Analysis Overview
SHA256
98c4e2e6f4ec3d9e0f3f60526e856e947947548c172f9dfd1dc22d638554a633
Threat Level: Known bad
The file 5aabef8a91fbdddbbc3127b836ffda59 was found to be: Known bad.
Malicious Activity Summary
Detect Lumma Stealer payload V4
Modifies security service
Lumma Stealer
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-14 07:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-14 07:40
Reported
2024-01-14 07:43
Platform
win7-20231215-en
Max time kernel
152s
Max time network
145s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File created | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rundll.exe | C:\Windows\SysWOW64\rundll.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe
"C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 480 "C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 536 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 540 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 528 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 548 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 532 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 556 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 560 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 564 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\rundll.exe
C:\Windows\system32\rundll.exe 572 "C:\Windows\SysWOW64\rundll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
C:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | a5d4cddfecf34e5391a7a3df62312327 |
| SHA1 | 04a3c708bab0c15b6746cf9dbf41a71c917a98b9 |
| SHA256 | 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a |
| SHA512 | 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | e427a32326a6a806e7b7b4fdbbe0ed4c |
| SHA1 | b10626953332aeb7c524f2a29f47ca8b0bee38b1 |
| SHA256 | b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839 |
| SHA512 | 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
\Windows\SysWOW64\rundll.exe
| MD5 | 5aabef8a91fbdddbbc3127b836ffda59 |
| SHA1 | cdfd99718f1881d487cd85c1d59c2504fc9bb03e |
| SHA256 | 98c4e2e6f4ec3d9e0f3f60526e856e947947548c172f9dfd1dc22d638554a633 |
| SHA512 | 289032583ba4f260f3b812812bd46e0a81de0796c5b284fdeeadb648519b652a9db2ab13c7557e7d370f7dab2a2157a0f0caadd5fa71451e2cd287bc79e49b5f |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 4be01c629881eddccb675ba267a66899 |
| SHA1 | 23324e7814bcd157b27e810f4c786b0c39bfc9b1 |
| SHA256 | 39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30 |
| SHA512 | 7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55 |
memory/2144-141-0x0000000000400000-0x00000000004AC000-memory.dmp
memory/2940-142-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | eee5718ce97d259fd8acec31375fc375 |
| SHA1 | 989c64b0c9a049f1b7ad9e677c4566ab1559744f |
| SHA256 | 1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb |
| SHA512 | 6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 872656500ddac1ddd91d10aba3a8df96 |
| SHA1 | ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc |
| SHA256 | d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8 |
| SHA512 | e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9 |
memory/2776-262-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 908860a865f8ed2e14085e35256578dd |
| SHA1 | 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603 |
| SHA256 | d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f |
| SHA512 | a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9 |
memory/2508-382-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | f1cbbc2ce0d93c45a92edcc86780e9f0 |
| SHA1 | d893306caae2584cdeba4c80c3bfe18548fa227a |
| SHA256 | 6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7 |
| SHA512 | b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6b0182442d6e09100c34904ae6d8ee0c |
| SHA1 | 6255e65587505629521ea048a4e40cc48b512f2c |
| SHA256 | cb34af7065e6c95f33fee397991045dae5dfae9d510660e6981ee6263542f9a4 |
| SHA512 | 64395a0c6fce50a64a2067522b798f9b27c577da96e8d68f830a075ba833f1d644af27a9c6fc941ebb3d79999ac31576763378c9997a5b38eb5fdf075918eb46 |
memory/368-502-0x0000000000400000-0x00000000004AC000-memory.dmp
memory/1900-622-0x0000000000400000-0x00000000004AC000-memory.dmp
memory/2728-742-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d67d51b859c99a46a906a4c3a6ff6560 |
| SHA1 | b685cc703a1c86ba8ad681b545a6f3014b80d585 |
| SHA256 | 33d0a27d49cd3cfa5a4ef5027d3defe60a3f7be1a3914870390b9829d360937a |
| SHA512 | c986416a115ca162ee28d5dfd1159538d81a751e4961340415718c0d1f0ffa4d80675b4b698ed039eef86cbe1b2c0b01a0004dea39111056013d3e0a0179cedd |
memory/1920-862-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5a466127fedf6dbcd99adc917bd74581 |
| SHA1 | a2e60b101c8789b59360d95a64ec07d0723c4d38 |
| SHA256 | 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84 |
| SHA512 | 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5 |
memory/1092-982-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6fe56f6715b4c328bc5b2b35cb51c7e1 |
| SHA1 | 8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3 |
| SHA256 | 0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be |
| SHA512 | 8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c2d6056624c1d37b1baf4445d8705378 |
| SHA1 | 90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83 |
| SHA256 | 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96 |
| SHA512 | d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8d6eb64e58d3f14686110fcaf1363269 |
| SHA1 | d85c0b208716b400894ba4cb569a5af4aa178a2f |
| SHA256 | c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5 |
| SHA512 | 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7 |
memory/1972-1102-0x0000000000400000-0x00000000004AC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8a84d46ef81c793a90a80bc806cffdcf |
| SHA1 | 02fac9db9330040ffc613a325686ddca2678a7c5 |
| SHA256 | 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4 |
| SHA512 | b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d8be0d42e512d922804552250f01eb90 |
| SHA1 | cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3 |
| SHA256 | 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82 |
| SHA512 | f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 63ff40a70037650fd0acfd68314ffc94 |
| SHA1 | 1ab29adec6714edf286485ac5889fddb1d092e93 |
| SHA256 | 1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b |
| SHA512 | 2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d085cde42c14e8ee2a5e8870d08aee42 |
| SHA1 | c8e967f1d301f97dbcf252d7e1677e590126f994 |
| SHA256 | a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f |
| SHA512 | de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b |
memory/796-1222-0x0000000000400000-0x00000000004AC000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-14 07:40
Reported
2024-01-14 07:43
Platform
win10v2004-20231215-en
Max time kernel
152s
Max time network
140s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe
"C:\Users\Admin\AppData\Local\Temp\5aabef8a91fbdddbbc3127b836ffda59.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |