lumma | 1c9140a0d2304adf5a9473b4d0d85e7dad564dbb1cfac21de272a93d214c8245

Resubmissions

08/03/2025, 15:37

250308-s2xtrsyrz3 10

08/03/2025, 08:36

250308-khk2vstyfx 10

Analysis

max time kernel
432s
max time network
450s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
08/03/2025, 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀.zip
Size

43.4MB
MD5

e3f02a42327b0d91c6d82869825dfccf
SHA1

fe7fa671b244d692eabc181d6ea5960031fa6466
SHA256

1c9140a0d2304adf5a9473b4d0d85e7dad564dbb1cfac21de272a93d214c8245
SHA512

a0f04836bcb272598453707bd7c45344985eebaf11d879bd3ab03d584a29cbb7d72305ae91c0912fe1d7e600e970f26ac648532d6690396a7bf47216cc9a424f
SSDEEP

786432:g5FQV7tUfYmV/AQTPdUy6F6hgxMLO2ZlA/jcG3mcM/68O0OkU6w7Lv:6QnUfFddUy1uxMLO2ZlA/jcGWv/6Byq3

Score

10^/10

lumma cryptone discovery packer spyware stealer

Malware Config

Extracted

Family

lumma

https://tonedanswered.today/api

https://begindecafer.world/api

https://garagedrootz.top/api

https://modelshiverd.icu/api

https://arisechairedd.shop/api

https://catterjur.run/api

https://orangemyther.live/api

https://fostinjec.today/api

https://sterpickced.digital/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

CryptOne packer 1 IoCs

Detects CryptOne packer defined in NCC blogpost.

cryptone packer

resource	yara_rule
behavioral1/files/0x0002000000025c07-22.dat	cryptone

Executes dropped EXE 4 IoCs

pid	Process
920	Xeno.exe
852	Elite.com
2992	Xeno.exe
3460	Elite.com

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2568	tasklist.exe
2852	tasklist.exe
4824	tasklist.exe
3456	tasklist.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\OpinionDeleted	Xeno.exe
File opened for modification	C:\Windows\DairyPropose	Xeno.exe
File opened for modification	C:\Windows\DaddyPottery	Xeno.exe
File opened for modification	C:\Windows\JimFujitsu	Xeno.exe
File opened for modification	C:\Windows\OpinionDeleted	Xeno.exe
File opened for modification	C:\Windows\DairyPropose	Xeno.exe
File opened for modification	C:\Windows\DaddyPottery	Xeno.exe
File opened for modification	C:\Windows\RecruitmentOaks	Xeno.exe
File opened for modification	C:\Windows\RecruitmentOaks	Xeno.exe
File opened for modification	C:\Windows\InterestingWalter	Xeno.exe
File opened for modification	C:\Windows\InterestingWalter	Xeno.exe
File opened for modification	C:\Windows\JimFujitsu	Xeno.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xeno.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elite.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Elite.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
852	Elite.com
852	Elite.com
852	Elite.com
852	Elite.com
852	Elite.com
852	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com
852	Elite.com
852	Elite.com
852	Elite.com
852	Elite.com

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeRestorePrivilege	3084	7zG.exe
Token: 35	3084	7zG.exe
Token: SeSecurityPrivilege	3084	7zG.exe
Token: SeSecurityPrivilege	3084	7zG.exe
Token: SeRestorePrivilege	4732	7zG.exe
Token: 35	4732	7zG.exe
Token: SeSecurityPrivilege	4732	7zG.exe
Token: SeSecurityPrivilege	4732	7zG.exe
Token: SeDebugPrivilege	2568	tasklist.exe
Token: SeDebugPrivilege	2852	tasklist.exe
Token: SeDebugPrivilege	4824	tasklist.exe
Token: SeDebugPrivilege	3456	tasklist.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3084	7zG.exe
4732	7zG.exe
852	Elite.com
852	Elite.com
852	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
852	Elite.com
852	Elite.com
852	Elite.com
3460	Elite.com
3460	Elite.com
3460	Elite.com

