Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19-01-2025 03:50
General
-
Target
https://ryos.transfernow.net/es/bld?utm_source=20250118d1daVVAq
Malware Config
Extracted
lumma
https://deedcompetlk.cyou/api
Signatures
-
Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
-
Lumma family
-
Executes dropped EXE 5 IoCs
-
Enumerates processes with tasklist 1 TTPs 12 IoCs
-
Drops file in Windows directory 32 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 39 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ryos.transfernow.net/es/bld?utm_source=20250118d1daVVAq1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdfe8646f8,0x7ffdfe864708,0x7ffdfe8647182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5872 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4544 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,17244188105304960696,2416984532366494397,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4708 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
-
-
C:\Windows\SysWOW64\findstr.exefindstr /V "Cheese" Difficulties3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\choice.exechoice /d y /t 53⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b ..\Basement + ..\Florida + ..\Passenger + ..\Msg + ..\Welding + ..\Terrace + ..\Stretch j3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\Temp\347157\Folding.comFolding.com j3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr /I "opssvc wrsa"3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\tasklist.exetasklist3⤵
- Enumerates processes with tasklist
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\findstr.exefindstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"3⤵
-
-
C:\Windows\SysWOW64\cmd.execmd /c md 3471573⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\extrac32.exeextrac32 /Y /E National3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.execmd /c copy /b 347157\Folding.com + Saddam + Visa + Bowling + Rt + Chapters + Advertise + Continuous + Accessibility + Destruction + Architectural + Any 347157\Folding.com3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\README.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\0P3N.ME-VER[%xEkCCOC#HuO] (1)\scripts\config.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Users\Admin\AppData\Local\Temp\Temp1_0P3N.ME-VER[%xEkCCOC#HuO].zip\Bootstrapper V2.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_0P3N.ME-VER[%xEkCCOC#HuO].zip\Bootstrapper V2.exe"1⤵
- Drops file in Windows directory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c copy Briefly Briefly.cmd & Briefly.cmd2⤵
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5b8880802fc2bb880a7a869faa01315b0
SHA151d1a3fa2c272f094515675d82150bfce08ee8d3
SHA256467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812
SHA512e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2
-
Filesize
152B
MD5ba6ef346187b40694d493da98d5da979
SHA1643c15bec043f8673943885199bb06cd1652ee37
SHA256d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73
SHA5122e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c
-
Filesize
648B
MD54add753758d2a04b4b825796cefe4440
SHA171fa970a9ab660db4122dc34180b3ec46f62fb81
SHA2564db8951ca8d65ca16fa4b9145c58044a94e55e542f832dbff6b36a802f736df8
SHA5122cc2a02905c3095f23f46d23d8d9cb4be1599bffabc782bc591f0cb0c81ec729f90e3d985e266732a63094f146f712ee6b4ee7a3b57d17bce2b31b13e25c0961
