649d000d602368b5630b13c309438f1dbc34e28f69
SHA5129fb89c38de3edb0398005353ce2b40664026f31de6a5625c4e3c4e7d78c64df00d306c90c2c7f5afd14c3687b6327d974441462641f9dcfcfb45f19faff33e44
-
Filesize
792B
MD5b939ca47dd0d004f95b28a2aef7385e1
SHA15b977fbf68479beb5a9ad938270ca4915bdce879
SHA2563c3410ddbd5aa0ddd9bebb07f2246908096a4f679924d14d26a01073d8acef96
SHA5120e7de29fb1efe7e0436a1ef5148a24d4f48862ed7a0c6d9f6e47cb1ca9900079cd2369ded61543a5cf6b257ffdf3bf476194756e22bf8c9f6514e4d12ff4f59c
-
Filesize
720B
MD5d8bbb67bf30598c89b78f1c28738bb7e
SHA19bcf52ef67848bc852553c27b3bbd425e25e7136
SHA256a822c6a1e3eba02c457ffb869d70016b29245c1e374f31eaf5583edbb38fe99f
SHA512d02e7328ff31a8f4c13c76b86fc81e63e00c0981016edefaefaa19d75dcda5d6a6afb8c9ea551fe8112d5388cf9740daa64e7ecbfeb8749ac74c3e9c5abf0f86
-
Filesize
4KB
MD59e564f2c68d255e4f8ade81a0992cfaa
SHA1d05d77e062c40eec0e7e86e4977b0ed2b9fd3735
SHA256df4fd65cd511eef89c356d1cc13491f374fad24993b8f484144edac2b702c955
SHA512189d54e7c5fe6866ccdfea4b885cceb0466b9763a5cff9a693628bd5c327055e9917224e22f21ac739a67cfd100043b391cf6141071e900800dcc0943b19d0a9
-
Filesize
8KB
MD5788d2dfaf3647a2c33058e6405c307ee
SHA12cc8f74dd07bd582c61eb3e755397179661cc5a6
SHA2567e1dcf6e1f4b5da976f47c37c821b3177e488322c65be267a17ee66c2256117b
SHA512b7034a46e680f821c7f0b522c8e026e992308d62a94b2996e73504ff74d911e74d28478716169ea541cf4a963ee44796db062c1ab8554a1bf332317be03f480a
-
Filesize
8KB
MD5574d415d68ac8939c0ca7c286f1b536c
SHA168bc6feeb8d991a30cff261d90d2a4b79811421d
SHA256b40324858af25a18d3743d06e67a5c9be97e96a3f92dee264ca6e37c5eba861d
SHA5121137e7101a130bab31d3c71ba8206b3ba40203eb2f4c662f10caa88c5018f79dad0653bcade69b6583292c6754fc1d28d6686b61958c6795e09cf8f9515a80f2
-
Filesize
5KB
MD51e35ab78ffa045df2e05d5536e635b32
SHA1048a8c7200ac4d9cd126372c66548cc3ab297425
SHA25619ef2055b3029df59d6d5dc5e62a6ea4397b01ea34415b837eb5262b20eee094
SHA512d032ea50dcd48c06c6ccd125176a089e57f54de924935468e631797469e263f2171bd1b044d4e9414977785ef817fc47580c398927ff925517c320ac6317c912
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD503f7538d284b948c10ac9905c14b42bd
SHA1a775e028408d89b577cda805947b4df3d782c3e0
SHA2568f814fc47b46adbb37d2e0144e835eca2c581627fbcd5e231c973c3d99c70e3c
SHA512b9e24b7d6c379301936b1984cffaf3cea52544112986617b85936b466382bdd8dd9879a9462be2c7f8e709dcfe7942e7794648e273c2e60cc9b57e7bd6b2ade7
-
Filesize
11KB
MD52c6452a897169b269fe82d762b80b745
SHA18dde39a5c0d2f3c6637f4cca3f7d884a527d1f45