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3164	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 920 wrote to memory of 3152	920	Xeno.exe	93
PID 920 wrote to memory of 3152	920	Xeno.exe	93
PID 920 wrote to memory of 3152	920	Xeno.exe	93
PID 3152 wrote to memory of 3120	3152	cmd.exe	95
PID 3152 wrote to memory of 3120	3152	cmd.exe	95
PID 3152 wrote to memory of 3120	3152	cmd.exe	95
PID 3152 wrote to memory of 2568	3152	cmd.exe	96
PID 3152 wrote to memory of 2568	3152	cmd.exe	96
PID 3152 wrote to memory of 2568	3152	cmd.exe	96
PID 3152 wrote to memory of 4532	3152	cmd.exe	97
PID 3152 wrote to memory of 4532	3152	cmd.exe	97
PID 3152 wrote to memory of 4532	3152	cmd.exe	97
PID 3152 wrote to memory of 2852	3152	cmd.exe	99
PID 3152 wrote to memory of 2852	3152	cmd.exe	99
PID 3152 wrote to memory of 2852	3152	cmd.exe	99
PID 3152 wrote to memory of 3188	3152	cmd.exe	100
PID 3152 wrote to memory of 3188	3152	cmd.exe	100
PID 3152 wrote to memory of 3188	3152	cmd.exe	100
PID 3152 wrote to memory of 4816	3152	cmd.exe	101
PID 3152 wrote to memory of 4816	3152	cmd.exe	101
PID 3152 wrote to memory of 4816	3152	cmd.exe	101
PID 3152 wrote to memory of 3340	3152	cmd.exe	102
PID 3152 wrote to memory of 3340	3152	cmd.exe	102
PID 3152 wrote to memory of 3340	3152	cmd.exe	102
PID 3152 wrote to memory of 4784	3152	cmd.exe	103
PID 3152 wrote to memory of 4784	3152	cmd.exe	103
PID 3152 wrote to memory of 4784	3152	cmd.exe	103
PID 3152 wrote to memory of 1148	3152	cmd.exe	104
PID 3152 wrote to memory of 1148	3152	cmd.exe	104
PID 3152 wrote to memory of 1148	3152	cmd.exe	104
PID 3152 wrote to memory of 4292	3152	cmd.exe	105
PID 3152 wrote to memory of 4292	3152	cmd.exe	105
PID 3152 wrote to memory of 4292	3152	cmd.exe	105
PID 3152 wrote to memory of 852	3152	cmd.exe	106
PID 3152 wrote to memory of 852	3152	cmd.exe	106
PID 3152 wrote to memory of 852	3152	cmd.exe	106
PID 3152 wrote to memory of 876	3152	cmd.exe	107
PID 3152 wrote to memory of 876	3152	cmd.exe	107
PID 3152 wrote to memory of 876	3152	cmd.exe	107
PID 2992 wrote to memory of 1880	2992	Xeno.exe	109
PID 2992 wrote to memory of 1880	2992	Xeno.exe	109
PID 2992 wrote to memory of 1880	2992	Xeno.exe	109
PID 1880 wrote to memory of 1336	1880	cmd.exe	111
PID 1880 wrote to memory of 1336	1880	cmd.exe	111
PID 1880 wrote to memory of 1336	1880	cmd.exe	111
PID 1880 wrote to memory of 4824	1880	cmd.exe	112
PID 1880 wrote to memory of 4824	1880	cmd.exe	112
PID 1880 wrote to memory of 4824	1880	cmd.exe	112
PID 1880 wrote to memory of 388	1880	cmd.exe	113
PID 1880 wrote to memory of 388	1880	cmd.exe	113
PID 1880 wrote to memory of 388	1880	cmd.exe	113
PID 1880 wrote to memory of 3456	1880	cmd.exe	114
PID 1880 wrote to memory of 3456	1880	cmd.exe	114
PID 1880 wrote to memory of 3456	1880	cmd.exe	114
PID 1880 wrote to memory of 1032	1880	cmd.exe	115
PID 1880 wrote to memory of 1032	1880	cmd.exe	115
PID 1880 wrote to memory of 1032	1880	cmd.exe	115
PID 1880 wrote to memory of 2668	1880	cmd.exe	116
PID 1880 wrote to memory of 2668	1880	cmd.exe	116
PID 1880 wrote to memory of 2668	1880	cmd.exe	116
PID 1880 wrote to memory of 3964	1880	cmd.exe	117
PID 1880 wrote to memory of 3964	1880	cmd.exe	117
PID 1880 wrote to memory of 3964	1880	cmd.exe	117
PID 1880 wrote to memory of 1692	1880	cmd.exe	118

