lumma | d08d30643e05e82f6fa2d68925151643bd71f9ff42a31c08bbb33afc46cd346b

Analysis

max time kernel
39s
max time network
43s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26/01/2025, 12:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

80.0MB
MD5

ac2c6362493b6725826580ffc2c6530d
SHA1

5f834e6697ec5ec9ecd878d25d719acfafe84fdc
SHA256

d08d30643e05e82f6fa2d68925151643bd71f9ff42a31c08bbb33afc46cd346b
SHA512

b8e019078b9c1d074580ea6d7f595a5f4ce06fb5ba37ed17cbc8b1549ce85f34d6dd98ae5e68eb70cf6d801a6dd796d1fe13cb26912a2cf0519e7f6f7f7dfc0f
SSDEEP

24576:8uMKVkMPBB2n+mRSX43Q4C1EqTY34L8gQ6cHTwkpLob7Hb7j:mK+ow+m0XgqsoL8gsTwOO

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://leerborisup.shop/api

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
2128	Repeated.com

Loads dropped DLL 1 IoCs

pid	Process
2944	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1872	tasklist.exe
2420	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\UtilizeArrive	Setup.exe
File opened for modification	C:\Windows\VictorWebsite	Setup.exe
File opened for modification	C:\Windows\DannyDomestic	Setup.exe
File opened for modification	C:\Windows\FloatDay	Setup.exe
File opened for modification	C:\Windows\RoseUniv	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Repeated.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Repeated.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Repeated.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Repeated.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Repeated.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Repeated.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Repeated.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2128	Repeated.com
2128	Repeated.com
2128	Repeated.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1872	tasklist.exe
Token: SeDebugPrivilege	2420	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2128	Repeated.com
2128	Repeated.com
2128	Repeated.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2128	Repeated.com
2128	Repeated.com
2128	Repeated.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2944	2804	Setup.exe	30
PID 2804 wrote to memory of 2944	2804	Setup.exe	30
PID 2804 wrote to memory of 2944	2804	Setup.exe	30
PID 2804 wrote to memory of 2944	2804	Setup.exe	30
PID 2944 wrote to memory of 1872	2944	cmd.exe	32
PID 2944 wrote to memory of 1872	2944	cmd.exe	32
PID 2944 wrote to memory of 1872	2944	cmd.exe	32
PID 2944 wrote to memory of 1872	2944	cmd.exe	32
PID 2944 wrote to memory of 3024	2944	cmd.exe	33
PID 2944 wrote to memory of 3024	2944	cmd.exe	33
PID 2944 wrote to memory of 3024	2944	cmd.exe	33
PID 2944 wrote to memory of 3024	2944	cmd.exe	33
PID 2944 wrote to memory of 2420	2944	cmd.exe	35
PID 2944 wrote to memory of 2420	2944	cmd.exe	35
PID 2944 wrote to memory of 2420	2944	cmd.exe	35
PID 2944 wrote to memory of 2420	2944	cmd.exe	35
PID 2944 wrote to memory of 2512	2944	cmd.exe	36
PID 2944 wrote to memory of 2512	2944	cmd.exe	36
PID 2944 wrote to memory of 2512	2944	cmd.exe	36
PID 2944 wrote to memory of 2512	2944	cmd.exe	36
PID 2944 wrote to memory of 2488	2944	cmd.exe	37
PID 2944 wrote to memory of 2488	2944	cmd.exe	37
PID 2944 wrote to memory of 2488	2944	cmd.exe	37
PID 2944 wrote to memory of 2488	2944	cmd.exe	37
PID 2944 wrote to memory of 1812	2944	cmd.exe	38
PID 2944 wrote to memory of 1812	2944	cmd.exe	38
PID 2944 wrote to memory of 1812	2944	cmd.exe	38
PID 2944 wrote to memory of 1812	2944	cmd.exe	38
PID 2944 wrote to memory of 692	2944	cmd.exe	39
PID 2944 wrote to memory of 692	2944	cmd.exe	39
PID 2944 wrote to memory of 692	2944	cmd.exe	39
PID 2944 wrote to memory of 692	2944	cmd.exe	39
PID 2944 wrote to memory of 1668	2944	cmd.exe	40
PID 2944 wrote to memory of 1668	2944	cmd.exe	40
PID 2944 wrote to memory of 1668	2944	cmd.exe	40
PID 2944 wrote to memory of 1668	2944	cmd.exe	40
PID 2944 wrote to memory of 1720	2944	cmd.exe	41
PID 2944 wrote to memory of 1720	2944	cmd.exe	41
PID 2944 wrote to memory of 1720	2944	cmd.exe	41
PID 2944 wrote to memory of 1720	2944	cmd.exe	41
PID 2944 wrote to memory of 2128	2944	cmd.exe	42
PID 2944 wrote to memory of 2128	2944	cmd.exe	42
PID 2944 wrote to memory of 2128	2944	cmd.exe	42
PID 2944 wrote to memory of 2128	2944	cmd.exe	42
PID 2944 wrote to memory of 2052	2944	cmd.exe	43
PID 2944 wrote to memory of 2052	2944	cmd.exe	43
PID 2944 wrote to memory of 2052	2944	cmd.exe	43
PID 2944 wrote to memory of 2052	2944	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Britannica Britannica.cmd & Britannica.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1872
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3024
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2420
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 682033
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2488
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Personally
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1812
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Scenic" Sparc
    3⤵
    - System Location Discovery: System Language Discovery
    PID:692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 682033\Repeated.com + Varying + Thinkpad + Affects + Movement + Pdt + Aids + Posted + Ko + Hosted + Oxide + Resorts 682033\Repeated.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Businesses + ..\Von + ..\Bufing + ..\Aberdeen + ..\Packed + ..\Lucky + ..\Shooting + ..\Gnu E
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1720
- - C:\Users\Admin\AppData\Local\Temp\682033\Repeated.com
    Repeated.com E
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2128
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\682033\E