SHA256cd4ffbceb041f814404a8e9ae74954ec579c001a07940fd5c7cd8883f41a2340
SHA512705a3bcf0e7755c61e7d1cfad395acf6b216399379da7b96727db1ddaf9e3b8e212829d5f7fd479137b7baebcf94ab607a1b54f3107d7c0a913ac00d6cacf435
-
Filesize
159KB
MD560f7d67879a170cfff5220479bc5ad4a
SHA1c1aad7c7634d3f42ce02fe080ee93baf8146bc77
SHA2569fec3ca578c3fa4bc9c5083e2e97ae116f6bd015c8aa70585af965b247d75cc4
SHA512fdb0ee628b9f6d9a81a338ee8c45557f4d7898f7928a11f1d403c17beee64c048dd2c5073943a8e0dcc512f7b5f216e1094af0ba994ef20950013afb61930c9e
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
465KB
MD518331c2f9a0cf33a49fb666159dd37c7
SHA12fef0413182e5364447e00fde3334f5c9944bac6
SHA256373383e6208502fba5dd12f8370b1621d39c3147e94e75bd8746b9923fae4537
SHA5122f00efc9f8460d40e81856ced0b43c2ec493fc80de9ed489b7aa23a6c47d0bee547c81bfb4d5d5fd3404f8b1110bbb241a6344be805895a3d7d9cd97c46abd93
-
Filesize
476KB
MD58b45af5e6f8ef7e03be8e9146e947fd8
SHA1a8484aecfca5b7b638ea105202b38196fcf99053
SHA256f16635c56c519437dc1fceb0cb94f471beec616f9e80221953c72acc51dda8c7
SHA51285ba9761094d91abaeb691eb477c8c615642d0637dc103228ea74765fd023b26ed90bd0365492cc85f71e815236e2c1e00e1b3914d59760f86a39863503407ce
-
Filesize
41KB
MD5af171adaad573c9e04e90db400b92355
SHA10467356000a20539a751061bd2fcd39d3191275d
SHA2567fa27d40c7e765e7d6f60723e83c3aaa0efc91084b25e1d3e3b6a49cb05e985d
SHA5126507cf42f2e83267dce9f6b546af17f3fdcfd31b1bc67342689937d4ae77b7d4bb3e8c5d143760ed48c961b69eba56f408af92c677b9feb3d9e406e09118075f
-
Filesize
94KB
MD5dcb6618c96c4a650139a302f9256cb17
SHA11beb379f32dd12cf846119a2d5c3a72a2868cc36
SHA25694e89084817cddaaf910f75cd65767d23c79b128a790f4fc48063a395f3e061a
SHA512d821d1d83b76a91c05f75555eb496af2ac72426b6c57342b60dbf6fdb7890bcf33b58d1d661c78478ee6f35ea18745c79126f8cc976442d95fb7ec0591cb920e
-
Filesize
68KB
MD5b432ec359833da2ad20be7c71f87b61b
SHA1cf08d4be1a296b438dca8efffb73eea9a76088b7
SHA25699b804dd70c6e4708f326f7efff472cac1605a1b4c2f396daf73fb21fd4a4f1d
SHA5128a2af7130d33e7600b2bf14275540b26dd857de24a6df9debb4f9e212c8344216a4a02f514a2a0d613171750cc9c7c9c9b5aec5210bc5f926194dbb4c79a8dce
-
Filesize
63KB
MD543cead6a18639788f738d28c8eb1b033
SHA1c667a7bc3a2432fce9c2f0cd7a3b2ee1d6831b24
SHA25695ed55f1c2af1d79b060526334ffe80fd9beed6e9183caaf6fc39b9c483f0e37
SHA5127bfbf96dda654e08e1d04c6ec2487715befe9934d5c2750fb35fbf5c6b473b02e7b96c2c950da637853c73096466abd05b2356e0e4174714d68e529df3d89ed1
-
Filesize
98KB
