lumma | 4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2.exe
Size

53.3MB
MD5

78dc0759a77be20264122225bdb8d59e
SHA1

a38a428199ade9f82ee993f301e4812890c829ac
SHA256

4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2
SHA512

1b95d0893a608d8976d587651ddbb98f4dc52926f95c7ab7e38fbe9b8fc510e4856b5b1cf2199a71cdff50b22e82a510f6ba20592630a67393dfc6cd0db2a877
SSDEEP

393216:S76L6otUitqtH7wHtXq2pt2jbOCacCFIK0fpP9HF4VW8yfvnVQx4urYsANulL7Ns:S0LoCOn+2vs4urYDNulLBiuo

Score

10^/10

lumma discovery persistence stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 2 IoCs

pid	Process
820	6969.exe
4352	LummaC2.exe

Loads dropped DLL 6 IoCs

pid	Process
820	6969.exe
820	6969.exe
820	6969.exe
820	6969.exe
820	6969.exe
820	6969.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6969 = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\6969.exe\""	reg.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 820 set thread context of 216	820	6969.exe	92

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-string-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\libcueify.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msvcp140_codecvt_ids.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\6969.exe	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-filesystem-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-heap-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-multibyte-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-stdio-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ucrtbase.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-conio-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-convert-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-private-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcomp140.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-locale-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\concrt140.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msvcp140.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msvcp140_atomic_wait.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Qt5Core.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-utility-l1-1-0.dll	6969.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-process-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msvcp140_2.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime140_1.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-environment-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msvcp140_1.dll	6969.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\6969.exe	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-math-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-runtime-l1-1-0.dll	6969.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\api-ms-win-crt-time-l1-1-0.dll	6969.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LummaC2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	820	6969.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 820	2788	4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2.exe	86
PID 2788 wrote to memory of 820	2788	4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2.exe	86
PID 820 wrote to memory of 4352	820	6969.exe	87
PID 820 wrote to memory of 4352	820	6969.exe	87
PID 820 wrote to memory of 4352	820	6969.exe	87
PID 820 wrote to memory of 4940	820	6969.exe	88
PID 820 wrote to memory of 4940	820	6969.exe	88
PID 4940 wrote to memory of 4796	4940	cmd.exe	90
PID 4940 wrote to memory of 4796	4940	cmd.exe	90
PID 4796 wrote to memory of 3760	4796	cmd.exe	91
PID 4796 wrote to memory of 3760	4796	cmd.exe	91
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92
PID 820 wrote to memory of 216	820	6969.exe	92

C:\Users\Admin\AppData\Local\Temp\4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2.exe
"C:\Users\Admin\AppData\Local\Temp\4e0cec1e4b37b441348aafedecbf222b44e57e6dcfb26288eb4abdb99dace7a2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\6969.exe
  C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\6969.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:820
- - C:\Users\Admin\.nuget\d3DRj9hTVqLJoK6\LummaC2.exe
    "C:\Users\Admin\.nuget\d3DRj9hTVqLJoK6\LummaC2.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4352
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "6969" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\6969.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4940
  - - C:\Windows\system32\cmd.exe
      cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "6969" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\6969.exe\"" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "6969" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\6969.exe\"" /f
        5⤵
        Adds Run key to start application
        
        PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.nuget\d3DRj9hTVqLJoK6\LummaC2.exe

Filesize
322KB

MD5
2c1e463de0d2e82e61e5b5cd87c356d0

SHA1
a61fd405b8b5c89a9196af67db665e8cd8916fdc

SHA256
7bb589360559a93b1512ba3a9b892ab92d33b507d1d857940f9e1f0c3e5e6e9a

SHA512
b61ab0ba7677c4956da4b08e981a1dc34fcaedc46e3d46e07578b6edc69ca2e6fa88f19ebb89c411ab96c7e33e16078abe0a67abde039bcf00f994de89a28aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\6969.exe

Filesize
45KB

MD5
25ab75a586f4b22ebae81e74b20bfee9

SHA1
97f52704adbbd42f1c6415f565241ba1521c450f

SHA256
14a4044215f341ba1ece3e49d475e309749b65c8959f2724d26209ed705a225a

SHA512
cfa18fcccdeb95450f9ddb24dd620edca3faec765d339395884bcd2369783e37fd41ab3923a2d7439512670eb9389555dfc5a72adb725c818d2a5f4ea5154f7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\MSVCP140.dll

Filesize
552KB

MD5
29c6c243cfb1cec96b4a1008274f9600

SHA1
c54b10ef6305cc3814c68e6c8fd6daecbb27622a

SHA256
44a5af24f8d5f9c50a9e5a200a0486100afb6a0e86377e2e3e622a7bbb57cb04

SHA512
39c34554ea7b6d433c2aecfdeff87959e625e943bf7a446ebca8e5878eaf24198c1b188359a0343fb78478f2bc8b986ca4d0e69d39bac6ff80cb901fe4f113ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\Qt5Core.dll

