Analysis

  • max time kernel
    908s
  • max time network
    867s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    14/06/2023, 15:03

General

  • Target

    lua2exe.zip

  • Size

    199.9MB

  • MD5

    85be5d886585bf69d7ed17dbb02b6946

  • SHA1

    2ae001bc66000b19a13bf2cdf14866256bd28d45

  • SHA256

    3ce09172fdc7be44b974fc544d775c712e1b220a79847b4ce9403e7529101356

  • SHA512

    19d780a51935022e3d2ad7aa2c47221c2a02047b646dbd2bd96d1fc203b83c2eceb69de0c895529c96000b3a7ff7a8cf895ba00d30cb13fb8b9c53740d0e8d35

  • SSDEEP

    6291456:NDDCNTIpHNjKzxj+bNZfQE5CK2jYbHmmFOg:ZIIFpaqNZoEQKFJl

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Program crash 2 IoCs
  • Modifies registry class 23 IoCs
  • Opens file in notepad (likely ransom note) 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Windows\Explorer.exe
    C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\lua2exe.zip
    1⤵
      PID:2516
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:980
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\lua2exe\lte.bat" "
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:3964
        • C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
          lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\
          2⤵
            PID:3404
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4016
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\convert.lua
            2⤵
            • Opens file in notepad (likely ransom note)
            PID:360
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe"
          1⤵
          • Suspicious use of WriteProcessMemory
          PID:1584
          • C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
            lualib\lua.exe convert.lua C:\Users\Admin\Desktop\lua2exe\
            2⤵
              PID:2420
            • C:\Users\Admin\Desktop\lua2exe\source\lualib\lua.exe
              lualib\lua.exe convert.lua in.lua -o out.exe C:\Users\Admin\Desktop\lua2exe\
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /c lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:1964
                • C:\Users\Admin\Desktop\lua2exe\source\lualib\luac54.exe
                  lualib\luac54.exe -o generated_lua_bytecode.luac C:\Users\Admin\Desktop\lua2exe\in.lua
                  4⤵
                    PID:2904
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /c compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4536
                  • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
                    compiler\mingw64\bin\gcc.exe generated_c.c -o C:\Users\Admin\Desktop\lua2exe\out.exe
                    4⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3896
                    • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
                      C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT generated_c.c -quiet -dumpdir C:\Users\Admin\Desktop\lua2exe\out- -dumpbase generated_c.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\cctkPs5d.s
                      5⤵
                        PID:2600
                • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
                  gcc.exe
                  2⤵
                    PID:3600
                  • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
                    gcc.exe lol.c -o doge.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:872
                    • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
                      C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccSirhCD.s
                      3⤵
                        PID:2824
                    • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
                      gcc.exe lol.c -o doge.exe
                      2⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1744
                      • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
                        C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
                        3⤵
                          PID:4008
                        • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe
                          C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s
                          3⤵
                            PID:3616
                          • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe
                            C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib 
-LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:2212
                            • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe
                              C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccXAPSvT.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib 
-LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
                              4⤵
                                PID:3784
                          • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\gcc.exe
                            gcc.exe lol.c -o doge.exe
                            2⤵
                            • Suspicious use of WriteProcessMemory
                            PID:3964
                            • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\cc1.exe
                              C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/cc1.exe -quiet -iprefix C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/ -D_REENTRANT lol.c -quiet -dumpdir doge- -dumpbase lol.c -dumpbase-ext .c -mtune=core2 -march=nocona -o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
                              3⤵
                                PID:4856
                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\as.exe
                                C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/as.exe -o C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s
                                3⤵
                                  PID:5096
                                • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\libexec\gcc\x86_64-w64-mingw32\13.1.0\collect2.exe
                                  C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/collect2.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib 
-LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
                                  3⤵
                                  • Suspicious use of WriteProcessMemory
                                  PID:4004
                                  • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\x86_64-w64-mingw32\bin\ld.exe
                                    C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/bin/ld.exe -plugin C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/liblto_plugin.dll -plugin-opt=C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../libexec/gcc/x86_64-w64-mingw32/13.1.0/lto-wrapper.exe -plugin-opt=-fresolution=C:\Users\Admin\AppData\Local\Temp\ccpMC4Pe.res -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-lpthread -plugin-opt=-pass-through=-ladvapi32 -plugin-opt=-pass-through=-lshell32 -plugin-opt=-pass-through=-luser32 -plugin-opt=-pass-through=-lkernel32 -plugin-opt=-pass-through=-liconv -plugin-opt=-pass-through=-lmingw32 -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_eh -plugin-opt=-pass-through=-lmoldname -plugin-opt=-pass-through=-lmingwex -plugin-opt=-pass-through=-lmsvcrt -plugin-opt=-pass-through=-lkernel32 --sysroot=C:/buildroot/x86_64-1310-posix-seh-msvcrt-rt_v11-rev1/mingw64 -m i386pep -Bdynamic -o doge.exe C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib/crt2.o C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtbegin.o -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0 -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib/../lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../lib 
-LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../../../x86_64-w64-mingw32/lib -LC:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/../../.. C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 -lpthread -ladvapi32 -lshell32 -luser32 -lkernel32 -liconv -lmingw32 -lgcc -lgcc_eh -lmoldname -lmingwex -lmsvcrt -lkernel32 C:/Users/Admin/Desktop/lua2exe/source/compiler/mingw64/bin/../lib/gcc/x86_64-w64-mingw32/13.1.0/crtend.o
                                    4⤵
                                      PID:1616
                              • C:\Windows\system32\OpenWith.exe
                                C:\Windows\system32\OpenWith.exe -Embedding
                                1⤵
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:2368
                                • C:\Windows\system32\NOTEPAD.EXE
                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\in.lua
                                  2⤵
                                  • Opens file in notepad (likely ransom note)
                                  PID:4260
                              • C:\Windows\system32\OpenWith.exe
                                C:\Windows\system32\OpenWith.exe -Embedding
                                1⤵
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:4888
                                • C:\Windows\system32\NOTEPAD.EXE
                                  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\lol.c
                                  2⤵
                                  • Opens file in notepad (likely ransom note)
                                  PID:3064
                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
                                "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
                                1⤵
                                • Executes dropped EXE
                                PID:4952
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 4952 -s 164
                                  2⤵
                                  • Program crash
                                  PID:2624
                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
                                "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
                                1⤵
                                • Executes dropped EXE
                                PID:3720
                                • C:\Windows\system32\WerFault.exe
                                  C:\Windows\system32\WerFault.exe -u -p 3720 -s 132
                                  2⤵
                                  • Program crash
                                  PID:4928
                              • C:\Windows\system32\NOTEPAD.EXE
                                "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c
                                1⤵
                                • Opens file in notepad (likely ransom note)
                                PID:4160
                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe
                                "C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe"
                                1⤵
                                • Executes dropped EXE
                                PID:3436

