lumma | 1846bc2cf1e352a7214870d2a9439f420dedbb3e3348a7b13a7bb7542f627178

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 11:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NewInv1.1.0.exe
Size

1.1MB
MD5

ec56f2e52cbbbb1ad1507da08be13034
SHA1

2671ea22d4340ac094fd1076b2fb440e19f112bb
SHA256

1846bc2cf1e352a7214870d2a9439f420dedbb3e3348a7b13a7bb7542f627178
SHA512

0822b4274116a2d212959e0bc2a54a8a22269b067b98be2d132373290fdfc2940be5d7e1f98ec70fedadae03297c00da5d3ae7499a4a52623cd96f7b8ef1e2d0
SSDEEP

24576:lXsUIwgY+tXzdBkFVIZkNha1SeQ7894cBhiAkSd3+g:9HINVdcIZJ1Ss9j0AkSdOg

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toemagnifuy.biz/api

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://nuttyshopr.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2136	Surgeons.com

Loads dropped DLL 1 IoCs

pid	Process
2984	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2700	tasklist.exe
2836	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\NigeriaCode	NewInv1.1.0.exe
File opened for modification	C:\Windows\HardwareSavannah	NewInv1.1.0.exe
File opened for modification	C:\Windows\SacredEarliest	NewInv1.1.0.exe
File opened for modification	C:\Windows\FormattingEnter	NewInv1.1.0.exe
File opened for modification	C:\Windows\StandingYukon	NewInv1.1.0.exe
File opened for modification	C:\Windows\ThingsSelecting	NewInv1.1.0.exe
File opened for modification	C:\Windows\PrizesTable	NewInv1.1.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Surgeons.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NewInv1.1.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Surgeons.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Surgeons.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Surgeons.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Surgeons.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Surgeons.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Surgeons.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2136	Surgeons.com
2136	Surgeons.com
2136	Surgeons.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	tasklist.exe
Token: SeDebugPrivilege	2836	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2136	Surgeons.com
2136	Surgeons.com
2136	Surgeons.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2136	Surgeons.com
2136	Surgeons.com
2136	Surgeons.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2984	2172	NewInv1.1.0.exe	30
PID 2172 wrote to memory of 2984	2172	NewInv1.1.0.exe	30
PID 2172 wrote to memory of 2984	2172	NewInv1.1.0.exe	30
PID 2172 wrote to memory of 2984	2172	NewInv1.1.0.exe	30
PID 2984 wrote to memory of 2700	2984	cmd.exe	32
PID 2984 wrote to memory of 2700	2984	cmd.exe	32
PID 2984 wrote to memory of 2700	2984	cmd.exe	32
PID 2984 wrote to memory of 2700	2984	cmd.exe	32
PID 2984 wrote to memory of 2756	2984	cmd.exe	33
PID 2984 wrote to memory of 2756	2984	cmd.exe	33
PID 2984 wrote to memory of 2756	2984	cmd.exe	33
PID 2984 wrote to memory of 2756	2984	cmd.exe	33
PID 2984 wrote to memory of 2836	2984	cmd.exe	35
PID 2984 wrote to memory of 2836	2984	cmd.exe	35
PID 2984 wrote to memory of 2836	2984	cmd.exe	35
PID 2984 wrote to memory of 2836	2984	cmd.exe	35
PID 2984 wrote to memory of 2728	2984	cmd.exe	36
PID 2984 wrote to memory of 2728	2984	cmd.exe	36
PID 2984 wrote to memory of 2728	2984	cmd.exe	36
PID 2984 wrote to memory of 2728	2984	cmd.exe	36
PID 2984 wrote to memory of 2572	2984	cmd.exe	37
PID 2984 wrote to memory of 2572	2984	cmd.exe	37
PID 2984 wrote to memory of 2572	2984	cmd.exe	37
PID 2984 wrote to memory of 2572	2984	cmd.exe	37
PID 2984 wrote to memory of 2604	2984	cmd.exe	38
PID 2984 wrote to memory of 2604	2984	cmd.exe	38
PID 2984 wrote to memory of 2604	2984	cmd.exe	38
PID 2984 wrote to memory of 2604	2984	cmd.exe	38
PID 2984 wrote to memory of 2464	2984	cmd.exe	39
PID 2984 wrote to memory of 2464	2984	cmd.exe	39
PID 2984 wrote to memory of 2464	2984	cmd.exe	39
PID 2984 wrote to memory of 2464	2984	cmd.exe	39
PID 2984 wrote to memory of 2384	2984	cmd.exe	40
PID 2984 wrote to memory of 2384	2984	cmd.exe	40
PID 2984 wrote to memory of 2384	2984	cmd.exe	40
PID 2984 wrote to memory of 2384	2984	cmd.exe	40
PID 2984 wrote to memory of 672	2984	cmd.exe	41
PID 2984 wrote to memory of 672	2984	cmd.exe	41
PID 2984 wrote to memory of 672	2984	cmd.exe	41
PID 2984 wrote to memory of 672	2984	cmd.exe	41
PID 2984 wrote to memory of 2136	2984	cmd.exe	42
PID 2984 wrote to memory of 2136	2984	cmd.exe	42
PID 2984 wrote to memory of 2136	2984	cmd.exe	42
PID 2984 wrote to memory of 2136	2984	cmd.exe	42
PID 2984 wrote to memory of 2884	2984	cmd.exe	43
PID 2984 wrote to memory of 2884	2984	cmd.exe	43
PID 2984 wrote to memory of 2884	2984	cmd.exe	43
PID 2984 wrote to memory of 2884	2984	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\NewInv1.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\NewInv1.1.0.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Meters Meters.cmd & Meters.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2836
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 212248
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Complement
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "cgi" Tvs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 212248\Surgeons.com + Keyboards + Integrate + Signing + Nirvana + Charming + Fat + Highlight + Posts + Lay + Semiconductor + Artistic 212248\Surgeons.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\National + ..\Confidential + ..\Cart + ..\Humanities + ..\Demand + ..\Peas + ..\Routes g
    3⤵
    - System Location Discovery: System Language Discovery
    PID:672
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\212248\Surgeons.com
    Surgeons.com g
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2136
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\212248\Surgeons.com

