lumma | 20f96c72f95343c306164d0fdff253d50d85de272a5d3113d9e411aba467eb51

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

random.exe
Size

5.0MB
MD5

82b0dd4607ce761914ac07d3d585ed55
SHA1

4621e732feb0470f3a036cd01dc273624a6e790c
SHA256

20f96c72f95343c306164d0fdff253d50d85de272a5d3113d9e411aba467eb51
SHA512

bb3cb777938a0d5b033f13f30564798575873f89be7f3214b5481d37cc4391d7bc7dea2097c90b1492965e4f6f3d42ea75701b5b4cd816159f9c67517eb67f7d
SSDEEP

24576:QreSyKJOobxH5hrx+EHSYm6LFI8wVPW/P7Pub7jb7j:3Gr9yCq8wcLk

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://fraggielek.biz/api

https://grandiouseziu.biz/api

https://littlenotii.biz/api

https://marketlumpe.biz/api

https://punishzement.biz/api

https://spookycappy.biz/api

https://truculengisau.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
552	Thu.com

Loads dropped DLL 1 IoCs

pid	Process
2860	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
2732	tasklist.exe
2692	tasklist.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ReprintSinger	random.exe
File opened for modification	C:\Windows\LongMarie	random.exe
File opened for modification	C:\Windows\CostumeUploaded	random.exe
File opened for modification	C:\Windows\VoltageReturning	random.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Thu.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Thu.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Thu.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Thu.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
552	Thu.com
552	Thu.com
552	Thu.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	tasklist.exe
Token: SeDebugPrivilege	2692	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
552	Thu.com
552	Thu.com
552	Thu.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
552	Thu.com
552	Thu.com
552	Thu.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2860	3048	random.exe	30
PID 3048 wrote to memory of 2860	3048	random.exe	30
PID 3048 wrote to memory of 2860	3048	random.exe	30
PID 3048 wrote to memory of 2860	3048	random.exe	30
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2732	2860	cmd.exe	32
PID 2860 wrote to memory of 2600	2860	cmd.exe	33
PID 2860 wrote to memory of 2600	2860	cmd.exe	33
PID 2860 wrote to memory of 2600	2860	cmd.exe	33
PID 2860 wrote to memory of 2600	2860	cmd.exe	33
PID 2860 wrote to memory of 2692	2860	cmd.exe	35
PID 2860 wrote to memory of 2692	2860	cmd.exe	35
PID 2860 wrote to memory of 2692	2860	cmd.exe	35
PID 2860 wrote to memory of 2692	2860	cmd.exe	35
PID 2860 wrote to memory of 2332	2860	cmd.exe	36
PID 2860 wrote to memory of 2332	2860	cmd.exe	36
PID 2860 wrote to memory of 2332	2860	cmd.exe	36
PID 2860 wrote to memory of 2332	2860	cmd.exe	36
PID 2860 wrote to memory of 2636	2860	cmd.exe	37
PID 2860 wrote to memory of 2636	2860	cmd.exe	37
PID 2860 wrote to memory of 2636	2860	cmd.exe	37
PID 2860 wrote to memory of 2636	2860	cmd.exe	37
PID 2860 wrote to memory of 2820	2860	cmd.exe	38
PID 2860 wrote to memory of 2820	2860	cmd.exe	38
PID 2860 wrote to memory of 2820	2860	cmd.exe	38
PID 2860 wrote to memory of 2820	2860	cmd.exe	38
PID 2860 wrote to memory of 872	2860	cmd.exe	39
PID 2860 wrote to memory of 872	2860	cmd.exe	39
PID 2860 wrote to memory of 872	2860	cmd.exe	39
PID 2860 wrote to memory of 872	2860	cmd.exe	39
PID 2860 wrote to memory of 1672	2860	cmd.exe	40
PID 2860 wrote to memory of 1672	2860	cmd.exe	40
PID 2860 wrote to memory of 1672	2860	cmd.exe	40
PID 2860 wrote to memory of 1672	2860	cmd.exe	40
PID 2860 wrote to memory of 1988	2860	cmd.exe	41
PID 2860 wrote to memory of 1988	2860	cmd.exe	41
PID 2860 wrote to memory of 1988	2860	cmd.exe	41
PID 2860 wrote to memory of 1988	2860	cmd.exe	41
PID 2860 wrote to memory of 552	2860	cmd.exe	42
PID 2860 wrote to memory of 552	2860	cmd.exe	42
PID 2860 wrote to memory of 552	2860	cmd.exe	42
PID 2860 wrote to memory of 552	2860	cmd.exe	42
PID 2860 wrote to memory of 876	2860	cmd.exe	43
PID 2860 wrote to memory of 876	2860	cmd.exe	43
PID 2860 wrote to memory of 876	2860	cmd.exe	43
PID 2860 wrote to memory of 876	2860	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\random.exe
"C:\Users\Admin\AppData\Local\Temp\random.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Meanwhile Meanwhile.cmd & Meanwhile.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2732
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2692
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 65452
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2636
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Lesbians
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Light" Natural
    3⤵
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 65452\Thu.com + Patrick + Diamonds + Haven + Boutique + Samples + Drunk + Ada + Myrtle + China + Situated + Beverages 65452\Thu.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Targeted + ..\Cartridge + ..\Defensive + ..\Alert + ..\Postcards + ..\Considerable + ..\Ht u
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1988
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\65452\Thu.com
    Thu.com u
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:552
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\65452\Thu.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\65452\u