Network

MITRE ATT&CK Matrix

                              Downloads

                              • C:\Users\Admin\AppData\Local\Temp\ccC2m6jA.o

                                Filesize

                                1KB

                                MD5

                                ea4bdefbe5ad111bd32a23fe558c9ff5

                                SHA1

                                b611b44cd762f2d1776872315731eed7174b48ba

                                SHA256

                                8e97e804be76c3f3b052b2ddbc966a3fefb5317f56c5c80719888c054cfa946a

                                SHA512

                                68c8329b1c98ed02d782830df9cbe44ed3cb8334151a385eb692da83a3c5790fe0b31975c77e12f66ff0f09fa483f4e2b2d6aed79ab66f3e318196367ce6b2dd

                              • C:\Users\Admin\AppData\Local\Temp\ccamUgwA.s

                                Filesize

                                1KB

                                MD5

                                0f338409784779e4b75b1e443acba04f

                                SHA1

                                27b7d8d6351a4d38ed0a8e612753714c7431e589

                                SHA256

                                bf47f41584059ddf057e898236a1db3e5911aecf7a517932a7010b868ff2feb0

                                SHA512

                                f93800d0d6347a355deeb1fd482efbf3ec0b67aaef09be34134ef7c35549541307b1cf3c78e1c43ce549ab58cee155a8d07c967a1b92e853685f54ab891e2f38

                              • C:\Users\Admin\AppData\Local\Temp\ccf9SMVZ.s

                                Filesize

                                1KB

                                MD5

                                10e0ef28dad3c9db5bd891bd62f821ab

                                SHA1

                                d2b13d9ed669b4dd36e0a42913b896577d150148

                                SHA256

                                8bdebc49501f2ebb0a10b2a0d107a206f2a76dc31ef6f686d61c7268f6652585

                                SHA512

                                6b4b0b03ce8609558ddae08333d1a592a2d9a2617e7fd1b6ade6b1e72ffd17f3aa7b4ddcbe43369a53d26e68920ff9ec388d3eab60d7e0e79e839fe1efde628e