-
Filesize
1KB
MD51e42fea4b6908de19a2dcc638c6d8c05
SHA1cb6eca7f1f4fbd8a0525f1341b0025d19b1fda78
SHA256cc0f9b695adaf34d3d1dc8f1fd68d7b47d997d8553c2f25d21c011242d28b2a2
SHA5128e0817f42ebd4c0529a915dacd545390be3a06ae1e1e4f24bc1cb06ef9229984b8a839cb36d696dc4ec4767b17a8ab9d0966a709512c4fe3cff6d2628b763df1
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
6KB
MD55349365286b75490d44756604668de7f
SHA15b9d23bea8a90510d878a02fb247b5492073abfa
SHA256ca008b93b088496ff6998ddcd9a27a96a26c3f95c3c48fc7894508cd30d9f463
SHA512744bb13e11e0d0e875f7923c74fc45ddb579b41935b8fd6112a840a28123188a02c52fe3cc407d1965631b8c7585ffc13568dd961e30a2d813b39e72fe4740cb
-
Filesize
5KB
MD5da3bf5419dbccdd108c88b41286afd65
SHA1668eaae345b88df939971cae4e4878dc564077a8
SHA2569fdc2e8d5d1f0fb07569a2be9f8624aeed56d8a5244fc4467784712181754635
SHA5126f80cd8334ec7c9b70091f527c068ab12e3a082f01749c63d60c4d1b7507b95b1afbf8e03c954f611dbc60fa8b8805f4d00c7180a47220593faba6b263a54ba6
-
Filesize
6KB
MD5ce8f771b4627bf91a70bb3dd74d0fb1d
SHA1cd6ed69c53144fe252c85a61e27087be40a09a6e
SHA256aef78341f45a824fe044396ba6f387093f0cb6a5fb74e2e621ceb319609c9077
SHA5121364169e37dcfbe481141d9a58dc62b4b936289022085c1bbbc8711995c7be67bd68e483d251d7842e47b916fd7d31fb0500f2e73cfa6cca72dff3c8fb814a5b
-
Filesize
1KB
MD59c6771f0cc2256c8fb0cfac30ed5a8cd
SHA12c04cb6dedf3b4208e4382dbe09d081c6e70245b
SHA25642abea254dfaa0089638ba12b37eed5d57b88a79b2a4c5ec02e4d980ec1a0e8e
SHA512c5a679a3994a552a8577c0e4748647180104252de81c65f124d132ec2a9aa48b403fa070cfd575eea37c244edf0a0cd3354000c491df450cc7a4447b70ad93b3
-
Filesize
869B
MD5443cac382b6f6dd0eb2dc868806d92eb
SHA11fad79f01ee25f9216b8cbd5ab27a3beb9103725
SHA256d558b2b71c527fa612416322873e22406dbed20c71c68cc235635fb04640727f
SHA512c9fbd3e41888c415f3dfe177342f508e506a7a847dd87dd47a31c55245df448c414cb7987a31ddd3533c0ccc2d144c74ebae4a9885a9eac3a352953bbb2e33ca
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
10KB
MD51d4f2b9cd036c6ed4312fb1a8b77368a
SHA164ef5297d3d1ad0d9333b7bbc8aff9fb2fd92dbf
SHA25606631645745bf65d7b95238849cfa3071d66b3d2fa0b964130432ddc609ee01c
SHA5122402b5142a3b88257b863eab3b112648d1ff282e4e12800841079413283616a0c8d22e2e2494a9246ddccbd7adda1a905304b7441e217801cd723ba41b324503
-
Filesize
10KB
MD566afdd8734b9223c13264480afbf514a
SHA1deabe9ddfb55a0d2fd8ede7d18264c47940a6697
SHA256764cb108df2ef0ba7baf2b4335e3e36e03e9f90118b9b6a031ee91c7f613db0f
SHA5128a6fc029a38ef8de7a06e73c3dffbbf4d12fa124b9bef0cdd6af958a7461b3e35d94ec5379f1171e0ebc3fbb114463293e8a1a2401fb8908e35593e55987d91e
-
Filesize
1KB
MD5bc0c466ea461f70dc2bab92020f1e643
SHA1f17c66912508e95eac59bda2e773849600471a88
SHA256f3c6eb4b4f81b5e1aa458d46225dccd651a2d44d1367a14718b6bb76beec1de1
SHA512b1d03c359b8fcf46e7f07536004f7d11ab7bdd0cb044ca7bcfe63501428c4c93e43591e8367e5676478da8d554e4bd579cb6e37dc617f97f8a54a372361073c9
-
Filesize
925KB
MD562d09f076e6e0240548c2f837536a46a
SHA126bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA2561300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA51232de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f
-
Filesize
494KB
MD5549720d78c44a4ca96f98a02d7376be0
SHA1c18a7ddd59ea61df41acfac5544aadc72bb6acba
SHA25637204d5c24cd97f012e61ba6c4aab3f6bd8778237ecbec3080fa54bfa5dcaf67
SHA512392674f314a993f0eb2e22354a9922b006e28b01cb2abdf416a188e48b8fbbea8df93cb793cefd6e91259b7de71c502ac1e5c33273d94e1a3671ee1147cbdab4
-
Filesize