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀.zip
1⤵
PID:3120

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3164

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2580

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\" -spe -an -ai#7zMap29472:148:7zEvent15472
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3084

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\" -spe -an -ai#7zMap7632:164:7zEvent29191
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4732

C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\Xeno.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:920
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Sake.mpeg Sake.mpeg.bat & Sake.mpeg.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\SysWOW64\expand.exe
    expand Sake.mpeg Sake.mpeg.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3120
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2568
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2852
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3188
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 627100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4816
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Commissioners.mpeg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3340
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Depth" Baghdad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 627100\Elite.com + Iv + Pen + Specialized + Entirely + Routine + Prediction + Dance + Helmet + Governor 627100\Elite.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1148
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Alleged.mpeg + ..\Violations.mpeg + ..\Better.mpeg + ..\Der.mpeg + ..\Informed.mpeg + ..\Library.mpeg + ..\Sample.mpeg q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- - C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
    Elite.com q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:852
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:876

C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\Xeno.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c expand Sake.mpeg Sake.mpeg.bat & Sake.mpeg.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1880
- - C:\Windows\SysWOW64\expand.exe
    expand Sake.mpeg Sake.mpeg.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1336
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4824
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:388
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- - C:\Windows\SysWOW64\findstr.exe
    findstr "bdservicehost AvastUI AVGUI nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 627100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Commissioners.mpeg
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 627100\Elite.com + Iv + Pen + Specialized + Entirely + Routine + Prediction + Dance + Helmet + Governor 627100\Elite.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1692
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Alleged.mpeg + ..\Violations.mpeg + ..\Better.mpeg + ..\Der.mpeg + ..\Informed.mpeg + ..\Library.mpeg + ..\Sample.mpeg q
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- - C:\Users\Admin\AppData\Local\Temp\627100\Elite.com
    Elite.com q
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3460
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\7663c46d-75da-4579-82ed-13dc4cd207b7.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
5726af350fb53362b67f203382fd2eaa

SHA1
11f6367d87b92d6c13deed8bc641422d0bcea990

SHA256
5423fff1b9a87ffaf764d572000f10ff80994fc8662eeef2e2c55d90f03de93b

SHA512
db9afd3bb5a52e8412fd1c6481dcc707269a04655b2528ce2c05282e7f34768e133a393302263ee99c6432ee622f0953360f33b010d5cdb4149422154d36ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\627100\Elite.com

Filesize
1KB

MD5
fe4a47e30e44898a72336994ee37bcf9

SHA1
8fde71eba1d4cea2630fc190d11af8d959216ed0

SHA256
939be6ce62bd2fa040c148d78aa59e945909eaaf3082b5f8ea17b8f0a3d3eda2

SHA512
a04baf020a0877a48413c7da822cb74623b2c7fdf962b88a8f9fa2f679160e5597897aae6598a1425693a47906dc9f0490584314c0a099fb7878b28f0eb1689e

Download Submit
C:\Users\Admin\AppData\Local\Temp\627100\Elite.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\627100\q

Filesize
512KB

MD5
ac70fbd1211cbdfa66cb6587bc4ecc55

SHA1
a2c00dacb75b4dcd52046297b7e73a154c0e1288

SHA256
c32a5069e5c067dfdd701c57b8a7639f2f2da094f28eb0fba4e7d7fd400ddd3f

SHA512
de14c2ec4db7d0028cd1de205bc402a627628b6cc702cb2333f3541bc49dac433f4225fa8142a0a497787853be60c9c7c17e5b94e029c59124ce90bc7ad059be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Alleged.mpeg

Filesize
75KB

MD5
1829cf2cda1b1e4c1af4aa48a5ac4ab1

SHA1
b227182ee9cc580b77483d4c4587fecb7039f077

SHA256
94238b145e9343b60cbc9f694f30ac007c7abb44514d78c4abb71e0dee2d0657

SHA512
f4cae01dbeb67da1d3a8f424efeb116e99f3cabdf8a167e0a80fe6645072af26e0e927e91de72b4b85bdb271f7dc0f836b01e75c9291042d78d46a2af9eda852