Filesize
472KB

MD5
a6cd3d383e8b40f11b1778a14a72b3dc

SHA1
a4f649df47def118e15b4c922856dd9ae071c7b1

SHA256
5ddc1a0e891b0dd2c5aef3e9b3d1e86e968489b88264e85f53f95eb4f40ca903

SHA512
6d554096a3980eb5160691588ee88b9e97dc3712e8d5058f58c8f5a222bce8e1530cf702e34dda1f353eacf9c03b1e7707751bdf1864839e847d103cf3943e12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ada

Filesize
86KB

MD5
e7dad7c10471aeb4de5d87c9b2279182

SHA1
0b50c90e12f76aab4f94e02ff73c69a373fb897d

SHA256
d8264b4c15d18c40c999054dfac06849d6f6b11640f1b705e69dde6abd87fee1

SHA512
47e3718e870daaf31bc13b8bb2f615f8fd9a4fc7d1158bbf73eace2eb4af6d7bac0623ce19bf82b5b59d714ab7e909021b087fa0c3622cf3c3dc2974a1da30db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Alert

Filesize
85KB

MD5
ce8c590592724ed4670344fb9f030142

SHA1
9f513cf74fbec5db3d3dbe09c6aefea6771f3983

SHA256
ba3289497c6e2952a1f7eacedd846e76385bc2366d5b10fa64acdd7052150a36

SHA512
16af27d045dc099f6efbe17476a58520077ce31cf3540fa42de9e04f249c86ffee965b14c0e9a2a9185a9d02035b56c78c35afaf8f03ef661000511bda0c9ef7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Beverages

Filesize
6KB

MD5
485893ba0365e6619496df76ab9fe18c

SHA1
d73d1ea4c1e619fce50c855ad834ca5165aeedf0

SHA256
38255e04fceb6b20562255be4b5ebd1d6f9dba72deb4abd350216491d19f98c4

SHA512
02e29fa4f573766207d52f5e3d12ad89d763df21431a673a2e72eb330f40e3c31e3cb93501ccc21a1f54e678c7a92363ba87b2983ee768d7c9e5ee48f211552d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Boutique

Filesize
145KB

MD5
54833e3a62484385b41a2f61b89e780b

SHA1
2b480f8f2a1d61166420d4601c79f53d1825a707

SHA256
314fbade578479a7583c4c3fd3db2c3b926bb322b60bb7077ab76c55710b08e0

SHA512
cda303e3dd66475a03f5d45a01e60a6f68151ded88825c080fbd8ab6872aa4350f87cded176c9e093ca2471ce7da31ebc1be6d2fef5573155453d8ef185832a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Cartridge

Filesize
50KB

MD5
f6e47b67fe7b4937ed799d78aa9383e5

SHA1
69ecf3dbfb9266fbc5a4d02301cc24f79b124fa2

SHA256
c2a4a03e6fa006e62b247f60b8a83eef90886b30cfef90916f7f4ac493676808

SHA512
2ceef4c33f3428bcbc52392e5cc193708f7a3cd5952822677284e5faedf443750612aab34f2a997fb27a80e4a2214813d4bd9b4772d482a613d35b8d0a4cd290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\China