118KB
MD5539587208032af4b529a60d530f100a4
SHA1ef39ddfa82f53bde5a674e51318aa3ce9a8789b2
SHA256bcee5e27e34159419173575bf6e22e23f0dad46cf6fa6aa84a1bb01c96516662
SHA5124c261199485e6a40ce46147c98e244f1297446115ebd6c944a29e4242b361816980ccb6096286c8f9dbec00f13ea9fdfa417648980bf06721abc866630c5e53f
-
Filesize
55KB
MD5eaab0c7db38adca2364923dc1bb8bacf
SHA1182819623bdee90678ae233b8094d05e51d48d68
SHA2565a5c226453b9c7c7f7bdb980ad2a02838456f9420d182d14c7336f8264a894f0
SHA51253d2c6559e2d1e71b62f91444608f1e61a246433499b75d6e3193cfd645ac4af3c4e4e1359da02b522d1e121de31f51d0010d96e8ef435a92328cef69aba4910
-
Filesize
15KB
MD559051edf957c7f4fec5e278f07cfdaa9
SHA1409217185334c187412941583e5814753d3f670f
SHA25671cb36f1506fa645a90a6f06619b67c4f2f0e1e0140bac2e6f8a91ed1988446f
SHA512f1897fa7dcc38c845cc3862f1eb33d493ca6c09338a6a7817fac6e99a72ecd07001a84e1935eccddf58e163fd8396c3333fad4c365cd5c8ade281dbc84735aba
-
Filesize
102KB
MD5ac3b8c0b9d965801a696519bc3bce457
SHA1c2fb54f9d7ffbbea6e5db175ca214eccc0b8ee7c
SHA256fbc3b647efe255870931d9dfa77a43c7248a7d8613712bcf0663862a4e97fb66
SHA5120aeeb7d05c46063a892b3aae756bfb92f245aae66c2fcd4c34610a348ad0c0904addabb99d97ca0c9c3cba3df7e8e96500f084b840487a9ed2582d1badf638c6
-
Filesize
63KB
MD544a805a4e5ba191661485ef167275506
SHA145c2594c944f02e5260bd97a185c2f21ab232182
SHA256e394dccd197c59fa4e2da7146174485a6681946d34faa3007bd5c1419d7125e0
SHA512a3a8f7283ca0a0ae16b21f2b81b9cd48b953112c50e64b99daba378cd0e098108512566208365db4bb7b78355439f94bbcace6f5169091fab0202cf7d55f1952
-
Filesize
106KB
MD57cbcc0fbb084bead6d5bbb8a00cbb997
SHA175bfaaa5232ab2cf9f2291ee1ce08f2acb076ebb
SHA256e0a98926b1e0968481640078ac6b833af96773a7f715851634346379f282795d
SHA5126b33f8afe19a28e5b300e8a32c3ec98a0365fc1594c693c4527d9b0275f46f6558c50e29417499650d9c1ea7091ea7af340c4111b90af06c5ab4277170170c9a
-
Filesize
23KB
MD5bb009bb1ab11657dd763b3a85e90f26f
SHA132fb786e48105f1574e8d345e66d2b16fc051d6e
SHA256e7b3f1da61a207080f7859d12764b1243ce5c84beaf1a7f026b3d0da5f9dec4c
SHA512ac73396967c496b93f8d4084537a286b4d5fe1315b0fd5992b03cc019521c1c25bafcb9826f85af59495a01ec711a2ec789c43af5befa46557f99224d0ce92bc
-
Filesize
56KB
MD519f399e75e91c4917cce10422db7b0fb
SHA1145fb431681a91d64a77b0ca99ba31b4ed7457b9
SHA256bbe32640a1be9b9dc5570043a2c72bd3d1da1e3480e61e41a1dc8daa42b07bd7
SHA51225b85fe872e3e9fc5e70d3dfd1647a6bbf2919d67126bb9007dcc61aae549d64a9b79fd3c05bc996202b03630420ecb4eb5b5613d0a1adeab0d2670e6a5aff6f
-
Filesize
119KB
MD587cfc9cbddca81f037640e23869fd727
SHA1e71c0a8106944e238edba3b2d6194cf5cb383168
SHA256f648aed5047fa8e5b99ce81cf85f05f4cfb193b8b349e6e5656e5c6dd0917cb2
SHA5122a3c9bbdbd222f9328b1379de025bff3f8d2c693fe68558cdb24a516ee7c9ac6615a9d1d62e4682532f8567138e67e6c26b6c7068d87b00415fc915172928e4f
-
Filesize
75KB
MD5e9ed56e42470ceb7a46263c49b9d8110
SHA113794b6f705be789af214a4f81585dee3710512b
SHA256d97494026b70f37cabc0ac614f54206ae2c5a5ab601b71888ae6491241dc2b20
SHA512ca1c0f00a68267274e9d31f3a2de0fb34ccfce0a57d67ffe76633fe1a156c05f1381b0c696f75898fd8b370cb8a6e56174bdfb43729ab2668e444ee6748d8040
-
Filesize
1KB
MD5d2ac6356ed5ed3a32e46acb2f47d68f5
SHA1e41205fe32c1ed0cc4a265e942dd472a76a22592
SHA2566b6a43352b0b87107609d9c91992b30069200b308e5a2a50ed5a931315f82bdc
SHA51247bafca4c789c7fad4db0534a93b8c7b659abb999393425f58d9b28ba553be1cc45b9001da1d5820e65b107034f48cd441c6855c7d7fc08117985d81054394a0
-
Filesize
81KB
MD535ee0a5fee1964bd57f2c66347d726df