Download Submit
C:\Users\Admin\AppData\Local\Temp\Baghdad

Filesize
1KB

MD5
af8375cb7a9727382d08ebbd612b79a0

SHA1
63263ef10d46b3f15bf94242b97cbe6af652a63e

SHA256
14f0770a5e9f63db995798aaf30a9828a1da9b87f3f8e9dfabca4ca2a77af68f

SHA512
d227afbb7cbaaa286703045cf44bf48ce67c4fe7ac6d73f5dc40376e7d20c29f8449ae018334062cf720a90a0337bb3b2da678efef7624ca810d2828419f7337

Download Submit
C:\Users\Admin\AppData\Local\Temp\Better.mpeg

Filesize
78KB

MD5
146d4cc09fd20005b2899f6b44f68bbf

SHA1
368eed4a19670ac9444015ff2194ee2e0b0b859c

SHA256
d17e6317079a94e74f6fe31d3772d398144f2924bc18e7abe6569c3096e4511e

SHA512
700cd119b2cb576351fec997aaaca627a05ee15e74440669e27ec3b2158946c3fb6286f3c3a4ed9a39bd6a7764f0b25ed55a3b9a473c8a240c7755f7ae933e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Commissioners.mpeg

Filesize
477KB

MD5
4ccd46acee34c369ec34a8c621e19f17

SHA1
2b0b10f3766d37f624810f29c6612e5790408608

SHA256
24b1b6cecd27d0289eff8b7683d527115c48c8e2bf63f88d59e8d9d4159ff489

SHA512
2d1da02fafaff11880e1a738896036f1e7a2aaeabe94f5fc95bc3ccd6393863e9800583949a7e9f26047c5b24a9cb67348db32c2806c025a205e3675437865bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dance

Filesize
89KB

MD5
b6e206f75cfb297db4e5b66b21f2b23a

SHA1
fb8d49c71e7cde19ecbf298c23330b1c058e874f

SHA256
86d9324f288c5c2a6547d065b4e0a93eb2bc62d7f8a33741ef17e77ff0a50c59

SHA512
40614328fd7ba50fdc123039b25df20e71e3e12c7d867e4697f2d51a684b4611f0990485013edc6e490f0ad8dbb4ed8b4692c01173d4beefa076a56720dcfb8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Der.mpeg

Filesize
87KB

MD5
784bb120449ddcc0877119dd9adb58ad

SHA1
1069a0220aaa122c41727647a02d5f9beeb15b75

SHA256
55a857e4a2a37c21ae1702597126219fe073f22cdf80be35ab16569390be2920

SHA512
3a40a37e8805d07af385510bb605408cee53a50125c153595f21da5ca650a41d288f50fc6fcd7c390053e461184fff27497083139c9b50931d04c6151c09dc43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entirely

Filesize
82KB

MD5
341c79d83d7ac8c8b4c34c1906a5e77d

SHA1
e88e60eb44945bef37e177bbba4f7b26e2a55a9c

SHA256
047a19ad0bf30a97576eaf443862c64630edb10b6b6f6f7222d0931fa5b89b37

SHA512
00820d2fd05f2333169754b5f411e51c774bdb3a581ecf3b7f4e6d3b4c50bfb35154fe30685ccc1521cda24a2f8b7f61da82f06def68b6c7671dd17f971e7757

Download Submit
C:\Users\Admin\AppData\Local\Temp\Governor

Filesize
62KB

MD5
e4431d379c5423df0e30aa6de7371da9

SHA1
1378fc682ee7d1cbe1a5d4f7cf8d2f08c53092fe

SHA256
de69cd1f6001d0f35a920ef3dee39569f9a2fd2747391b31285cdd78d1ed1823

SHA512
f1226e20c6a0e49da4affbba6e0426846d5b91bea8a92a4515617da45e314ff3feeb4da1f660193ae1a2d4b81104a069b4fc6470cde3df024a627647e37cafd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Helmet

