lumma | 9dbe47354cb359eb6d95d8715bad32073e34a6967813ebb44a9f4b2d2d240987

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240903-es
resource tags

arch:x64arch:x86image:win7-20240903-eslocale:es-esos:windows7-x64systemwindows
submitted
29/01/2025, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
Size

763.3MB
MD5

9686bb5cdd748b208016c2339d4521a7
SHA1

a281343f996125606f454eb45b2c176977200bec
SHA256

6870274af78654a78c6587586255c288a802a44ed62d1fc9dd92959cf629ab67
SHA512

ecdeda34707ee004547b30cf546a7f41aa6701ed847f371d656913677eec9f2a9f9a8f7987775d990f91d957020c7461c54b5a91d14ef3faed3aa4d77c10ab5f
SSDEEP

196608:pb0fAErblQwA7oXuX5TZYr94wRwSXYPi/5q:F04Ec7oXupq4vSXci/5

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 1 IoCs

pid	Process
3032	Fabric.com

Loads dropped DLL 1 IoCs

pid	Process
2544	cmd.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
1132	tasklist.exe
2000	tasklist.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CompatibilitySquirt	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
File opened for modification	C:\Windows\TempWarner	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
File opened for modification	C:\Windows\SaintConvenience	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
File opened for modification	C:\Windows\HoldsDg	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
File opened for modification	C:\Windows\AppsBuilding	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fabric.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fabric.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Fabric.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	Fabric.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fabric.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	Fabric.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Fabric.com

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3032	Fabric.com
3032	Fabric.com
3032	Fabric.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1132	tasklist.exe
Token: SeDebugPrivilege	2000	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3032	Fabric.com
3032	Fabric.com
3032	Fabric.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3032	Fabric.com
3032	Fabric.com
3032	Fabric.com

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 880 wrote to memory of 2544	880	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe	28
PID 880 wrote to memory of 2544	880	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe	28
PID 880 wrote to memory of 2544	880	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe	28
PID 880 wrote to memory of 2544	880	greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe	28
PID 2544 wrote to memory of 1132	2544	cmd.exe	30
PID 2544 wrote to memory of 1132	2544	cmd.exe	30
PID 2544 wrote to memory of 1132	2544	cmd.exe	30
PID 2544 wrote to memory of 1132	2544	cmd.exe	30
PID 2544 wrote to memory of 2296	2544	cmd.exe	31
PID 2544 wrote to memory of 2296	2544	cmd.exe	31
PID 2544 wrote to memory of 2296	2544	cmd.exe	31
PID 2544 wrote to memory of 2296	2544	cmd.exe	31
PID 2544 wrote to memory of 2000	2544	cmd.exe	33
PID 2544 wrote to memory of 2000	2544	cmd.exe	33
PID 2544 wrote to memory of 2000	2544	cmd.exe	33
PID 2544 wrote to memory of 2000	2544	cmd.exe	33
PID 2544 wrote to memory of 1660	2544	cmd.exe	34
PID 2544 wrote to memory of 1660	2544	cmd.exe	34
PID 2544 wrote to memory of 1660	2544	cmd.exe	34
PID 2544 wrote to memory of 1660	2544	cmd.exe	34
PID 2544 wrote to memory of 1344	2544	cmd.exe	35
PID 2544 wrote to memory of 1344	2544	cmd.exe	35
PID 2544 wrote to memory of 1344	2544	cmd.exe	35
PID 2544 wrote to memory of 1344	2544	cmd.exe	35
PID 2544 wrote to memory of 2740	2544	cmd.exe	36
PID 2544 wrote to memory of 2740	2544	cmd.exe	36
PID 2544 wrote to memory of 2740	2544	cmd.exe	36
PID 2544 wrote to memory of 2740	2544	cmd.exe	36
PID 2544 wrote to memory of 376	2544	cmd.exe	37
PID 2544 wrote to memory of 376	2544	cmd.exe	37
PID 2544 wrote to memory of 376	2544	cmd.exe	37
PID 2544 wrote to memory of 376	2544	cmd.exe	37
PID 2544 wrote to memory of 3040	2544	cmd.exe	38
PID 2544 wrote to memory of 3040	2544	cmd.exe	38
PID 2544 wrote to memory of 3040	2544	cmd.exe	38
PID 2544 wrote to memory of 3040	2544	cmd.exe	38
PID 2544 wrote to memory of 1108	2544	cmd.exe	39
PID 2544 wrote to memory of 1108	2544	cmd.exe	39
PID 2544 wrote to memory of 1108	2544	cmd.exe	39
PID 2544 wrote to memory of 1108	2544	cmd.exe	39
PID 2544 wrote to memory of 3032	2544	cmd.exe	40
PID 2544 wrote to memory of 3032	2544	cmd.exe	40
PID 2544 wrote to memory of 3032	2544	cmd.exe	40
PID 2544 wrote to memory of 3032	2544	cmd.exe	40
PID 2544 wrote to memory of 2816	2544	cmd.exe	41
PID 2544 wrote to memory of 2816	2544	cmd.exe	41
PID 2544 wrote to memory of 2816	2544	cmd.exe	41
PID 2544 wrote to memory of 2816	2544	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe
"C:\Users\Admin\AppData\Local\Temp\greeting_card_factory_deluxe_v11.0.0.6_pre-cracked.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Direction Direction.cmd & Direction.cmd
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2296
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2000
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1660
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 694589
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1344
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Put
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Architects" Latino
    3⤵
    - System Location Discovery: System Language Discovery
    PID:376
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 694589\Fabric.com + Brilliant + Transexuales + Scratch + Sf + Duplicate + Horses + Argue + Particle + Homeland + Bracelets + Nuts 694589\Fabric.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Suspended + ..\Rising + ..\Dear + ..\Folk + ..\Columbus + ..\Broad + ..\Silver n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1108
- - C:\Users\Admin\AppData\Local\Temp\694589\Fabric.com
    Fabric.com n
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3032
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\694589\Fabric.com