SHA1d37bb5ba2456a310891f93d8e9ae1ad196dabcf6
SHA2569b8ab89609b074479bc9fe749e12792c34ab4799ea7ea5ac67cdd3758a1c1181
SHA5122006b993a36599a56131d744ea750a3de3d5eeb629d111d751d552e86cf3a4ea1c7d9b9dbb727e77b65ec8684cf0f22476840aed73df15186041b087476c0689
-
Filesize
91KB
MD5478eae0d2d8bc46181226c275688315d
SHA1674d1c954b6ba8bc77ea6e112912b2fbde64fbeb
SHA256aae6d5fc0e80a6033d55b81e05db13c66604f5fe453f78440de3912a44c553c1
SHA5129833ef8d0d29cbf1b1738eefd4c175a169c770f70f2699bde703092e5102439c779e7474866534bba6b58f49d160a49be0750b686c171415191ddb10469eb26d
-
Filesize
478KB
MD5f5406ccecddc6c9bd30ed30343c756ab
SHA1080ebf3593ee3c272e7e4f7c98fee6d326da45f8
SHA256a46bd5c1472f8b655ace3314ca667d39b10d989b6f8ed17b6c753b8b947a6938
SHA512a25eba5ea58855e65c529b858399b1574ccbed89038e90d50170562eceb11efba4f16242d54ad3b5232edc11f3f61109bbafc4398124c1bb45e43693657b1e81
-
Filesize
68KB
MD5355fafaeefdaaa291b3f48356e24216c
SHA1c675a50bffcf18f357966ec51e0adaf05a25b86b
SHA256d3210c22706049ab7ca2304fd17507bfa4a842af579a00b60644e09178f9fddb
SHA512f2fb4e46b4d6b24cba584e51c6a43e8ed1174a5048a69bd61a6e24e2772f389e55c2f6384d1ffe7c6f44eab8a6fe059608e39a0a60ad30f06eb63589c723ab4d
-
Filesize
86KB
MD5fc6c4e0bdb11443834c6af5b2ff6e6bb
SHA13c4bf0970e36371844c9a27a041fd09cbf65cf56
SHA256445d2c74ae1ba5af2eba4cc4a4deeabbda1ef920e272ce9f54a7d9374eb23402
SHA5129588272669bf2ecf277c83c836be28d4757a21b033e9919747fc11a7767abaf5d3af002d3379626b65e537aaa8fd2e30113994353592bcee577f3fbdd02dea5a
-
Filesize
54KB
MD57b8c4652937f053027395d23ef6c5b93
SHA13e203439da403069184a56d40d00b51e8a03a2cf
SHA256733b3e2f49984688e345d1acb07d22c9d5e44742f572fd610c114c50c04c3024
SHA51267b5aac27923f00fa7e39cefb6adc6714845cc9e3db51aa2fe8c910e09f95b2fe46ddc901257afa63ede0988792ee6245089ea419bd257e53f05c926793de929
-
Filesize
58KB
MD5110f9b2d470e415d55f8a0d78ae1f8a1
SHA1eeb9c0bf82f9a797fceed7d9725221348f45dcf1
SHA256fbafdc9359e5294e8410d3862aee050c5cc03aec557bd83345bdca27981c0138
SHA5121a8bf9fe93ff1b8cff52191bae71fed8822f4d99dd59ee6420709d037e26a185695e819535c793ffbe849e63637725e9ebdf487b57bb8f1ec3b4852e93954551
-
Filesize
50KB
MD56f3b4f30afb0c2fc164daaee95348815
SHA1c59e8d78f11d5af9aca282d52752c0846292d5e6
SHA256987fdfe4cb214563ecd4ba6d1990284e485a7701c323c1564d9d4afd3554c890
SHA512ce51ba253dc008b82ae51ac797362f93515b1ef481d6189f596f74c1172379bfa4bb86aa713ea62520a11c24281047aaee0d203d48fa1f3dcdc5121fff385809
-
Filesize
137KB
MD50fffca2125ec2d790c02b2bcd12ec8aa
SHA155883ab44b36fa0efe4747e2653786fbda5b60a5
SHA2569dc03047dec2d31586916298828447b291b3eadae317bab07f8917e4bf4dde96
SHA51253d6bb959d2d5ad5b3be4dde2b6c877eee4ae65e411f095bad980fc6ee58f49437dc8503186d544ab60aa6824cd70e616bf79cc13b713e27c5f75640db8ed70f
-
Filesize
83KB
MD59a2d8d245f55c0918e6a7e8b9e22ed25
SHA1827ace99c5e1570e3ea912e67dcf7ef6851c3ee1
SHA256e252cd74c35df37627de02488911ecfc1d57320be7dec21a7de03ccb9664d84b
SHA512076fba85e84cb31486a947e31c39464e08faacdad7b26645699f39fbe6f3d6bc6a7b926f46909f227e9c78f2ce8d9c2af0871e057db10345504db2226a2272c1
-
Filesize
12.0MB
MD56e0f86bd8de38abfb21f5c2ed34d322e
SHA1278e8c98c707836522bb988919ac610155de344a
SHA256a8bd7db8fd786b347734747368791d8017120cf5858453b96417c4a4ff2c6765
SHA512655ec0a1d0723a23ae5c5732e6cfed2ad64e3581265a3c28ceb2fff4075fb9f062ff3c60437f4cf635540fa5b4918c99b43514ebc8bf157aca035528a1ff2ba5
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB
-
Filesize
364KB