lumma | 61c2f08d40d9d6d4a8bb4cc109ae7489c0dd263739898f90f67df75c414bea15

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 21:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

70.0MB
MD5

6d9439c5afd2cb8deeb2bd71a93e7828
SHA1

392ffe0569edd73a17f33a95b1aa780aa03903c6
SHA256

61c2f08d40d9d6d4a8bb4cc109ae7489c0dd263739898f90f67df75c414bea15
SHA512

dde7c930427a85c18c21fcfb5d53c800b6bba2b79bf5058afd75b7119d419953194a0e32383ab3267b24823fcdd9129003f37058cad90518cee256460ba3f428
SSDEEP

24576:Ytduzei3c4w+MTFpkqcsv2qBa7tsp0Lclw4BrlRHu:Sni3c4kHkNsv2H7SpOIrBrlRHu

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://rhetoricakue.cyou/api

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
1056	Creates.com

Loads dropped DLL 1 IoCs

pid	Process
2704	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2784	tasklist.exe
2688	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ImposedEstates	Setup.exe
File opened for modification	C:\Windows\SeeingCast	Setup.exe
File opened for modification	C:\Windows\OftenProduced	Setup.exe
File opened for modification	C:\Windows\GuysPersonalized	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Creates.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Creates.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Creates.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Creates.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Creates.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Creates.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Creates.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1056	Creates.com
1056	Creates.com
1056	Creates.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	tasklist.exe
Token: SeDebugPrivilege	2688	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1056	Creates.com
1056	Creates.com
1056	Creates.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1056	Creates.com
1056	Creates.com
1056	Creates.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2704	2660	Setup.exe	30
PID 2660 wrote to memory of 2704	2660	Setup.exe	30
PID 2660 wrote to memory of 2704	2660	Setup.exe	30
PID 2660 wrote to memory of 2704	2660	Setup.exe	30
PID 2704 wrote to memory of 2784	2704	cmd.exe	32
PID 2704 wrote to memory of 2784	2704	cmd.exe	32
PID 2704 wrote to memory of 2784	2704	cmd.exe	32
PID 2704 wrote to memory of 2784	2704	cmd.exe	32
PID 2704 wrote to memory of 2684	2704	cmd.exe	33
PID 2704 wrote to memory of 2684	2704	cmd.exe	33
PID 2704 wrote to memory of 2684	2704	cmd.exe	33
PID 2704 wrote to memory of 2684	2704	cmd.exe	33
PID 2704 wrote to memory of 2688	2704	cmd.exe	35
PID 2704 wrote to memory of 2688	2704	cmd.exe	35
PID 2704 wrote to memory of 2688	2704	cmd.exe	35
PID 2704 wrote to memory of 2688	2704	cmd.exe	35
PID 2704 wrote to memory of 2768	2704	cmd.exe	36
PID 2704 wrote to memory of 2768	2704	cmd.exe	36
PID 2704 wrote to memory of 2768	2704	cmd.exe	36
PID 2704 wrote to memory of 2768	2704	cmd.exe	36
PID 2704 wrote to memory of 1328	2704	cmd.exe	37
PID 2704 wrote to memory of 1328	2704	cmd.exe	37
PID 2704 wrote to memory of 1328	2704	cmd.exe	37
PID 2704 wrote to memory of 1328	2704	cmd.exe	37
PID 2704 wrote to memory of 2556	2704	cmd.exe	38
PID 2704 wrote to memory of 2556	2704	cmd.exe	38
PID 2704 wrote to memory of 2556	2704	cmd.exe	38
PID 2704 wrote to memory of 2556	2704	cmd.exe	38
PID 2704 wrote to memory of 2908	2704	cmd.exe	39
PID 2704 wrote to memory of 2908	2704	cmd.exe	39
PID 2704 wrote to memory of 2908	2704	cmd.exe	39
PID 2704 wrote to memory of 2908	2704	cmd.exe	39
PID 2704 wrote to memory of 2652	2704	cmd.exe	40
PID 2704 wrote to memory of 2652	2704	cmd.exe	40
PID 2704 wrote to memory of 2652	2704	cmd.exe	40
PID 2704 wrote to memory of 2652	2704	cmd.exe	40
PID 2704 wrote to memory of 3048	2704	cmd.exe	41
PID 2704 wrote to memory of 3048	2704	cmd.exe	41
PID 2704 wrote to memory of 3048	2704	cmd.exe	41
PID 2704 wrote to memory of 3048	2704	cmd.exe	41
PID 2704 wrote to memory of 1056	2704	cmd.exe	42
PID 2704 wrote to memory of 1056	2704	cmd.exe	42
PID 2704 wrote to memory of 1056	2704	cmd.exe	42
PID 2704 wrote to memory of 1056	2704	cmd.exe	42
PID 2704 wrote to memory of 1680	2704	cmd.exe	43
PID 2704 wrote to memory of 1680	2704	cmd.exe	43
PID 2704 wrote to memory of 1680	2704	cmd.exe	43
PID 2704 wrote to memory of 1680	2704	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Combinations Combinations.cmd & Combinations.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2688
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 250661
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1328
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Keywords
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Ml" Empirical
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2908
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 250661\Creates.com + Officer + Randy + Task + Acm + Hdtv + Buying + Carried + Horn + Powered 250661\Creates.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Standings + ..\Extremely + ..\Insert + ..\Kevin + ..\Animated + ..\Collectibles U
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3048
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\250661\Creates.com
    Creates.com U
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:1056
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\250661\Creates.com