Filesize
10.0MB

MD5
88f20b6083d740e0f5576ecaf28bd3e2

SHA1
438146cf27295fb120fa216e683449d3e087adaf

SHA256
7458ec83ab0ff3a4568b7fb7fedafb9582953547a49e075f1f85b30258e6a152

SHA512
7c32c5f5a3b10e35b03822303f126262d39eec322126906abb0d9b451eb11d702d3e4714a51cdbe273a1c35baf14552f0fdcaca1d56e57676afc359982e35f1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\VCRUNTIME140_1.dll

Filesize
36KB

MD5
d8d1a08176ba2542c58669c1c04da1b7

SHA1
e0d0059baf23fb5e1d2dadedc12e2f53c930256d

SHA256
26c29d01df73a8e35d32e430c892d925abb6e4ad62d3630ae42b69daacba1a0d

SHA512
5308790fbcf6348e87e7d5b9235ed66942527326f7ba556c910d68d94617bdd247a4ed540b4b9f8d4e73d15cf4a7204c0a57d4fd348ec26e53f39b91be8617fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
fa770bcd70208a479bde8086d02c22da

SHA1
28ee5f3ce3732a55ca60aee781212f117c6f3b26

SHA256
e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf

SHA512
f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
4ec4790281017e616af632da1dc624e1

SHA1
342b15c5d3e34ab4ac0b9904b95d0d5b074447b7

SHA256
5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639

SHA512
80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
7a859e91fdcf78a584ac93aa85371bc9

SHA1
1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7

SHA256
b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607

SHA512
a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
972544ade7e32bfdeb28b39bc734cdee

SHA1
87816f4afabbdec0ec2cfeb417748398505c5aa9

SHA256
7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86

SHA512
5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-heap-l1-1-0.dll

Filesize
12KB

MD5
8906279245f7385b189a6b0b67df2d7c

SHA1
fcf03d9043a2daafe8e28dee0b130513677227e4

SHA256
f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f

SHA512
67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
dd8176e132eedea3322443046ac35ca2

SHA1
d13587c7cc52b2c6fbcaa548c8ed2c771a260769

SHA256
2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e

SHA512
77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
a6a3d6d11d623e16866f38185853facd

SHA1
fbeadd1e9016908ecce5753de1d435d6fcf3d0b5

SHA256
a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0

SHA512
abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-multibyte-l1-1-0.dll

Filesize
19KB

MD5
b5c8af5badcdefd8812af4f63364fe2b

SHA1
750678935010a83e2d83769445f0d249e4568a8d

SHA256
7101b3dff525ea47b7a40dd96544c944ae400447df7a6acd07363b6d7968b889

SHA512
a2a8d08d658f5ed368f9fb556bfb13b897f31e9540bfdfff6567826614d6c5f0d64bd08fec66c63e74d852ab6b083294e187507e83f2bc284dfb7ca5c86ae047

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-private-l1-1-0.dll

Filesize
62KB

MD5
d76e7aaecb3d1ca9948c31bdae52eb9d

SHA1
142a2bb0084faa2a25d0028846921545f09d9ae9

SHA256
785c49fd9f99c6eb636d78887aa186233e9304921dd835dee8f72e2609ff65c4

SHA512
52da403286659cf201c72fa0ab3c506ade86c7e2fef679f35876a5cec4aee97afbc5bb13a259c51efb8706f6ae7f5a6a3800176b89f424b6a4e9f3d5b8289620

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
074b81a625fb68159431bb556d28fab5

SHA1
20f8ead66d548cfa861bc366bb1250ced165be24

SHA256
3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65

SHA512
36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
f1a23c251fcbb7041496352ec9bcffbe

SHA1
be4a00642ec82465bc7b3d0cc07d4e8df72094e8

SHA256
d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198

SHA512
31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
55b2eb7f17f82b2096e94bca9d2db901

SHA1
44d85f1b1134ee7a609165e9c142188c0f0b17e0

SHA256
f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb

SHA512
0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
9b79965f06fd756a5efde11e8d373108

SHA1
3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50

SHA256
1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6

SHA512
7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1d48a3189a55b632798f0e859628b0fb

SHA1
61569a8e4f37adc353986d83efc90dc043cdc673

SHA256
b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0

SHA512
47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\api-ms-win-crt-utility-l1-1-0.dll

Filesize
11KB

MD5
dbc27d384679916ba76316fb5e972ea6

SHA1
fb9f021f2220c852f6ff4ea94e8577368f0616a4

SHA256
dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1

SHA512
cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\concrt140.dll

Filesize
308KB

MD5
8e658a8572dbe14ea8af0420d7238a13

SHA1
121695b55a4c920a23f52c3a0f34db289342c800

SHA256
8330266110921bd09707b5e1dd5e78b26c43a7c90fa3851cd890a9a95b59cb43

SHA512
f4212fad6c057633f6ba177b9fcf83f3ab4b3805970da1cdefe756f5456ff9ed69a56cd47cfadffd79d8320a3e8c9d73522b7f613f2fe02bcd3aac19f5099b78