MD51083a291861cff658c42324c9d26159d
SHA18418efc64d53fd4133031754efe02ca4ff0ab198
SHA2563cc8ca1b5c5b841761bbc1c853caf59238b704be69d29fda93e9e65328378cde
SHA512c16ea458cc40e65e45fd60cf252c47d5df98afda9873587f325153d20aafea565a1dcddcc19ffb8ce1191c7ab9d6a1e279d3fc4c27897797b811aafb47ce9df0
-
Filesize
1KB
MD5e3c3b224fc170f4fe103b1d4c9b40881
SHA1d90c9d54b661f8367ea4078751be75293ae93c91
SHA256a5f63f6206af643e1e5fb609a0f568f100cece0aafbf1f4e518ca427aadf5318
SHA5126e1ef7638d25b9180f195988484a0ff442eb6d3e3613aa6914bfb72e52342d19a28aeb85489e0578a2e26c39b85b1e5850529105041bcb3f668e19b7b153dd2a
-
Filesize
80KB
MD59b875ebe5bb1856601d65e6082ddc426
SHA1fb66d804059d3d7ad9881c193bb79f9bc20e26e4
SHA256ae7e6e00c3da9eaaf78d210769bd95676472b90f5cb0d81059444d7f565dd446
SHA5122f2ccc85d78b87da9a4ea59db20147207eebe710a3f15f1463d0da82de06db72d30996fe2df6debb9d7ecffa121ce58e9b1811d5ab568e4e14d08b1afddc14f0
-
Filesize
78KB
MD56bd28391f63cae1485fef4edb7881f80
SHA12d06af8c4d117efae01d8cffaada2e4362e3c639
SHA25676ffe87187e77e6c5ce666f9db23e39cae1ae45e47a2649ea5a033c838212e0a
SHA512877b322b7e24dbd7d96ced9b108d07b441ccef8f663a638fca630f254712140c318d63faffb52463dfea51eacdbfb48eea68860eb3099cae143acb699ac8b73a
-
Filesize
81KB
MD524e527160a05fb76aed85dd191325a08
SHA1bdcbbcd09b4ab9704e762abc3e47e38a4df73ce1
SHA2562fe8dad29adf3370f5679c7a48d0ad1d20d6006ede6a251a40f0e2bd34f8e00e
SHA5124fe745c443968f1f5415ad37d72c74543a16108a454f74907aa7adc88b4c5e885e5d41646799f033d0c2b746e912003432ffd4a8260ba5c4118c53cf5b8c2479
-
Filesize
96KB
MD5df1d93ff9c8a1dd12a2bab89a892c6ed
SHA18fca8c3e3a2dabbbdfe70bad96f886144cc895d4
SHA256feab8dde9678e43776080be17377b995ad513f56d34d809a02df3f4f9710db75
SHA512a075bb46738a2627e71e0af403c14bec758e1f73ddb508a9f67f856c7cb27a7ba731c0ac9874c4a4682880947217d225cf107eb1ffd174372037e36cbbbe85a2
-
Filesize
117KB
MD5bcc3f9fdb2a03d04c767eabaed712af9
SHA13685b4963514786315d0879624fbd2ea04657885
SHA256c744564a8d47139a33729af50aae22f5d51211e407c4ff73ca43ac1d17d5c1fd
SHA51244fa8e24c33679cf4bbae88a963e6a9fad6ad032b7a2ef6695f161ef9fbf98c9f39ed6d7aa85029e37d1b525cebfd99e9cf46a57a3a3cf98b45ea9793885fee4
-
Filesize
65KB
MD5e1b4676755aa8f3ce05946f98b10c35c
SHA1831452d93120a319df38e96c99afa7cf2f9e1868
SHA25619169e9ef3d2dad968952ecb92c07136daa4c6da1013b3c9ae9412e67693d299
SHA51289c6eca351db3c76a75b7ea5180bf369cafb32e2e95642eaf2573ee5a66ba3bf1ce6061b0141d4b58e0b189aa54a8985ba49773a477015b80f4303c9ee63b290
-