Filesize
107KB

MD5
e8bf5faafb1291519c0f81849ef4e446

SHA1
0c5b4aba22fdeb4b2be21aa7aaa5d69113cb0bba

SHA256
63e18608ff015b2c0d203c0c54576f0e6ca60493d7b284eb5bfbb262cf0beebe

SHA512
0336851a0f01e33a1e771083bae01fdc865327c9963d22a3f8d1a94b281d2fec8c7731099f0a2241053e3017591f8bdcc71a94c866905f9e34b3624fbc635439

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informed.mpeg

Filesize
91KB

MD5
366eaa00de650c7e0c51dfbd64689f05

SHA1
cc682a87230b291a82cb23c1b5e754b69e45b5f8

SHA256
a92e044fcd9cc433d5f8aac78afd72da4ed31877b25d259dc1d259452ffe7bbc

SHA512
8df6672481c775d39a6f7c957086a304f3ccfa2790dd551848c08c36969491265ed6be0d32e28b8c64013cb3433d0049e3f237185bb3bc045cc2acd226c66fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Iv

Filesize
120KB

MD5
c4ef7dd056d4c31db48d9da03b732648

SHA1
79893fafe734ccf66d792eaa8047a6c5326a865c

SHA256
36d402a58d390d2c14ca9566a6c319ffd090d1e8be5826af0bc148b4d8d02258

SHA512
d643ac5b9dcf36a7982a37284a6d34db92682e8777301d3c54c7cd61496c1c8dea25342a17e4a06d957796f871813688aa2441a8f4a056beb4780994b7d9a535

Download Submit
C:\Users\Admin\AppData\Local\Temp\Library.mpeg

Filesize
86KB

MD5
d74575fc1a31a85be78cdb8596f7cd61

SHA1
0074b4239aee3187df21d114ceb4adc4a0e6673c

SHA256
9ead7ce6cfc377bf27a9482964853b22983c779d4cf57551760544e0f308a9d2

SHA512
e7f1a28f6bb068a196f9eb8dd5833ca1525002762f216d509a22bd61a2d83cbd0c0dc4738ccc024b8d083ad1bfac83c9b69285ad6f7a7a1aaabe3b98b9782482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pen

Filesize
139KB

MD5
c258a480db7eda77ee0bbbc2b956969e

SHA1
d180ac78dd378d3126429395ffe88ee31a9748c6

SHA256
74c7abaa72a3eedda6300898ecfa5c0c32f7bb508cdd76b85bcc5eeedccd9654

SHA512
fc61ce88b99eafd251c294c902059dcef9b9b09b4c885e913476f15375d82c254f8a3338a717b2f6f660fc43aa82ed5c1f99735c2cc5c2fe745b5053a86c44b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prediction

Filesize
83KB

MD5
3ee499c6fc8280bc7dfb743b515a41e2

SHA1
30664e477f83ebd3c24c7a4a01d140b41fa0403b

SHA256
e0017a2f94babee8b16740aced58e1ebac872ff91ff070050d296f351576c842

SHA512
eaaa727784c9a7320bca74f54cdc5e7fd4b0eb89800cd1cde834297235ab19bcb093087d1468ca37ad537520b8bb4072ec8455d59440fc92b3bdf4ceb1eb7b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Routine

Filesize
108KB

MD5
3b15f324fc1046867c865b9209e65a5c

SHA1
0180edf599c00510b751fc22d8cb5b7ce0f94f2d

SHA256
d2ea01651c7bb6b2de7ff81f9e422b653abc6fc94f3781045c15e52b9c106f3d

SHA512
e929250f43ba562ddad0a659bd3ca2e95d8ed63b65d3427a40ff6167c3d2e0f0733d59ac3e028e0037bca8f327e6526c08d528643af682752c2cbebe19f24d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sample.mpeg

Filesize
10KB

MD5
2f60b0321e3a1e982337177b59d829ad

SHA1
a97d3ae408706c19b10af6046e0cf9bc2689f9cc

SHA256
045b6d6be2902d33ff4a4588a01384836118a911938bf1250762163f955edcfd

SHA512
c5ab31747a44f066f4820ef7c823d8791a80a74e08eb4f5251e370d3cc34fc1a22965b45758455fabd923f9ca6bf5bef8668245d1c93fc8193f4993d5018377f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Specialized