Filesize
524KB

MD5
b85bc2403155c6f94a9454b1f5071171

SHA1
8ff26a08e244c56ed912fa62ab45dc7dc3fdf4a4

SHA256
baa17663976080914e10a33f4e5d59a343a3329b66d07950cc4df1e494fa6a20

SHA512
715010cbdaa130eea22d237cc48e4ecd2a7ebf6bd36d22ed1ed893483d01556a8ab1f219fdcd3287c04002fbd26f0eacd84930edc131a5885348ef74bcfd6db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\682033\Repeated.com

Filesize
2KB

MD5
731e49d108cf403be15c825a34264c2f

SHA1
68482a691b4c35402561baa93364b2052b23110a

SHA256
1f8b2cdf67cc1cd9eb9feeea538cb8e9c5bdaed9ddd12f70f8a629980ed9d947

SHA512
0d7be3f724af73aff8ff4176feb53ea4f71601b02cdcfd6dfb3fb1db13e21a33f2c2e71b77a6eeb5e1b57ef2b762381711717ef37bb88d627d70eaf2ffa1df17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aberdeen

Filesize
64KB

MD5
642d212138ae304623e68959d4ca587b

SHA1
74f74f9f7e51555c0c706126d7db569c337d0e36

SHA256
77dc6b1f12263a205743161e4a68422ce74dcd120b55af7afe99b20b1205a76e

SHA512
79517676c80e455b40f8984e40c50347b00e07df829cf16a24254b868f1088ffc03cada9b0b89649483eb909062546c5c0a50e049892e820975ec6ea47b12d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Affects