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\libcueify.dll

Filesize
2.3MB

MD5
506d7cf2810e4d3ff7e50ee7c71b62d0

SHA1
aba5e009696554ca768211f2f906f00c81fa6a38

SHA256
a43722085c8c223aeefe3779bf3242cd69b1e80765ffce03d228c72dd2d6aae5

SHA512
82965bd4b2263d878e99fe51d57f4895f036db847e14033224a8ba54c631a538d92e83aaa54f2eb1697ad4aff4a025017e06cc0d0f40f3e2909c920646de5fee

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\msvcp140_1.dll

Filesize
23KB

MD5
be0a66fb57f23c904f3ed2bb14dac688

SHA1
78dbb1de942f35e81154339ae1e8e4cedc2e5dad

SHA256
6599ae8785f4ce2fe28ceb2c313e418ae690a72bbff74d120f8c8f54cf7ff7f3

SHA512
d23d03e8c89cada02734331337cf8a86b7ae26b03c6ee0515855061efecfd093663a96a4115b1f6614f3304cd32b45ebfeb65dada11cdd1a468c8026e870106b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\msvcp140_2.dll

Filesize
181KB

MD5
e295254863c16050233c102baea803d9

SHA1
4aed63d2e75c034569107564d9d62b30deaf7f78

SHA256
d4579c608880afefccdcaa40b392bca578c7d29a1fa2bec592e2fa5615e598a8

SHA512
f68161e8913d91fb9d66c7514889cb6e73b98bbfa4840200c32915d3620ea3904a2e869d160c079b33ec307a8a9507149db648b22931f28c31ada202e7bfce5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\msvcp140_atomic_wait.dll

Filesize
54KB

MD5
b0b12a70523474dfa921cfab93b3b4d1

SHA1
b32bd6e6cee84d782c37a58837e5134614148ad7

SHA256
5f7f53042fb676ce44b5ac727aad4b455406f468386002be58d0a921ab8e6b60

SHA512
96c717a895100cf7b478746de71598c83c7c24689fdf0dc2d01db92acde9fc4cd73a28072654b32001302421e7c60edc0ea04a298a4fbf6790cd5542aa104fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\msvcp140_codecvt_ids.dll

Filesize
19KB

MD5
9e2c3f3f64d1dc9c9250b57e9aba9c65

SHA1
01b5ba668fe14d1ef2cbc11f4c7b1e1637dd8191

SHA256
72cf299b6202746283aa34a24a09e4a379f1c55b204c45051c25806831231d30

SHA512
cca38e3c51a1b9d94666208dac643d45cdf62845d9c4c9b00a92385d0a8237e1b4bfdf56627b2bd9a3a0207d9fbcf90aa6a2a8dab7b85fd84ce363b514e31f1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\ucrtbase.dll

Filesize
1011KB

MD5
849959a003fa63c5a42ae87929fcd18b

SHA1
d1b80b3265e31a2b5d8d7da6183146bbd5fb791b

SHA256
6238cbfe9f57c142b75e153c399c478d492252fda8cb40ee539c2dcb0f2eb232

SHA512
64958dabdb94d21b59254c2f074db5d51e914ddbc8437452115dff369b0c134e50462c3fdbbc14b6fa809a6ee19ab2fb83d654061601cc175cddcb7d74778e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\vcomp140.dll

Filesize
176KB

MD5
5135a292d5762ecc7577b90fbf4189eb

SHA1
7f9c0c4a1f08e458857bebd1bbcd84b8f6d0b7d0

SHA256
def922f1fce75c46765e04daa5a598e77c941f001481da9f0dc9b47ca8570a8e

SHA512
fa3cd95cec8a73fc560f536e9c7e41cea7af6b96258e1381a2a140f9b609be7cd7843da849977b436beb9760924a5b70d97373c0816f4fd56f501d5f4fd511ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\9d96c1198061a6a370b51a7ab10fba79\vcruntime140.dll

Filesize
94KB

MD5
02794a29811ba0a78e9687a0010c37ce

SHA1
97b5701d18bd5e25537851614099e2ffce25d6d8

SHA256
1729421a22585823493d5a125cd43a470889b952a2422f48a7bc8193f5c23b0f

SHA512
caf2a478e9c78c8e93dd2288ed98a9261fcf2b7e807df84f2e4d76f8130c2e503eb2470c947a678ac63e59d7d54f74e80e743d635428aa874ec2d06df68d0272

Download Submit
memory/216-98-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/216-97-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads