Malware Analysis Report

2024-11-30 04:48

Sample ID 240221-zb4mysfe33
Target 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad
SHA256 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad
Tags
lumma stealer
Score
10/10

Analysis Overview

Score
10/10

SHA256

6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad

Threat Level: Known bad

The file 6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad was found to be: Known bad.

Malicious Activity Summary

lumma stealer

Lumma Stealer

Detect Lumma Stealer payload V4

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-21 20:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-21 20:33

Reported

2024-02-21 20:36

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\CITUF.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe

"C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"

C:\Users\Admin\AppData\Local\Temp\CITUF.exe

C:\Users\Admin\AppData\Local\Temp\CITUF.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\CITUF.exe

MD5 180b488d50dcb49bdef3ebb5874767c8
SHA1 c5cc8fe1477b511f4782d425d12a6086056385ae
SHA256 23e5870fb24b7b9015927abb469e3bf09d7985c7f02fabad7e43289dd12cbd4a
SHA512 e908e13e67c289b3f1fa4c579051aa22293ccb0128805bb69bc4bb0362c8ed3c666d71e0482fef052d5640a875cd3f6e64bbb835bd77f88857922feb7548546d

C:\Users\Admin\AppData\Local\Temp\CITUF.exe

MD5 178330434eacc121faf0f7cc8c41b516
SHA1 936420c82a466dc54ab4d0f6de0d04b041c10e17
SHA256 e4e64b932c7c015f8e49f37c6900482e90e3bcaa68d05c21542039f3be1bf497
SHA512 61b1e6dd927dad393b04d258d1c1905c54e129d1f4418e580aabf4e22dd4472508e75fe9b70da6272ecf318431fa73fb653c59a2fddf796de778ac3ba590f491

C:\Users\Admin\AppData\Local\Temp\CITUF.exe

MD5 7021afcc5fba762ef0320d5a6ec78f02
SHA1 7ae1e3d93a67e3198aae634161b6869107e68202
SHA256 b516d8aefb6864f5d77720bb03197c072121ffe7ee2d7a065ccdc4cd2c92cf01
SHA512 51dca6da28126c81b7d9f4bdc7d707f8884d2361c3d0c67605f063a1b6e83996ac21c0fc6de36657eed34b2f0f3fbc5c52e7700e2cbea4c9e1d4dcaba3238681

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-21 20:33

Reported

2024-02-21 20:36

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\XFKLN.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe

"C:\Users\Admin\AppData\Local\Temp\6f9cce343781ac700700049de9d91013482fda8ca13ba8660a5b97c25b354cad.exe"

C:\Users\Admin\AppData\Local\Temp\XFKLN.exe

C:\Users\Admin\AppData\Local\Temp\XFKLN.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 25.63.96.20.in-addr.arpa udp
US 8.8.8.8:53 11.2.37.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\XFKLN.exe

MD5 70e2a5441ff815abe5a6d82ef4a8bda8
SHA1 dd45b3fb8fbeff69273f570075bfaae280dcb9fd
SHA256 13fec20b1f4f691814ec9416c892977e0b6554d70cdab320e28caa06a14b60c8
SHA512 2e9a3098f94d5f3a3d57f416e00ca1c053cd5d4670a454b88aae69126aa7dcbada6191bcabcbf80b49727df0ee9bda7245ba57a6fa310fe56c7f5bb96db9c4e6

C:\Users\Admin\AppData\Local\Temp\XFKLN.exe

MD5 f6f13f509acd3f40d38f2531eafe982f
SHA1 676d36796d47892482fd3cf421b20849c322bd0e
SHA256 a9448932f0140d39378e56c63d1be30aa77cd72ce433b26e695dafd98691b216
SHA512 f47b161040ac5b7d658342139ca7944b1530b0a8f9d07d9c245991493f135944609c64c4cf923ce3e35b4773f76e2bb7f1ff6721728e5b520dbd801f545f86e4