Filesize
1KB

MD5
8a7849df216ab82e8eb45b9e53568d29

SHA1
a5d072d9fc283995bee4ab6d9bd9577790a4ee8d

SHA256
8617a217c0209ebe1a4c8a344644d73f33263464ef1c105aafb28bec221147a9

SHA512
e23d96a687f83a79a4290443edfec95ac450be7a003e58e63e82bf6450ed1a9f2b1f75b7e3a7eb19cbf5897da710fb01f6c249dcd49a04a7321dc5dd7527b526

Download Submit
C:\Users\Admin\AppData\Local\Temp\694589\n

Filesize
520KB

MD5
4a07e08c7d0396aec34085bfa63f0837

SHA1
b9d5fd4409cc66f7d95fac710a7b1e97ef5db15f

SHA256
b1887fff2700cd61c3bb6e911058d50897d41117ea87ca311b8fbd48dff65ea8

SHA512
e4af8a51eb270ab46ea3265fb85b8713c082b14b83cf1b9b96ad830a531761841e9b205df099fe36a9ab111d8e7f1e6b376957258a65f5fddcfe1bef8ee8345d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Argue

Filesize
100KB

MD5
d7603a6ca1a6034e562d651f4fae9945

SHA1
961a743b99136d9fc9fc0ca3be4e052f84356334

SHA256
07f4e05487207ca78b9b1ca59e483e7bbf2e12ad2cabde1eb6bf889bb159005c

SHA512
29f583f71d0518cd1963528f0129deaa9ba6322d8839ba8a721a99345214f767add3de90946c21d1d6281d476dd08024013abd81dd1a81c44bebfd66a51d9922

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bracelets

Filesize
59KB

MD5
0b4aed07dfad6437affaadb2fceb134f

SHA1
d4503e464d103049a2946b9c5da625c56a12f80c

SHA256
dfd1d788c8b1e0a4770d46b346668c9f925f6e036578190f441d4cdc44f0338a

SHA512
4e6e83d74458587e98687a2bc884fe97ca17fcd0126c2f72cef27529e4d496dd02a5e5bba0dedafea468ce904b065e6c02c7eb674e81f1ad8d46b8edf645a96b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Brilliant

Filesize
139KB

MD5
529ae6fc47d3d26a5846de289e36af85

SHA1
6b3355e56912c16320b9a8eddb3dd6467ac39c77

SHA256
6b0c136bc793c4eb74eafd0841230fb30a31bdc369422f1dbde69e8fdbf40973

SHA512
6c4d92939b7a621b9499b472ba65e85ad658e54c72b74f10338157bf713c61ed085d0b4d7a0a7234d8a7b0dec0bea4f4ab1c48c1e2a0977788e88638b350c538

Download Submit
C:\Users\Admin\AppData\Local\Temp\Broad

Filesize
93KB

MD5
c144a7dfe9d3b651678d7543a5827922

SHA1
3844d570bc9df06153026b03c81109795cdb080c

SHA256
5026a960eba425937a84946d2ed20d6650bea4a40061b1855d6c3accd58cfd38

SHA512
614a3eaa2397819f2df2bedceb2b106a37313f8a8c44f99fb5827e81358496396f92ace511585b4d32a12ef31774501ad053f6b73eb42adce4f43bd5eb63b786

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9ABB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Columbus