Filesize
57KB

MD5
f38b4b1f8729a32e1acdbf5cdf6c5180

SHA1
60d653a40ece8c2a55e3b8b7f4e7084d35e2cdc0

SHA256
06d853ed6bbd11ca570a0b41c796a56724e466595f7358468d788f0d3ea668e6

SHA512
0cbb9942e696f2cc52fe0bca711e117d65c5ca7d2e21acce0c2e9ab3c7241c8749aeec30b451b71ca77e351fc23e43dfcb1c38d645b9ee73e2c56d13a7a7c8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Aids

Filesize
94KB

MD5
8a3e30acb1fc8f43209418533cbafb66

SHA1
4fa4707067a7f3d96d80094fdf1a16c055716474

SHA256
d1dfd0a5720c5be50abe4966b4b8d2c02c881bf031f8ea91f988ecd46b34bc92

SHA512
89bae179816abd2d14c67c94d0c3536f39b5f1044266d58fe21a977ebe3d330936ab9e8e3c997fab72caf5acc58b4df8885e9111ce2c837856cc13c92841a074

Download Submit
C:\Users\Admin\AppData\Local\Temp\Britannica

Filesize
27KB

MD5
18d8aac9d0d940f2929d0bc872498fb7

SHA1
db7390eb0b592064e6f8684c7363c00835fd3746

SHA256
2abe94f41f37d74563a2a92b167499f2dc99c7d5188e1e291a93ec6760840f57

SHA512
d12c29338a86389278a32b70dd08eb0fa5cb2c306edb3d98b89ea0107d9a73bd72d6642609bebe44b0398a99d1717eaa789f9e0a8752b4330c78906fda4dfcfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bufing

Filesize
59KB

MD5
a2801f28006be4d6d12f543e8f112150

SHA1
a8a4aeb1e72648a83977dad471862e485c5844f3

SHA256
17f6eb34ad949ab0815495afaf0e9f57f27289bab006785ac3ae23aba2206771

SHA512
5261eb63e6a57e40f6e43fd049ee687856d8dd59382cd3ec2d4dfb6d80a632ca19c22548fa2cb6fb8dd97dacebc2accf0f62c4e24695ba8c9ccf1e66e3ccca19

Download Submit
C:\Users\Admin\AppData\Local\Temp\Businesses

Filesize
93KB

MD5
c923967941043f3994e2bd5771334c6b

SHA1
f43e07c40a10ffe55cba5ddbf54a1d86a2f0514c

SHA256
18e6fcf3afa7fc79c3812c2687871fbcdde54e9b3debbac56c42be682e98871d

SHA512
df7ba0a418250c8fef79f23340dc700ca009610be97cc09119d06630dd02a5c787e4a1a2278ee82b51282320079945e550ae4c28e0d32f5c6fe47d52e42c061f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE5DE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gnu

Filesize
29KB

MD5
8e5b06b318d76c7d8afd9279b420ab7b

SHA1
64fa64ca6599533ec36c605e370d40c42d88ccc2

SHA256
4eda447f583ab6578188a3288081cb7c8e5a175f457d75c3bfd6b676c5c0cc3e

SHA512
32f0fe4026051fa1516404ccae55950c85db0ebd04f9d6d9738da31beebec946b9c5f6c4786d53bb49c0e7253dcfd25bb7809a229d1161e4e8e816629672d625

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hosted

Filesize
59KB

MD5
c5fd3d29c9e24e2719b246bc5a926bff

SHA1
8e864f8ce0a15d749cb8b1d3a3f16c61181b1b4a

SHA256
26735515917414cdb6179f6b3bfc3cddcf28ce772da0568f4baaf840155cc7b7

SHA512
9a3b6ac692e679a5096f3485c0a1581729ecc84e007fc4a5dd0e5121fd07968db73782c98b9c57469d3d5e64d50f44f1b311580586edd26de6e69d73b0283027

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ko

Filesize
134KB

MD5
3c9e987f99c019d3b0c0e3c85e1d29a8

SHA1
cbda584977d796c27edd8e4cb2d44562fd6cd87c

SHA256
e7087a6289afa041fa6297cd5d6e7b9d8f4821344caf9ddef1b02529bd0e5916

SHA512
c71110f2e22af23de84c8573e558f55a7143ade0c637df6f35db7172f03af38a14333aad99c2769132cf396114bafadf0aad9fc4e4b6317a209c265622265707