Filesize
148KB
MD519e2f00cdc1e151d69192aea90aa4273
SHA1d6635c1df04b9fa481483d8e4f176c10285b5612
SHA256a74872593e6bcf01ff228a8e37b7b5661336328a4ac2c674dba3cad767252471
SHA5128955d339dccc651a12c992e62faedca4cd6685aa989b7746a3bfdd4b452c9e011429ac138d0f5f3216427c2a656649334a29b3f42b579eb695f73595265e0a1a
-
Filesize
17KB
MD58a939585396475c5eae7c6388030eb77
SHA17bae26ed990cd9e5e72403de0094529222f44cea
SHA256f635dd0a17e12f5045147a7781d0b6290f41846cd39642155958117df14b92d2
SHA512ea09ce100953913ecbfe5a96f884cfe71ac204f6a88e9a41732fd607fb5afcf1ae12b69aae6fa8fffaa871c5f17b803f751cf8deddf77328d5779a0d5d91b1f3
-
Filesize
75KB
MD59fe388b181e1a60593b814b0b67d15ad
SHA1aadc8c0432a7e6843a85d6384d31c9c05216c91d
SHA2566c01d8611730b932dc04bf4d067a5d79d6e022167e23abdc55b942fdd2323040
SHA5124ec9a6a506d0a88428004203f18ea2cefba4a027463da4b5749742e67d6e6b17272aad682a84a629f271626a3cdff14e15bf003a69ead0e000272f25313e932d
-
Filesize
100KB
MD5a0de463ec0066becef6c5f9a80b3d11d
SHA1847481cabce760881c3cfe61257be881e89cb304
SHA2563f94e686854ec6e8b19c899e1ae1d02db7918a7afc1700bb3439ab56e98d965a
SHA512615b1ffda53949f0d694993f3f08065bd51a6136592e04ad381c0f8705621f56ccfc0bcbf3d713159e3714e3e21035308e08374d002bf0f8c0b19824e69ef4c6
-
Filesize
125KB
MD5913c36a33b3117b83eb967a004e7665b
SHA1e89e8a8ad010d743338dba99eced7da27d55ccf6
SHA2565012ab358bd66e3c8980b38a06b60c87deabe4ef26ca924ee8648e63168b385e
SHA5124c0f267377ab6096d8ae0354a685fcc8948957a3061915889e838e775f8e37165763745c85febaa4ef1f81710e2468aca98ffac1493d4e9b65503777b87d2068
-
Filesize
51KB
MD5ec4143f68bd78d13ad4938c371c803e9
SHA1ae1c3bc9b49aab701080f3338f9f46759dcf984d
SHA256ddfacc5a2028cb0e186b502ef2fdbdc0c9b6a315236f4b2a705244cfd6366c8a
SHA512d95d20574c7d14cdc381da7497d25603bfc2bdd73a3c097b4156f8916d9fd809927006453c081d93a5ee32d2770170f2fb5f16ea8900e76a9a25b93b1f0e4790
-
Filesize
66KB
MD576ec3273a98f4c3721acd0d41b7fd1b7
SHA160f3f5931a30f9d230aec42d67fd7ddb34e63efe
SHA256ed968083b882a9a82baa5b1bbbe23372fa2e4c670a65b43a30f374d350d6cb64
SHA5123478940609c4fec41674cab9f55ec135f64ecd0c4d568d0e43a6ca83d888bf948b118c3528f250e98bdfd871360630a378f88da0c813aa47237917ec2b8ab417
-
Filesize
83KB
MD507dde86ef03ee736e3b55ec084fa9e96
SHA1e6155f70eb5929c4bd8f02c84851d286774c0659
SHA256a370342686d1d929119080f9bd1f5262ae8e09d85cd1e56caf5d863451bce6d5
SHA512dcad81892a9c7073e188cd480c9671ed56514c6daa7f11a23f42ba60688a3ddc67faaa06d6762f55b8afd288e9f9f0226ddd6eaba57950df80280d920989848d