Filesize
62KB

MD5
42dd904478b3fecf9afabbcddbb78744

SHA1
eb598fb8fb16720e727f73a412d2377c71ac8c01

SHA256
ade585086038b8dc3fb2b13d9221356debdc0da675b9c6650ce36b64f51dbe5f

SHA512
ccc7b315b3087ea7be399ef36af034846858c44f04974f59088bab1beaed78ef0ab09ddfc9a84701fce42b927596cff9b20625768d75fa35fb2b882203d6674e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dear

Filesize
52KB

MD5
57dd8effe533399c373b44aa66b5bda5

SHA1
c74fcca4a10a474aca36d5552a10d06a426f402f

SHA256
572e799356445a469831dc92a9390d876e2c166941183e5a494a34f51d919f24

SHA512
357e2fe5956605bb90cfb17033dda51a243bf673fccfdbcdf44218a579fc618e2f5ffd5ea5cfb776e1be9d90c27d541aad3a876e72e232629b4d69bc9a9cac5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Direction

Filesize
26KB

MD5
ec648933f140ea613686562589a29e64

SHA1
6963ef80888c951bd3f5737789c21c3de72f3034

SHA256
078e988bc95fd95605ff2c4c6a6808488d5707fd72fb60c7cb44ac4d2f5ae7fb

SHA512
382fea9a027d95404159e59da3b3e21f900586f147d2a6b4931787b354ebcd8952e20242d4b56edd05e54abdf752c57b614d16f4ef4f3a6efa10f6b83256c976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Duplicate

Filesize
92KB

MD5
d64501ca9b7c3e1da452532129401565

SHA1
29b8669f4a45d38945516fb612150187dfc293f1

SHA256
f28fbf8862f2f8dc090cbf86bd5e052dabafc704ba13a06cd1f18cf3e505ba20

SHA512
d2804bc753350892b2f83b07644c78b7df1e9700985e3477a97917488e10ed989d852959523ecab17709391e5941434e8472e28ef3d8855040a62af13c3f13e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folk

Filesize
87KB

MD5
fdd64263426f2e4ab90fb66debd1fd3d

SHA1
eac31a76f1a8e8d7a5a36c078626e54b3f03d666

SHA256
7e55be46781b6b276d3359d3b7dcd6bc0965ffca5c16cbafa1d6e2b6547a075b

SHA512
2263e32df54b7afc75be9cdbc24c1d630bf0b9edf14152896b7758c8e40215a783538c9f961aec138607a050ae9bf2dfc45da20d6c86a258114f62178a312e13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Homeland

Filesize
75KB

MD5
bf1f586d34e5ce392ce4d4f2ee3f4e93

SHA1
887c235c737264d55c668fc56f2180fb5e6c9414

SHA256
f6f24c38a4751fb736a34dc6a04aaf0c3288ee9bbbebba7afc61b89b39a2b8a0

SHA512
dc5b3ccbbccf290f632ce81564ba540670f3f04a58a548f59a335d1898f08f35ce901ef1fa71ec2c7e057f01b1bbc42b8776d7708a147b71373ee974d446ddc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Horses

Filesize
85KB

MD5
068e45f3c32e3636e1e91fa9a80a783a

SHA1
67cb54c099c4044f02f0a6d3950c8df64431b395

SHA256
a51ad481ec9238edd2ce6a8dd82c9bb17dfe29cf0e31d4ca83f6783e363c2974

SHA512
d6e394d26dde1bf89b05c6711da3c2f6802f34ef2e639cc1ee3d8c1da101f32b12597ff192a9c89ae1effcb2738a4b2added5ed2c3e11e297dde2eab5527978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Latino

Filesize
1KB

MD5
b5d39043c6c1d80ecdc27c809eee2dff

SHA1
521ff3812fd2f9c82e4d2b7c13b2a2f8a7bb68a7

SHA256
a21287a82fae905e0cfe4fcb89b1fd4400ae85ba8f218cc5b415cd1b63f9bcb9

SHA512
d58cfed42d99514f575403ac6dfa44cb1b13f4cd72130c5e59348d13c24b6076f05d743f39a7c5fef3a8639ad85b67bb7f1951ff8e9112dd10cc3ef546a4ff51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nuts

Filesize
23KB

MD5
65e3a68193219ec9a1e4168fd4ca9361

SHA1
08a4c9b228774528e10a689dc12dc32e06eef5e5

SHA256
400dd7ddc85b35786d88ad119855ab9da000c9316b07e97e2878859500848fb0

SHA512
64ec97754e36f1163bc5e1efa3ccc2cf2c4dcbaa10de5d9040c0686ca78cde42bd1701321bf65659b1d517c3d32f990a99a7a48fa1995bc67aea6b5bed89e3c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Particle