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lucky

Filesize
61KB

MD5
bda55ae69898b4b4d3e3679735f6d2ed

SHA1
8dceddea66dd3149ae4fac1d4925573362bc73f9

SHA256
958e1b43e105fb2013a7f07422d3828d06658d4bbb3988849e150280fc35281b

SHA512
c1c95a0b28c8cf39d617dc0d56984a0a96b5d55c0f9735d0a88e338a04ca15c35a5a639db77704a1b4d96055080343c5cbc3582d69fc54a16e6bed47e444dc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Movement

Filesize
82KB

MD5
fb1a0f72bb479aaac2c6c9c96c81c6a8

SHA1
bf7caa96533a2405fc1f7c2033d4d0b5d0221603

SHA256
54d2c0c30dc291104d044751c3e3beb1a541b444a3854269bbe6f189f2d8d8fe

SHA512
8a8c371ed6a5e571712ed96716950817df2461a96c0146e8786ff8c6ad0919374682b45c86068e20051aa832e0883673109102a89470e893d3eb1c1c525bab85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oxide

Filesize
57KB

MD5
5dbd6e6166fc9d312e55517a1a5675de

SHA1
1f553d25799507cf57837a9c048b466e920b7c1c

SHA256
386612bdbb3abaa5cbbeab62f0b1b31adcd524793d6ba030692d95e18a3172b9

SHA512
c48f63a66fc9c807e437ad087bff343a1c11c3ff46b65b0c3f64ad2b8a0494c78a3efa8c42412743e321502b200073ce8bdaeb9eab5a6ca7aef1feb909ebdb3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Packed

Filesize
81KB

MD5
dbe4338af98bb8f444f172d15b6ce7b8

SHA1
0b72236dbbe146d5b2c162a80b6e58a8c64b1186

SHA256
a968959b1a5b0c1aa7a1ac523ecad4d1635fbeac1daf3f0571e7474f9ec898f5

SHA512
a3e848b2ce05495a1f6334a8f4f3bc851d7753053446fcbabb5f7775069fa9a4734a8672d79455e40ab4307aa51ac38597a983f39bfd96efe94cbed98d83fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pdt

Filesize
119KB

MD5
e8b7b35496e5a5134ae1391c43f1c799

SHA1
54c886bdc89606aa8424c5f9994ffe0667660f91

SHA256
6e666b3fa6ca471455486ba3d007edab2b25d936b1e56a3d16a6b58615277113

SHA512
c79e0d33b2d9fffe58687633b8f34c63493e59802ff83067320617af7b5cd968d4234229fa0cdd6f2d3a4a3664342cd9be71bf7cb7fd1652551205362670b71a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Personally

Filesize
479KB

MD5
c8e02687dc529b4a2e747c38ba7b6bed

SHA1
9dc5e954b1004ff6ed4747b3710d21cff6c7140c

SHA256
379afbbab50cc701bbf454bbcaedbd013c4d7c2224d607bbf0ff58daa1e1ddd3

SHA512
329a9215457887accce9783a725a21991dc23e6ca7fd0babbec42a6f1b24dabc941df15d9ff66d7860a596a916aa90d324599e62249d85ab5b918943d8d14a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Posted

Filesize
88KB

MD5
2c80521c0a008cbf58ae81620a06eb8c

SHA1
825568cd71fd765316b78327dde444689a08936d

SHA256
03ba34c7f1389cd55ccb3d4f157753a9dd5f6c7723b62abd0628ed93b5146eda

SHA512
fb6c2d62ea5a831e2211eaa287a88331dd908adf8aeeaae88e669c33043775b6c393e5fceb3ce4853d91cd5094eff9766ce6223a19fba769130aa8edb7fe4b38