Filesize
2KB

MD5
4158264f53a3c139503f81076050d1dc

SHA1
fbd8a18f3cdb83810941bd10a32ddc42e446bf44

SHA256
0eb2b5abf8b0c455e796b73bcc05763c89f84effe5887e1362d2e936def3364e

SHA512
0018fa4598d0b798c3102fc0afc8002b409f7b0c49a78d41dd6c43f282c107aa4b1ef80526b7d056695cdd42ac1b0f0bc402479c0b7b85c17f23fec12508af4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\250661\U

Filesize
467KB

MD5
cecef54353e4fdf1ccdd7f147448229a

SHA1
2abf40db66bccd9d3e364be7a6247a471ea1afd3

SHA256
ac1f74fc644b5cf17ef680824f773c40b3c298978391cd7934d53375dccaa69f

SHA512
ab871c97b3b514ee541514f6cc0da9b55da26d786613b3f9e588defd4a687d35bfa63795bd018ca1c1fc941fb9a65c40c9f262d775f5cb9fbcbe91f140c98fff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Acm

Filesize
145KB

MD5
b93b2af50ccec005635f716ec072dcbe

SHA1
f4033005fe92d3d9dca79122600952a9cb9fb996

SHA256
adb16db01927272a48403358940bdaa4d9649d8ba0b013a95c2819839aa478b0

SHA512
2413a4c3485685e0cc1c2948bd65fa300ea1cdac41ed0c43946193f4ad046a78332511c4e84710b1f8905cd64fa32ced11260b9342ba472b9866c0f128dec185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Animated

Filesize
61KB

MD5
d656e21decdd65da73c1d76df53347bf

SHA1
64a2d57377a79c561c8a18e6723b0f5a12d96bde

SHA256
a3590d66860c2c92fcc92ccd2b0541e7db63ed7783fa92e1588545feaac1e823

SHA512
0b1eae9db1025c33c101da929edd6566d2f9f379f3781ba435295fd6091609a356bc6101c93731bd2bea41d0f5687951bd676e21d9d977bcf56b26061de277d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Buying

Filesize
149KB

MD5
0ef636892399da1e510ff10ab906bd86

SHA1
8d15d71eecd7f2ca2cae8f38d6694314b0726a20

SHA256
1deb1534534a84bbba7321c6fd6e9e34506f8c051b4d2bb1071ba1c427977231

SHA512
5881bcefadee4a3072d8118095bcffda7c9ac4fbb1aab7c6a20f6973f9462d9830d37d22b43209acbb5f6342a24fd265a8fa8cd5ad84b39ef013288b6d868368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Carried