                              • C:\Users\Admin\AppData\Local\Temp\ccjtRy47.o

                                Filesize

                                1KB

                                MD5

                                29e1c9b1a68dc471f39ce16428656f34

                                SHA1

                                884cbb28c30b0edad51fc29c6b3917c17bdd1a97

                                SHA256

                                41ea9685dadbfe06edab9fcc8785f805d06ef37cfc554b361e02f817d7412999

                                SHA512

                                b9ac94b01d36201d320cc4ea90de1c04ed704e92ecb656d8d95a071218a242ee0be146f8d2d6d0eac2643f1b189387ad13fb31d4e5e782172353d3fcb1435a75

                              • C:\Users\Admin\Desktop\lua2exe\in.lua

                                Filesize

                                21B

                                MD5

                                a34b35c4670e93e7e6b045017dcf50a8

                                SHA1

                                0e272ac247eb64b53c48a6c17ee1f9d686165f01

                                SHA256

                                830c23c40505782a4fd7b5517783696a69856956266b7a26a4a55ccbdf22ba9e

                                SHA512

                                4da353fcd8e4cac8be252ea8bcd1252de54ac941f322e3bf64385bbc4dca78dfd04b4464ea4029b761e9bb5b8148e738bc66c02b4170d483c03fdaadde66f1c6

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

                                Filesize

                                74KB

                                MD5

                                05abd537551101f4d8acc86b7135203b

                                SHA1

                                78d96bd306119073a175482e0125a6e8aa7aa552

                                SHA256

                                01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

                                SHA512

                                30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

                                Filesize

                                74KB

                                MD5

                                05abd537551101f4d8acc86b7135203b

                                SHA1

                                78d96bd306119073a175482e0125a6e8aa7aa552

                                SHA256

                                01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

                                SHA512

                                30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

                                Filesize

                                74KB

                                MD5

                                05abd537551101f4d8acc86b7135203b

                                SHA1

                                78d96bd306119073a175482e0125a6e8aa7aa552

                                SHA256

                                01db93d19015ad10d31345c1bc685a9922ac1e7d3dce4c3eae3a9639f904be81

                                SHA512

                                30365741bbbcb822a7ac3053881bed7eb0d2cda94ebd1599154865b5beffa4438084300766765a10b11763abc98894a25a75671785380bf08ca9ee6b8bf6d970

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\doge.exe

                                Filesize

                                74KB

                                MD5

                                f67162fbb7d26e5949e2a5c225c4a8d2

                                SHA1

                                f125071a8135160793be998ec1b18f3ceea06e16

                                SHA256

                                6978b37d7c468ef15f1fe2c9d505be2771238fead13637ed705cd1e5adbdb33c

                                SHA512

                                02843cd88ac260132ac0bc60cd60d82a35f22ce034bd768b07b73abc58e63e286f1e7bcbd940bb8afb01eb98edcc665f52dfde3c5802939df0bfae14e0a32491

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c

                                Filesize

                                65B

                                MD5

                                852f936202df02015a8a51a420a35f31

                                SHA1

                                168fd07c5eaca67836085677b07a61de29a0a7b9

                                SHA256

                                37adc3aae952b9a6c4bf77c20b507bc7817004874925927c27430f2e2ef17902

                                SHA512

                                9bab6bab57d744d2df148be8a684e974ecdc0b9288cb2ea5d6dbf0f34ca2c3d2d97d58b0eb4f96bd67f30bf5df5ce8a5cecdb90d9f98a5655f13b2fb512816d7

                              • C:\Users\Admin\Desktop\lua2exe\source\compiler\mingw64\bin\lol.c

                                Filesize

                                76B

                                MD5

                                28eea32f2580ee70fc1c762474ae1150

                                SHA1

                                b74fa8ef93510ceedddfb39782fd5e533ac2968e

                                SHA256

                                ac407b299de469141ea97494a08e24e5d83b1100aea53650c2e824bbb397e38a

                                SHA512

                                626d59d6e32c26688b413f102d1672d9e63bd8683b830107bbde768fcb79311fb26804a2403a841194175029812d50af032c549564b656afaa66505ad3882aa1