Filesize
133KB

MD5
c422cff1e466a6a0802b42a24d3385a5

SHA1
d4e4f6625ea49fdbbe5679f9e55345a0f8cd750b

SHA256
2a14eb03567ce41700be5156be106278f506ae3ae61254f91d5645bc84401c84

SHA512
5ab937cad5ddcc1b86aa3e00d083448e39ea175977c93b5012fa50f0eb53b4d5d976772e9e0ab26e4438730c0fb531b406126c3d8971196bb789d35cbda383d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Violations.mpeg

Filesize
85KB

MD5
eacb8e5f0bd07603ffac9b2284569108

SHA1
7fa7d2343313d316156f7487be934b14f45e2080

SHA256
4270eb130079192243c0f03f648c9546bf7651be3392dc3b80e38c8b301a1345

SHA512
12ae6b5d7eba50ceffe16d60824eb138042ca873183e10286c44d606069ae289316def4e7dfce186d3e4dabdce96bd6aaddd80b95c188c3720bf85690a6fd7cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\sake.mpeg

Filesize
12KB

MD5
ef0c24bdeaedf9ce76b94ba897d61b96

SHA1
c8b81be9dc66e312c7551e5c46f42636fbf29b72

SHA256
f58a162b05c52b98dba4a1ce9bb878e3c7f9950418c459790959b38faa11ea2d

SHA512
a4bcfac5c8db83a81da9390151e1e714534b6b9351a7cedfee2f2114f63f001badf65cb48e41f75553f85dfb88a472f2f728612b2d18d2912cec6c2d52051699

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release.zip

Filesize
43.4MB

MD5
fdd21bcc5933c030e4935ebfe7cc8df9

SHA1
5d895dfd6b700adc7c6411acaefce1af39248667

SHA256
02d9b3fb9187e729c451b018502164784329a4f9c8bd9fc05bab2c505d476572

SHA512
492a44e8f6caca173910cc393ee2627c6470bfdfb37b6adb498f55bf0544338dd1449bdf3d4a9218f74ef23ef98148319a2496adf4191070296391cf5d796817

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\autoexec\scripts

Filesize
18.7MB

MD5
88fd7dbf04bcf75123d02009aea3f7f7

SHA1
cecf16bdad71e54afc941179ea2b7438a04efa1d

SHA256
01481b9a862936fbc090bda4033f22d7ffa5a7bfe5dc32f47c7794332b34eec4

SHA512
2c6298b5adf91b51f0042d48e0846f5b196d52a588fd4fc577bf19ec26ad8e547382279a15f8bf131b08b0d7c140534aff25f82d5e8998818b812e72c9493917

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\.tests\isfile.txt

Filesize
7B

MD5
260ca9dd8a4577fc00b7bd5810298076

SHA1
53a5687cb26dc41f2ab4033e97e13adefd3740d6

SHA256
aee408847d35e44e99430f0979c3357b85fe8dbb4535a494301198adbee85f27

SHA512
51e85deb51c2b909a21ec5b8e83b1cb28da258b1be227620105a345a2bd4c6aea549cd5429670f2df33324667b9f623a420b3a0bdbbd03ad48602211e75478a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
a833653a021f29ee2ec1a845e0c2308f

SHA1
05071159d3c2516d67b765cef012a0a2d3337759

SHA256
8e9f3538e43a68caa472fd47adaf43906e097cfb53ef55d1361caf1cc97efca7

SHA512
0902a886c95cee1b34f9419ab0a10ce0fe96eae57c59ab4cefba99ba3fc2a0237741f31076ce065db14fe3dfecd325458209f0d1e9fcc8b9ac7bff8328e1744f

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\𝙓3𝙉𝙊-𝙑1.1.5-𝙓64-𝙍3𝙇𝙀𝘼𝙎𝙀\Release\workspace\Xeno.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
memory/852-663-0x0000000003D20000-0x0000000003D84000-memory.dmp

Filesize
400KB

Download
memory/852-666-0x0000000003D20000-0x0000000003D84000-memory.dmp

Filesize
400KB

Download
memory/852-662-0x0000000003D20000-0x0000000003D84000-memory.dmp

Filesize
400KB

Download
memory/852-665-0x0000000003D20000-0x0000000003D84000-memory.dmp

Filesize
400KB

Download
memory/852-664-0x0000000003D20000-0x0000000003D84000-memory.dmp

Filesize
400KB

Download