Filesize
70KB

MD5
9aad350403fbcd2b04a8f2a04adf8e1f

SHA1
a27bd9415ed68d9c34254cc68fb9abded8bb981e

SHA256
f65a05e7dedd3a6217b5c45c989f9fa0422fb3c40b03e3a8044b73f58366b5cf

SHA512
aa9ee17191a3d8261d6eef01a26b501f98ef8f99545785b36873359f5b27d9181f5abdd7e566d520a40d66356182ebbddbd74156935c21ee6150daf7c4398593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Considerable

Filesize
81KB

MD5
582f79ec93d7986f4ac4ada8f4b6f230

SHA1
1756e974dbb027368b704f966ae3513876bd9404

SHA256
74580677ac85ac203711f5055c844f7231b7cf6d8e39721cdd1d759034fceac0

SHA512
c3c5956d457f4a65be8caa325a6138b2fede04472ec55cdd5e9d67f105c0cfc74896a2eaba5c2873faef4342e0f269a2c14b92d611986a2bf1c5620708e3aa0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Defensive

Filesize
88KB

MD5
2c52b361927e9c023b405fd270b733be

SHA1
82eceb8cf13f8dc270c68c89a620d8bfe7673259

SHA256
4d335d3ce94c40bea4b86976c1f833e4ca9f6f1eeb5f455673c867a1dea43cb0

SHA512
2183fff7e14b98f8bb88bf33d849b7cbb8cdc11fa65338b49234553b55b3573f5061412a5ca96d1a0101fee00aaf288b1703e24eb125a6cc25dfc811c0aaa193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Diamonds

Filesize
115KB

MD5
b29bfe6d19ad6757965fba08e57d5d82

SHA1
0afca9e7a6936064ed8e14ac29b2dfd83a3a5617

SHA256
f871eb3dcda6c25d7a182aba8b01de2e24baba42b93d78ca644bd6e70bc4bfb6

SHA512
ec815b201f7bd80b31ed8a4817c4d3c1b76d954cc5075e5361400f430e629d11d5f6284d880262c4c7a645f81f0cc4d6331d4928ce4c898f4bc5989e23d2c9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Drunk

Filesize
133KB

MD5
8747f478f628944842af7753a40b0b89

SHA1
03e68d87ae3376339e14402a3a3e2774fa66ef91

SHA256
84dffa32ea835a716e2de5e4942ac771ef1e049077d4088900f213d63c7cc591

SHA512
c3bcc458d4be37dc7843ecaf4222aa7f800c710439febc10ed9c17135280ac60e109d71a3e0bfb3ff4fe78fb668bb9a946d87115db47be66cbb7516d7cda47c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Haven

Filesize
62KB

MD5
0a3335287b3ee7d849c7f0620e451c62

SHA1
71d5366ec395218a37370485bce2632fc40f6f18

SHA256
e54d4354e9af7a915c3d7f26e0e4d0a7a1b30597b09e44cccc3f3254789e58db

SHA512
dff728d5c25268b68117fbc1238bbca40239c1d66eef57c1714dadd4c5144bc9f959589dceb82249f8db3d035232174bba71cd34ee7c417be1df40c1d401ad66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Ht

Filesize
51KB

MD5
3f2483c5dbd68f74cb53bd420a4104a5

SHA1
5e5eb4131914f77dcf064b62d7d0ebb9ad1e0e59

SHA256
69bb48ed643edb2986951c62784e52ff9160c022bc69c72e2180e29ecf117149

SHA512
c77ee857c0e6509ed2641627769c0e797fc616cb9e75317e141b40f82359ac49c48cb610d7cb4662d624628c266c56752f297e02e445bcfe33d7737a223104dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Lesbians

Filesize
478KB

MD5
215d1e37ec89699320d7aea64f5d87a5

SHA1
8d2effbedba47d04dfed215462a71333df8e6a5b

SHA256
7b05699feb654bdfce048d2eb1d8974b7bdadcad5d6451bf613ede4d4e1ecd5f

SHA512
d9f8bfbdc4a9594ec7885bceaa2167b87fc1de989d9edeffcdf99e96be53e21a19f375330c8c10bc885473b3cf31465c525733ce3b1eebf08aebdbc1a6f6d003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Meanwhile

Filesize
11KB

MD5
f54f9a9722a00681590a763b976a045a

SHA1
ca7dd2b9e413d7a78c6cc07df941c045dbff9d8b

SHA256
3ed01caabffa5c8d4118788f2c639daa0abefb7728b6bf37063a5a4a01c320a8

SHA512
22dcb50e3bf008494a2dd28a9299650113b28abf365c8bab9a4bbc5f582edc9722ab9bdad51cd4bc9b82fd1dbfc3e679e33a652be3dc3c3d8b0986872ec34dd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Myrtle