-
Filesize
1KB
MD5930eb6f1ca2dd339b2cfaa23f3e7c4cd
SHA116f569b9785919d0b6a939aa4f2b3e64b0966a85
SHA256ac5b06748aacc67f7aa9257c2f5ab1d3a81077271b4ea69d24daa3be616679b8
SHA5127e025d0895cea47ad93dd527d7b4a6777a00879351adf176f08bb408ca5f43db348fb9217d45c44d86bb7f2e6ca4ae4fb57fe093a616c9db9f28765fb1771532
-
Filesize
3.9MB
MD54290bf19c70db819b4ca7a80ebabca3c
SHA12aaefa1183234d661f9e82ba40bd3c58e106d42b
SHA256fb346203c063d5e48ea230b2c4947e5b9e8e600a0b5940e42b325426637c441a
SHA512c2a9afce86f768e4406c4d51dd659bcd0428ddffea5b3032ca2783dae646f7274480cc74ca5dc0151c69d734ffb6c1e9188e41c62cf8bd2ea46fe890fec09944
-
Filesize
637KB
MD520c53b63527023e3bc2300fe83e62941
SHA10dccc5c4fa3e79cb258406050eeda2c224b6ce31
SHA25665eb3dcbadc41708c3b6347f13ef1d6b0fdc48fe72dac91c41ff38d390231af7
SHA512ef54e4a0c47b0621845b1f677b0136933a571c857f46ef7b556f509a5d36c771708505e3216248b540ffbcada08dc289167d91c4ceba7d678de70f499900cd22
-
Filesize
44KB
MD5ccdad492bf2837b5c39af24e1edeba19
SHA1559849e557ea273c8b093520f25f71999bb842dd
SHA25648b6feeab56e590821508aca66a4d4347276719248a39caf4019c41884b51c65
SHA512638b4a53e3c8210cd60b16b69b8ac96745451f9b28abca9106e56bc740f98461cf06d8be0b355f429db358bcdcdc232c6d6e10eb51948d5f43783901658807a6
-
Filesize
264KB
MD5abac4265c823916c5e7eff156e9efa0c
SHA1afe2336ff1030e766bdc0f23bb489518fecf9245
SHA256c1fee2558ca5efb77691635b1ff92ba3661b8217653f2ffe6150699d44137e6b
SHA512ee27854a771076d397b0135e7c4cf415d59031479be5739b99b51ec54ca1bee6d0f411ffe7ffee1f2df2a5aa88360ddb94621f6c5ac8ec30c120d7b86c9ef95b
-
Filesize
8KB
MD50962291d6d367570bee5454721c17e11
SHA159d10a893ef321a706a9255176761366115bedcb
SHA256ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed
-
Filesize
4.0MB
MD59cee917599959084a52bab23760d377a
SHA1f656fd8a9ba69ab6ab6b4197a5ea315391c987e4
SHA25611b5e06939869ecee30f05494b91b4707ac8ecd0cdd376e88e0fb0d4ac925900
SHA51254576a2d1f9062cf58022b1e3c84129ad427f5e47e301cc4819d34aa168a958600d47827f16ee44f350b39ae703dd6106352470adb75068fbf6d5b8ad319bea2
-
Filesize
256KB
MD52b19239fdfc1ce97f23509562dae213c
SHA189874206b901d33a4033cde558f515000d436183
SHA2562947e7b436276b77907ca9cc9a6a9a0521701086f3bc373e285ddd7bd9551b6c
SHA5128c92dc7046b25a4537ef88cbc83016894f2b41e04b14bcbae2e947342c15d563998868b27fd119d8b067e9c12914d3e1a37e3be019333f407e3d4551ce511dd4
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
348KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