Filesize
115KB

MD5
664328ee019462f865e94b7f37b783d8

SHA1
03920bac1e0f8b7443f3308b9ba44a6149c7a2b2

SHA256
59b70f66c964714c16e4f58e6c42130f845066c3d5d77c3138cf5f3d8cc95fed

SHA512
d67292550f5c8fb49d93337824558cdca1a127d06a0fdb46e5c5c7b3a288bda8fc6d4b0cef47fa61e1211c4737c2b3e8a3426e44e10df1a2efde71aff0f461cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Collectibles

Filesize
66KB

MD5
15797ba22006cb78ac5c0f7077d89e78

SHA1
846dafac16bd2afebd20d9cd257345cc3c68fc0c

SHA256
a74a84a64a8dd359d922bc4119c681d6855feaa1720f63a233e63091eabbcbbb

SHA512
bf3f29b1ede56b30404d12f515a8802e26b73d127bbc5fa60f51f4a86a36a03580a2c8f143a17ffd26facc7fabc8ce7d72d53baac3a21c243d9dcd79fd9033f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Combinations

Filesize
23KB

MD5
06b5826aefee2609cd5c3c0068d6fe05

SHA1
65e18f91ab04d2af533c0354da962f28119c0b8c

SHA256
354b019022eb8a55517ade24e2a4f35469ed4cc5797c8038255713fde10d6834

SHA512
cfaf2062adb1e6f8b7300035c9b4b5ef123c6b10991de25586eb7a154708406f9828fd8c0f0caf86112d6efd0c9887db1d028fa1e456a9fee4740b8605451692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Empirical

Filesize
2KB

MD5
64e1b429f3a6711ae857b100d8157fa3

SHA1
ed289ed171ceca8dc51e6b3665fd257b583ac8f0

SHA256
9346d3702fcdbd3397707c95e9a4dedacc529c89c8d0a3e44bb4ca78925b11f0

SHA512
d8cdff172d7784b74bdcd6d06acaea49225647547392ce0d0521e42842420409fce8d1679c31363c3e0a37bb0bad303fc4e9b3fce047882a86d462fa8cf1adfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Extremely

Filesize
78KB

MD5
f457ad0a5f00e5a7ecef773ec59b462c

SHA1
d88e867f9ac7ddc7f88179c61d3b214d1aa05054

SHA256
23247486b72f1336f56f959a21f78cc4643c26ab9e18f76c654778e3357ef805

SHA512
5ea2e4499c0c9a8393b3eafaf477ef06073e21117fbc62be1cd9cb6b2cf854ae84d184c7ec86bd9bdf3dc58b673c52da33201370c0a87f414f00346a3e8a5fab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Hdtv

Filesize
91KB

MD5
82bf7fef5576e4d83301419e5dbe5a38

SHA1
5cfd9dedc5f1007be833c07b0738651686575e05

SHA256
35517b54cb9bb9dc03ecb85d5a6d63713503b28bd87a842533daecf409fca6d3

SHA512
524a37626ad0ad9b1adbb4602c6e86125650fa28185eabcd8c4fbbc88a5aa99b7777a92f2185af83b16a508c91f469b954ff530612dfac238718bbe2336c7f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Horn

Filesize
60KB

MD5
33442e116b74223da22f0699f78f24c9

SHA1
e6f2a7c46998431511346c311c52104d785012c7

SHA256
7ed1e8f16980c7164b7b096e01441a2a40226b96e59b1ccaa3eb1f64e7c79c30

SHA512
44727d16eb2863535b996fefbaf83c8268a37acce4e7b7bea5ad9296d94d0318b1ede96eca99cf9aa877cd84b4014759f04fe5e374ee7944c62f4d43c01f2582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Insert

Filesize
82KB

MD5
4d0fe6780b9020aa6d4c0f2712dba5f2

SHA1
e1be6019e8e31cc0915e23a9e7fa69cd24636582

SHA256
df2e85ac13613cf0932f3fd6b358f5d5ab501b5e2eff483717c8b1e25782dbbc

SHA512
cf02ad21ce505c13a0c5e2c9dda613a753d11645e9f3f8c35dd86070a3b7ba5326b584eaa8301f8625cb50323bb1c8d3eb255ef13cc690389c581a9c2c39d3bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Kevin