Filesize
114KB

MD5
23e75c293858efa69a20c0307af577e7

SHA1
8fd67d4ac656b2cbed307623bb8f8f0d08a020b4

SHA256
8aa20c58bf23b6b99ee13307d5e00a11169a8625d9edf78ee7f71aa2d33d0cab

SHA512
9f6a46b29ab1777c5a8cfa260fcd0f232952ecbbd12da549710c1f07910fc861829611b66cb2d184ec9117f7e3f24d1f5a1f93657ff39bea107e573739500692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Put

Filesize
478KB

MD5
09149115d2834c6cfaeeef7ef171b280

SHA1
48bcb113b1d58448b2b0445f85f6cfe863463493

SHA256
1c3f427dcd1bd37f0b2fbd250e39de371ba7026d1f6b12b882d551ea8299c324

SHA512
637631cc7bcb5b4f1343d6df843b2a3408b5631f6910de32dd7b469c7dc4d10ab1aa3a0c533750a9f8969af10d725bea2bca34313e92823cbdb93088ebefd812

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rising

Filesize
88KB

MD5
b5ee07ee294beb4593662a94a74bb136

SHA1
70d1758bbab8e107fc66466148508e19de7f7383

SHA256
8b4eb7f079e2dbc09a10f6a2e54dff345e2eab24d1c38dcd9abf3e95484beb98

SHA512
8810a82ff29d49c838f56583d6f11f1bd5e88f12cb3ef28df71ffbc3c5c356ecafd25bc4a5aaaf14cc2e0d3cf586e25434d36c4f4face84dfe51005dbfba6582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Scratch

Filesize
100KB

MD5
1af0696fffcccaef80856f3dcd034381

SHA1
d35f690cf40afa878f884ab066cea11511583bd0

SHA256
b8c3ca4e0c61981883776fa3ddd27244b1338f275da36fb517d97c7c4a3c77e7

SHA512
d99e1c27471e94c73948654bfe894fc899eee27b85ea7b8effd2e01960dda5c6a47a6ce2756c7696dbc53ccaa085f26ed9bf19f9146e04d7305ac38ace931e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sf

Filesize
82KB

MD5
7d72a511d7f0ed2aaba151d535be6e8b

SHA1
e46b93f30a01e302a719ac69968f3f7f393064bf

SHA256
0fcc9d703da577f04ebf57c2c62d2133153ffeddca08f28f13a8e5b165f7310d

SHA512
0b23a161f09e3c0762d190f80456a7c3e6745cce94f3b60cab3cc041b2f1fae657db345059cce57571aa5cc6d3f0817014c1435886bdec92e1936504c0996244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Silver

Filesize
87KB

MD5
99888cb66813ea983806e57e47951e1c

SHA1
c5d507fc3de7ab04bb9bac435c2a8070202cef53

SHA256
d81815f94875bac6b0ada91617b25f99f7c019e817c2b9a7ecf13c621e4766e0

SHA512
e4cc46b1c1d1c59b71e654ceec657d976c4b0ba2e328f0ba51eef6ec20272b1974718a8ca5be06ea8adbc9a0bed59ca6438b505b7d8f9139c25ba4673bdb5dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Suspended

Filesize
51KB

MD5
3a6ec49290b7cd2749e9be78ce07d2ce

SHA1
0eeb1ea538b24d63ae5b7a78dc98c2d8aacee376

SHA256
cf704a55cea44662813da1522e1f07368ff7e14f71eaf62f0bf6cb40b310cacf

SHA512
59759930df60df48e2d6123affdfa8c4779f46cede2d31e7f66edae3fd6ed0356c53cb019a799d87d0cc3fc0a9e9a52debdbd2e087e7f09c898e0afc5bfead7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9ADE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Transexuales

Filesize
54KB

MD5
eca2b4c8225920585c1b1215b090356b

SHA1
60d95858863f9b9f74cfb26d4fe1ca6c8a79c67c

SHA256
c028bd74018893766bf20d594c7bfe10dde66da02e1af4f355a954024fa5578f

SHA512
999e16a8299098631d5d5c580dc8abd448d1283793456229cc9b33a2916334b61f8d6630185ceff38881a666ff3993107171a18638e8bd9b90a0d4c858582137

Download Submit
\Users\Admin\AppData\Local\Temp\694589\Fabric.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
memory/3032-673-0x00000000038C0000-0x000000000391F000-memory.dmp

Filesize
380KB

Download
memory/3032-672-0x00000000038C0000-0x000000000391F000-memory.dmp

Filesize
380KB

Download
memory/3032-674-0x00000000038C0000-0x000000000391F000-memory.dmp

Filesize
380KB

Download
memory/3032-675-0x00000000038C0000-0x000000000391F000-memory.dmp

Filesize
380KB

Download
memory/3032-676-0x00000000038C0000-0x000000000391F000-memory.dmp

Filesize
380KB

Download