Filesize
92KB

MD5
e6c98ce396b7eff6a19d39917c53632b

SHA1
c7ff69492a4712d052e0dd61ab757cb1ccb40059

SHA256
62ea9cebc81c5e3f4c93892379a2533826bbb0ebdb8187e3399c291a5fdc0ef6

SHA512
2d388678f2740de402120562535691aa92d79549b2e7068405f113612e920b2354acdacdd6a808666f5fb272de95766ba63f2b6b0029505838cd3a3a5f48ba2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Natural

Filesize
2KB

MD5
d95f61f9dabe9ff14efc02a1e25d5143

SHA1
06a1f83c29e63d871056bb7876aa5b18f5628471

SHA256
70e237db397460c195cacc9af78a6da4c92114abdfd3989eb75d74bd9e556318

SHA512
19ec3b84e04e0e301ed6beb9f5fe6c655e4ed2f7b1321927410417a5eb49b1e6dba825713231914219ad95898dadc43fbc8b947878cf7dd40c123aaaf103df04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Patrick

Filesize
94KB

MD5
f924f94313c3d0855284e553ba47e68b

SHA1
74ffea37a07d797da6e7b37f8526ae6239a053b1

SHA256
3cc7cd5a374733cc63cb7778922000e6715556619f6a959d2f9989188512d8ab

SHA512
b32dba869ec38fcdcda175deca013275ded001936086d0598ac697a7268dfa6ac337b3fe50ed6f224ac1dd7384290509c66d714a121fffa0054ca74898f121d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Postcards

Filesize
52KB

MD5
8a0dfea5f88d6673f4fbeb83655612af

SHA1
0c8d3d567e9bfdb32a4550e01d700ce3b9b92c06

SHA256
91fe2ec9ed991452f388ffafe877f105ed4e535fdcb85b0bb86ebd764aa1e960

SHA512
0d0469fa154920810f8601370e60742a2f2dc07087c2264509e5a1c80ee4367ab0772f9515a070ba8b0049d7d044aab557032d0da2552e51bf66a9cf1acd0f47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Samples

Filesize
65KB

MD5
92091ba39b3650b848804c9e7a33328e

SHA1
e9ed799ba78836fc170fb5c3dca53152b3a9e0f4

SHA256
4943e6ac3e9ab4c10a46a1cd4d3111890ea7aca437f7eabafd49797592e40548

SHA512
cb0f13fefe6284eceeec2960c40de762b2808e96b7e08ce86c7210a45b59b6b590ae8d69d88d0128e24be1fbc6a724eab08c42fcc4ca3ec8bb5d8d8d3bc4db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Situated

Filesize
54KB

MD5
89ae9cfd20e98ff5b58adc07ad0baa2b

SHA1
a0f58d8a783cc1b621dbe67c93abeb9ab632bbaa

SHA256
ecdfbe6666a7a22c0a4f41b4360ed9759acc82012e12e55e7558e22287e89c3c

SHA512
2fac9e814d26990989ec2418ddb8b01f6cceb37bf3412ad72e59ae7ac07aff39b4f968fc455a06b4ac2498efb7980be806b233e42e510fc567c1d49feb9bd863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Targeted

Filesize
65KB

MD5
192c41a324db7ddef0199b6c0a82679c

SHA1
a946f6e2fb342306b10d631a9753cb34e921d7f6

SHA256
ca62247302606fab36caabcd440da5d2d5531416ee6b1a4432baf48379c02a39

SHA512
d9b6a5c94c441be5852351ce85cc7a3c949821b0a943f19f377a8789474c9a67a58a1e6eed4b51a14c3ce8647af69906b7653db14e3af4fb0d222f83224f0d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9C22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9CA2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/552-75-0x00000000035D0000-0x0000000003629000-memory.dmp

Filesize
356KB

Download
memory/552-78-0x00000000035D0000-0x0000000003629000-memory.dmp

Filesize
356KB

Download
memory/552-79-0x00000000035D0000-0x0000000003629000-memory.dmp

Filesize
356KB

Download
memory/552-77-0x00000000035D0000-0x0000000003629000-memory.dmp

Filesize
356KB

Download
memory/552-76-0x00000000035D0000-0x0000000003629000-memory.dmp

Filesize
356KB

Download