Filesize
1KB

MD5
c11076714705fe25e0209c6caa98bcb6

SHA1
1861b3029e998174cde954b050d6747739b1c083

SHA256
c4ef81953bdcab124b8ed919d67b1195886d2e641083d8d562f1767dcc860d9e

SHA512
34d43a26c1cbb5f1917b7d9350e0c433d54e3093b252b386c7e0053d2775dd8943e9038e3712a927e2115964e8a932cc49efe559d110a9ce46670146ea1426ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\212248\g

Filesize
463KB

MD5
530c3434f1693d22f53c45555451b244

SHA1
fb47cdaccbd15358fe51a117f3cbdb318a0de275

SHA256
cb0011025649c3d39a1f8647680199953c1a16b47faf1af1afa8b4589264c509

SHA512
14d52337162003b5ed0bd87cf61dd1a5848dd237da98b705ffe1f47c908bd7949b2a22e9e51407332728babba4de1453724869ee4f597e22d96c1e756d306eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Artistic

Filesize
5KB

MD5
5774fd588ff870ad376cf9ff6fe4d080

SHA1
db7bfd9cfa2b2ddb5b958869579489e95416d1da

SHA256
b18cf0df086f8a3436bb6ffcc192643d2cb45ed852e91eae6833411be6a25abd

SHA512
1802eefb7bb4c9f6658bfabbfd65fd84d42431c58da35ba2a8327e6a4859c26c00e843adec6e65b2e094e635fbbfc151cf68f16a011533bc817e96efd5e153d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cart

Filesize
61KB

MD5
f8eb8975c19df0e4adac64b842a557ec

SHA1
f4acd18b3a24dee28fc50a388a59fac25a73d7df

SHA256
89e20e5a963853f21e2322760e300e3ecb52acefa78332f4ad5b55b2738b55d2

SHA512
916faccf40ff05e22b84fe3a31e4d21d9534aff9b44e0b797353555d768bc031bde0f257d962f29c7ce009aaa2a1c543ff94013fcbe505e043e55e03a7c4438d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Charming

Filesize
124KB

MD5
e62283b65279a8bf92fabda6054695a7

SHA1
0db2f88f8f5e961c88e2fbe7db07fbf4931a7985

SHA256
0daa2006f374f6299a04badc5e5d250e31e7defc1685ba12b48e854a874480f1

SHA512
6d3866efebe3a8d365488c9c4be6419e34172e1e97138667a6f330b1ca5fe371b12a9391fc4e8ed340544f8f4c0047bfc0ec5d38fad799860292124a611902d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Complement

Filesize
478KB

MD5
7a3096a5aee56c3b631ff6444863032e

SHA1
7ac6004a009ea9d0c823da6ac29fa322cc826b36

SHA256
05e23e9a26793d65aa3ef5502ff2c7721d3525f88088cb17d1ce062fad285a07

SHA512
510bf659f46e199a838926d4663bfb01523ebeffbf7351fafcf4fb729c37fa7d88eae1e4f0c2bdc2c22f13b344985ada89233f01f2a5fd7d943b9d603a4e6896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Confidential