Download Submit
C:\Users\Admin\AppData\Local\Temp\Resorts

Filesize
28KB

MD5
42a4a3eb6bf0fe45f9eb76d39f112b0f

SHA1
e7e57d012583f62a399d09212ad3402802a9e04f

SHA256
3f584ddc29d766f34f0aa1ae558d8afc9b3ffa5da3e4a6ab0f9987b4c217c9e7

SHA512
f9473c107c8d1bfc67862924baf826e235e8619aa4b3224655fe5568338e6961c107acd8aa327ae574cbeedcee63ec0f08c4eabe1665f8297137dc2935485ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shooting

Filesize
64KB

MD5
9206c9d73a1459a7381ecbe90328088a

SHA1
3e164243c25045c8935a2e73f99a683194c1443f

SHA256
03fbfb0ea68c127a7f07f6bbe4ea26e02d628dfd0aef60fbc16f26d215df3297

SHA512
eb4254c10816caab0bfe7e8f7d1bccf4b38b260c987d88cd23338c2f68de1af9f7799aa58db6701306db67795f68634862a0df8686e373df990a2f0a479e3908

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sparc

Filesize
2KB

MD5
c746522d8e73120e487f7a0f5f27648e

SHA1
69c5acf17a29a5868beeac96019019017590f418

SHA256
0489155e8a1c76032594a50310f1d07841d410bd0ace42e7d3c7130ee98c3289

SHA512
ff86871483eceee1a1fd61ad11ba886b7b821d22ad31ed09c00c8bdf49215f8a80f418a9e0f293a4a59f01313c0f37e0935305f8724d885b4ac07e7d16b0e6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE64F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thinkpad

Filesize
139KB

MD5
2e23b94d25dd616fc566ff65dc7b544d

SHA1
4af7320c03282528dd0d47a12feee439636fc68b

SHA256
80332ea4daf136a8222e246e796b6a3153d6b78d80cd71d2a29672df53d593c1

SHA512
61e52d92f45c85e014c7394f053eb59c406a6f2b82f71a343abfebaf305773071b924af1af054d60d3500e0c4b7f52872858a07dadfaa0cbf783d4cbe7423cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Varying

Filesize
65KB

MD5
2afc74f33340fd06366faab37ed63b0f

SHA1
479cc7463886a172e0603f3116d83d87ef443309

SHA256
a05d3b0d74f344dbd2065c6c93acf66614df045f79428099d80f0066b0f7cf9a

SHA512
b7eb7e9e10807c421e8e2097f71d7e26d945f622a1f3b62cae65629557fdc9ee334400e98de54db3d216b8588908a2d66af18a1d1afab546f7ce161b93e87dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Von

Filesize
73KB

MD5
6d8e93859e921996d971666302c19e28

SHA1
833ac7be5c03b3aaaa337fe7ca91b129f6a75472

SHA256
90e4c3fdc2a50464c0c75cb6986326f9e50900ceeb40ccaf9b506d6d79afa282

SHA512
60031416a33e03d2682bdd35bcf5d43393de32ead0dc0b0d34e7209850b2d2b4adbf6d7e956834190fec1518ef87d4014c97357530cace7d0e839d2c9cea05dd

Download Submit
\Users\Admin\AppData\Local\Temp\682033\Repeated.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/2128-682-0x00000000038B0000-0x000000000390F000-memory.dmp

Filesize
380KB

Download
memory/2128-686-0x00000000038B0000-0x000000000390F000-memory.dmp

Filesize
380KB

Download
memory/2128-685-0x00000000038B0000-0x000000000390F000-memory.dmp

Filesize
380KB

Download
memory/2128-683-0x00000000038B0000-0x000000000390F000-memory.dmp

Filesize
380KB

Download
memory/2128-684-0x00000000038B0000-0x000000000390F000-memory.dmp

Filesize
380KB

Download