Filesize
92KB

MD5
4961ae68cc712e49e667d33bcdfa38c4

SHA1
eab641942b30d79be68ff8cc820d076919c2f7d8

SHA256
e887da35d8ca3adcc569d6fff43d0bfe48f221eb2890d2f49bf3ccef5b17e476

SHA512
da9015e60291ee8b60c3b4b3c3e8ffc2507fd62e52cbebb4b7e2eec28b5b38413bd977e04b3bdf13637ab2193403b70c4bfa74b2a3ec44adc6c31bedc1709f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Keywords

Filesize
478KB

MD5
1cf9c7908c62a1f69b4fe75f36407147

SHA1
c64c982ed8e64f220c894f79ded872f061e171c6

SHA256
fa801affa7f65a8f3dcb9b7a6cc54d1d0e0f27e76079303cc4fc3d368d461fc2

SHA512
fbd772071970b53d81f9f826124f8a1c7500c764c50de4ea84a9c84c725c9f1fca2d8695a3d7428e25bf6e08b6476367e92874937e2bcfaccfa51453db49ddc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Officer

Filesize
134KB

MD5
d67580f456c779e35a08802f44600197

SHA1
452150324acb07f919727b80bfd1ee8a73ea0d24

SHA256
6545454d9cbeee48426f99893b75ae304f6f82e8c4ff92e8cb4ce65d64abc770

SHA512
1de3774c429e8f49c728d9ff0f0d596ac0c764bd50b643541c7c57f33b69cda1d8988bfb8ac7ae29f6b1b92829fd126ab0eb1d904c6bf8fb7d737f9d5a0b5ad0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Powered

Filesize
27KB

MD5
d6f0021c350669ccb5311e5a7e4ee512

SHA1
8e8ef783e760902e9247eb9fa6cc01e4063eec5d

SHA256
265cffebef310cf141736f946222d7605c619bee3583693cb527922469217f6b

SHA512
31bcbe7ed8fafb0c5f355682f11bc7479cb205edc690f675551b9822eaaf5489e5fd3817db2f8eedb6566dee3298bc76d3aef554e9dcba192cbeddada59317a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Randy

Filesize
123KB

MD5
60184e1449cecf77e7c0b67686ae93a6

SHA1
f3e95249bcb20abeeeb0e7bcdf1d72bd78be7c5b

SHA256
dce03f1084d6f86a0fe85207b94e2b42a1227d662150b61050deace350a6157d

SHA512
c6c19c826f01e76b137b18109a835c0f6fccad4d6d02fe8a8bee2be6f6fe86cb66c496af049acacf9329f21fa89701d67e3e13285ad4ed71bb09bd0687ce77c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Standings

Filesize
88KB

MD5
907215ad181011930bb17ed808a565fa

SHA1
5d6f8a4b8742b501658eff75073bca0c696d9a9a

SHA256
74def03c3833e35519c1bd61cc9093b815517102a52ba7eb5518962186c66896

SHA512
52ded92ade76d2ffea291702b5fc44dd8012788f1f2e4e44c180b9a23c1dc8d91b5c6a85662ac1905af146f10ec4efaf4c294b0875e5798226086dce6def13e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Task

Filesize
78KB

MD5
7654374e2e43e28971c5cd535baf1ed8

SHA1
a452a5432bbfd53d97b15e3a5756b633636a5bf7

SHA256
9231ece5b6a4fdf26363e968040a22d1dd4511985fce8828ba0e2ff30b9b4e6f

SHA512
0ff536a18cbbcfe48608d93942a43335a7f5b7629051bd20058b55795417eaa95fe2f587e4920d779219db5b60734817b33d48856f1feea1fc66bc3a5372fbfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5063.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5076.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\250661\Creates.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/1056-66-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/1056-65-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/1056-67-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/1056-68-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download
memory/1056-69-0x0000000003620000-0x0000000003677000-memory.dmp

Filesize
348KB

Download