Filesize
56KB

MD5
7821523d49b1e8b7f9c482c424dc594d

SHA1
bf8e1ef09883a238632cd92e125e495323536b17

SHA256
4fbcd80aab85655e7585b6872095055901325db298e954d9aae2f60780642f4f

SHA512
d29784b71cbf87cd2b28f5db1d281df1141e27be92d61ef81f6c36c96d888dd055550f104e606a403a066afc5bf692cd966a5ae24932a422871552cd1bb83e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Demand

Filesize
90KB

MD5
8bb2068d76f5a5fd1dcb65ce3d6a73b2

SHA1
30f981fc976d01210f2363a11a7c46708ee619ce

SHA256
72f8ad3555d5877e6f49b828691aa58efb0012eec05f3c2299526221fe9342cf

SHA512
2eed07d2bbec2cb951319007df44fd60370ad176979fc9a1cb0090df1680987b6861dfa97d267acc1cdb1916be728ad7fbe3589afc0594e8b8aa0b2a3a8c61de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Fat

Filesize
69KB

MD5
86dfb4d4f7a1adda9a82640b6d35b0e2

SHA1
77fe92e668af4c47b766ad02e29a6bc468cbb312

SHA256
df7500c4f66983377e79ef45e4276a9a384a327ba145ba331b77eff305f23084

SHA512
1d546a521bb24041a67141830f71682dee325dfa86ccc9c479173f187c8533d2785313aeac2c3b1db3ebfbf44b28187385c7c61ac17f5138e575c0c93a9c0510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Highlight

Filesize
125KB

MD5
85d7c2c5e056e4a21878360548f0fa36

SHA1
f02d73e6fe479762d4c83ad47315fa10fc84b075

SHA256
82a98874e4ba9240eff71725b227d06316f28c3fc7ba0dcf4956484e80f7901d

SHA512
a4a0013a1193f49a2a4dcdd548c6b872016185061fb6c669a12da2c5a404a7396ed3837570162f4b1beb23e3a23fe46eb74566c95f454808f953b89776d7a518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Humanities

Filesize
85KB

MD5
639a227778f1370837e87b2ac06d05ea

SHA1
358532a2eafbb9159b516ce9f9d76240dec8b426

SHA256
1106498084ae1e7f0e04981b818df2c8e3f2c80de887c42a9651b27fecf4f1fd

SHA512
f9fbfe06dbdb890f0718940b371a2c8019d3ae9680e5e69e88cb467141d5e3703b0b38c7b84540185805479c11f346c7eba43e63cd58af376c7cd78fc2310b8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Integrate

Filesize
131KB

MD5
b9ee068d114421763c9d10aa50c8cc63

SHA1
a331db04db854ae06f953395d61dd7c71c3dcb97

SHA256
070d6987e4592272a1bed7a4a5e3e0bb8e8509ee45fb5aa43cf78b815bd4f36c

SHA512
f46768837751306f6da8d8147e1528dc0a7f05ab347c9d92f6bbc8ad1258432896b6aed0d759e3396e628f0b42bff30858be7290af20fae991b29a390e2599dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Keyboards

Filesize
58KB

MD5
cead9e6935ad1d2fd2add4b10ca27a6b

SHA1
ce812c48af8452bef5dfbaed44082b4e75b0733a

SHA256
944749c33f419f64ea4b73fb62ae300ad38d3e2869ea1f9512bbee1451a8cb8f

SHA512
537ce4c66d8435a6de2d7546997c8e4dfd65addfeb3546c34fa17502b687e31c13831607b7cb04d1ac280da95d11c79fad71555a2eae99ef76d1521e248048c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lay

Filesize
77KB

MD5
936598eaddf54465dc8baa64215986a4

SHA1
8fabc57de628206f35ca2e65c015215f579c831e

SHA256
bea63e45dfb58e89bb140a031b74431859f0ebb12bc5c95d810c484251bfc21a

SHA512
70879f9f51ae19a2b7a4d907240b48de6b62c54d372ae0226ee00714bd86f67dd3e3ce7347b44b89ef77c56c840555aaec8f173cc8c0463344f0a87cd69d7da6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Meters

Filesize
26KB

MD5
9ab61c1120917df9d09207973ea071f7

SHA1
3ee91d62b8c4176e5d56ccc2277b1c5403c4e521

SHA256
65a70fa3c59aca47c345b79240243154925295f5d3350862faaddec2131430c4

SHA512
c20086ed148bde8737525fc0f731de6d854dfc935aa173793441dbb18e5037cfb6d9ba9a62c45dbc215779d1c54a7767d9391658a20d326ce8ff2eee56a609f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\National