                              • C:\Users\Admin\Desktop\lua2exe\source\convert.lua

                                Filesize

                                10KB

                                MD5

                                6cb720d7db35589a53e966213de89ef4

                                SHA1

                                d32d04856ebdb3f8db37b26b6aafc3d56cbedd0a

                                SHA256

                                eeb2e66c82a919bd7bb0cedeb65bd80e73edee69b99485d9ead0bdbce188688c

                                SHA512

                                e437e634eb472178b894c8e65687c79380faf0fb36e4669f3586d75df01dee2d3a6f31c2ccc7eeb3c74ef39a5abda016bc7dd4eec811a30b6448d49c69fd4205

                              • C:\Users\Admin\Desktop\lua2exe\source\generated_c.c

                                Filesize

                                1.8MB

                              • C:\Users\Admin\Desktop\lua2exe\source\generated_lua_bytecode.luac

                                Filesize

                                138B

                              • memory/872-147-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/1616-180-0x00007FF75C470000-0x00007FF75C623000-memory.dmp

                                Filesize

                                1.7MB

                              • memory/1744-162-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/1932-135-0x0000000065B80000-0x0000000065BCF000-memory.dmp

                                Filesize

                                316KB

                              • memory/1932-140-0x0000000000400000-0x000000000041E000-memory.dmp

                                Filesize

                                120KB

                              • memory/1932-141-0x0000000065B80000-0x0000000065BCF000-memory.dmp

                                Filesize

                                316KB

                              • memory/1932-134-0x0000000000400000-0x000000000041E000-memory.dmp

                                Filesize

                                120KB

                              • memory/2212-160-0x0000000140000000-0x00000001401D4000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/2420-126-0x0000000065B80000-0x0000000065BCF000-memory.dmp

                                Filesize

                                316KB

                              • memory/2420-125-0x0000000000400000-0x000000000041E000-memory.dmp

                                Filesize

                                120KB

                              • memory/2824-145-0x0000000140000000-0x0000000142209000-memory.dmp

                                Filesize

                                34.0MB

                              • memory/2904-130-0x0000000000400000-0x0000000000443000-memory.dmp

                                Filesize

                                268KB

                              • memory/3404-121-0x0000000000400000-0x000000000041E000-memory.dmp

                                Filesize

                                120KB

                              • memory/3404-122-0x0000000065B80000-0x0000000065BCF000-memory.dmp

                                Filesize

                                316KB

                              • memory/3436-186-0x00007FF7F6FE0000-0x00007FF7F6FF8000-memory.dmp

                                Filesize

                                96KB

                              • memory/3600-143-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

                                Filesize

                                88KB

                              • memory/3600-142-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/3616-155-0x00007FF69AA50000-0x00007FF69AC1C000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/3720-168-0x00007FF755080000-0x00007FF755098000-memory.dmp

                                Filesize

                                96KB

                              • memory/3784-159-0x00007FF75C470000-0x00007FF75C623000-memory.dmp

                                Filesize

                                1.7MB

                              • memory/3896-136-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/3896-139-0x00007FFD61460000-0x00007FFD61476000-memory.dmp

                                Filesize

                                88KB

                              • memory/3896-138-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/3896-137-0x00007FFD61460000-0x00007FFD61476000-memory.dmp

                                Filesize

                                88KB

                              • memory/3964-183-0x0000000140000000-0x000000014028A000-memory.dmp

                                Filesize

                                2.5MB

                              • memory/4004-181-0x0000000140000000-0x00000001401D4000-memory.dmp

                                Filesize

                                1.8MB

                              • memory/4008-152-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

                                Filesize

                                88KB

                              • memory/4008-151-0x0000000140000000-0x0000000142209000-memory.dmp

                                Filesize

                                34.0MB

                              • memory/4856-172-0x0000000140000000-0x0000000142209000-memory.dmp

                                Filesize

                                34.0MB

                              • memory/4856-173-0x00007FFD67180000-0x00007FFD67196000-memory.dmp

                                Filesize

                                88KB

                              • memory/4952-166-0x00007FF755080000-0x00007FF755098000-memory.dmp

                                Filesize

                                96KB

                              • memory/5096-176-0x00007FF69AA50000-0x00007FF69AC1C000-memory.dmp

                                Filesize

                                1.8MB