Filesize
58KB

MD5
0966734c9fee7283f3bcad06603c6702

SHA1
0cc5b5ce8dba957916ba30c6795642fbe058dbbd

SHA256
712f475a67ec383cd6dda47bb2e551c4989844d9559390f14ae2b3bfe189f567

SHA512
a0178f8d50a58e75f7a2d93188b56ce71e514a56d522785e2409f750c0cf7cc51917f64107a7fd3adf2a0474a2a9f9f4fad911db94bc82aaab6653a5fe6a4525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Nirvana

Filesize
80KB

MD5
b48c4e815f2499b2e472dfbe61c65c6e

SHA1
a711526ed111eb85cc5879e5abcc98a7de3a1be3

SHA256
36d21aee65f3313509dd058420fb25f7337b66edec5626e395c3b8554273d8a7

SHA512
7d98596ff32e131f0731673ce3d5bcfef9bc3235540aa8d92d88e707ad823029cbea214cfd5490eb644e3f2540e3c50975f7d6dcca6b6ba2cea4822ea2fc8c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Peas

Filesize
65KB

MD5
04da8c43e6b809eda59d214022bdceda

SHA1
39d5b2b08519a2aedb28bb5f7e26cdc54dfb59eb

SHA256
23df97e902ed346156117d05f9d4777640eebaad86348ae61885b85eaf8137e0

SHA512
cfa601b2e636d81f8c9404e2be74a6d457208286c610e5ed2477db7d13b6cfb443c2782914b03699788f217fd3fe17095868519dd07099ed9718196cb2128f4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Posts

Filesize
142KB

MD5
263757e90f3f37226bb1ce72e4338836

SHA1
aefc45d170ac67965ab6cab83749c3448b19e633

SHA256
c1ec3bd2c32f4adabbb301c48ded6008c498813b932497d6060df61980989b76

SHA512
1497df221301633b59c41952def56ac1d5a951be22dd0119e16d7e9abb7d9b12ac945b2b385c98d324647f92257c7a9f3cfe0c7d3619275f54fa5ccd3e2f1527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Routes

Filesize
48KB

MD5
d7e978da8a3f1dca2340f813c7da3adb

SHA1
79bcdb824771eb3dcb425c1fd894f1a62cd69324

SHA256
57247c77a08ab10a1c80bbde737ce3d5a43ac17033cc7ddbcacbfda54c859d84

SHA512
657558c78f90cbe31e3427718d74a6b79360e15084c3cb5891decbcf8917535c1f896abbfaf92856ff6005a313a36f43bf338b1fb9aeb535e6f3ecbcef4db1cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Semiconductor

Filesize
60KB

MD5
0cb4eb4d5f485df086884a6be043eb92

SHA1
c52ee2cd9368a7b46c4350edf107912e5d28e401

SHA256
678503ca52c63d28755d24653239c34033772231b351016e73b8a83ce918e886

SHA512
f81bfdf03cea24ebeb371eccf9ec6e1d8ddd3eea9364beeb61fe39a2bfc6eca005fdf16c19db0c4cd2c856aaf7545be3e3b6659fd6196e1236b2833b732251a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Signing

Filesize
52KB

MD5
53d2d146d1250598fa4d9a18a8b304e4

SHA1
178c507271d8d651ae4033b2356f7babbb3ac399

SHA256
b2b32aa3f783b0745d3ec56ff935c815031fd00f1bb25d71e0c8755d8cf3a1d2

SHA512
211cb765d7077ab6915a941653c2b4c63d1d29e525652ded4d5062a3aa77eba79969cabbbe5f0710e241786701b4b3bcaf58b2d1db6f4e0c842599a59458ae61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Tvs

Filesize
1KB

MD5
b439fb30ff31111ecfb3010a54a2e465

SHA1
4716df6e8d58de17e4893e6b875ce16614a594fe

SHA256
80f7d4a734554fd138fe5625f2d5d3aec8852631cfe9909fa04b333a36d9b25a

SHA512
75504a37dfdf8a0ace75895a103c313460f08819a6106667e430bf2c72d8abdbeefd9f7301d11b1b974f0d4ccd16e541935076bd09d4c8ebf808b0fec5277a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CF6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8D18.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\212248\Surgeons.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2136-76-0x0000000003780000-0x00000000037D9000-memory.dmp

Filesize
356KB

Download
memory/2136-75-0x0000000003780000-0x00000000037D9000-memory.dmp

Filesize
356KB

Download
memory/2136-77-0x0000000003780000-0x00000000037D9000-memory.dmp

Filesize
356KB

Download
memory/2136-78-0x0000000003780000-0x00000000037D9000-memory.dmp

Filesize
356KB

Download
memory/2136-79-0x0000000003780000-0x00000000037D9000-memory.dmp

Filesize
356KB

Download