Malware Analysis Report

2024-11-15 06:15

Sample ID 240224-svysgsgc8y
Target a22f400ce87664d7f5c214600509fcb3
SHA256 25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c
Tags lumma bootkit evasion persistence stealer
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c

Threat Level: Known bad

The file a22f400ce87664d7f5c214600509fcb3 was found to be: Known bad.

Malicious Activity Summary

lumma bootkit evasion persistence stealer

Lumma Stealer

Detect Lumma Stealer payload V4

Modifies security service

Loads dropped DLL

Executes dropped EXE

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-02-24 15:27

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-02-24 15:27
Reported 2024-02-24 15:29
Platform win7-20240215-en
Max time kernel 137s
Max time network 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\SysWOW64\cPaner.com N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1656 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1656 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1924 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1924 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1924 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1924 wrote to memory of 2412 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1656 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 1656 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 1656 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 1656 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 2128 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 2128 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 2128 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 2128 wrote to memory of 1404 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1404 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1404 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2116 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2116 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2116 wrote to memory of 1948 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1404 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1404 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1404 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1404 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1536 wrote to memory of 2460 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 2460 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2460 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2460 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2460 wrote to memory of 2532 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1536 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1536 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1536 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1536 wrote to memory of 1904 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1904 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1904 wrote to memory of 1424 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1424 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1424 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1424 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1424 wrote to memory of 1920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1904 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1904 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1904 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1904 wrote to memory of 1428 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1428 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1428 wrote to memory of 2160 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2160 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2160 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2160 wrote to memory of 2144 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1428 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1428 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1428 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1428 wrote to memory of 2688 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com

Processes

C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe

"C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 508 "C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 548 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 560 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 564 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 568 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 572 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 576 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 580 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 584 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 588 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

memory/1656-0-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1656-1-0x00000000002F0000-0x0000000000334000-memory.dmp

C:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/1656-9-0x00000000002B0000-0x00000000002B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/1656-10-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1656-118-0x00000000003D0000-0x00000000003D1000-memory.dmp

memory/1656-122-0x00000000004A0000-0x00000000004A4000-memory.dmp

memory/1656-124-0x0000000000490000-0x0000000000491000-memory.dmp

memory/1656-125-0x00000000004B0000-0x00000000004B1000-memory.dmp

memory/1656-126-0x00000000003E0000-0x00000000003E1000-memory.dmp

\Windows\SysWOW64\cPaner.com

MD5 a22f400ce87664d7f5c214600509fcb3
SHA1 5a807ef099b4b71e7043d0380723becb98cb6f28
SHA256 25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c
SHA512 874ab03464ae78e092c224c2356fbbaa15bb66e7d4fd95138ef36dcca75910aff1d80d8dcc7c01b63a493344a1b89c514e21eb6cc317541cc047293941d68d29

memory/1656-136-0x0000000000600000-0x0000000000601000-memory.dmp

memory/1656-127-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1656-137-0x00000000004F0000-0x00000000004F1000-memory.dmp

memory/1656-135-0x00000000004C0000-0x00000000004C1000-memory.dmp

memory/1656-138-0x0000000000620000-0x0000000000621000-memory.dmp

memory/1656-139-0x0000000000610000-0x0000000000611000-memory.dmp

memory/1656-140-0x0000000000640000-0x0000000000641000-memory.dmp

memory/1656-142-0x0000000000660000-0x0000000000661000-memory.dmp

memory/1656-141-0x0000000000630000-0x0000000000631000-memory.dmp

memory/1656-143-0x0000000000650000-0x0000000000651000-memory.dmp

memory/1656-144-0x0000000000680000-0x0000000000681000-memory.dmp

memory/1656-145-0x0000000000670000-0x0000000000671000-memory.dmp

memory/1656-146-0x00000000006B0000-0x00000000006B1000-memory.dmp

memory/1656-147-0x0000000000690000-0x0000000000691000-memory.dmp

memory/1656-148-0x0000000002010000-0x0000000002011000-memory.dmp

memory/1656-149-0x0000000002000000-0x0000000002001000-memory.dmp

memory/1656-150-0x0000000002030000-0x0000000002031000-memory.dmp

memory/1656-151-0x0000000002020000-0x0000000002021000-memory.dmp

memory/1656-152-0x0000000002050000-0x0000000002051000-memory.dmp

memory/1656-153-0x0000000002040000-0x0000000002041000-memory.dmp

memory/1656-154-0x0000000002070000-0x0000000002071000-memory.dmp

memory/1656-155-0x0000000002060000-0x0000000002061000-memory.dmp

memory/1656-156-0x0000000002090000-0x0000000002091000-memory.dmp

memory/1656-157-0x0000000002080000-0x0000000002081000-memory.dmp

memory/1656-158-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/1656-159-0x00000000020A0000-0x00000000020A1000-memory.dmp

memory/1656-160-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/1656-161-0x00000000024D0000-0x00000000024D1000-memory.dmp

memory/1656-162-0x0000000002500000-0x0000000002501000-memory.dmp

memory/1656-163-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/1656-164-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1656-165-0x0000000002510000-0x0000000002511000-memory.dmp

memory/1656-166-0x0000000002960000-0x0000000002961000-memory.dmp

memory/1656-167-0x0000000002990000-0x0000000002991000-memory.dmp

memory/1656-168-0x0000000002980000-0x0000000002981000-memory.dmp

memory/1656-169-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/1656-170-0x00000000029A0000-0x00000000029A1000-memory.dmp

memory/1656-171-0x00000000029D0000-0x00000000029D1000-memory.dmp

memory/1656-172-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/1656-173-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1656-174-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1656-175-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

memory/1656-176-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1656-177-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

memory/1656-178-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

memory/1656-179-0x0000000002C10000-0x0000000002C11000-memory.dmp

memory/1656-180-0x0000000002C00000-0x0000000002C01000-memory.dmp

memory/1656-181-0x0000000002C40000-0x0000000002C41000-memory.dmp

memory/1656-182-0x0000000002C20000-0x0000000002C21000-memory.dmp

memory/1656-184-0x0000000002C50000-0x0000000002C51000-memory.dmp

memory/1656-183-0x0000000002C60000-0x0000000002C61000-memory.dmp

memory/1656-185-0x0000000002C80000-0x0000000002C81000-memory.dmp

memory/1656-186-0x0000000002C70000-0x0000000002C71000-memory.dmp

memory/1656-187-0x0000000002DD0000-0x0000000002E60000-memory.dmp

memory/2128-188-0x00000000005B0000-0x00000000005B1000-memory.dmp

memory/1656-212-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2128-219-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2128-341-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1404-460-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1536-512-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1536-634-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1904-754-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1428-824-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2688-911-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2688-1047-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1068-1052-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1068-1189-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2784-1195-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2444-1337-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2444-1460-0x0000000000400000-0x0000000000490000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-02-24 15:27
Reported 2024-02-24 15:30
Platform win10v2004-20240221-en
Max time kernel 148s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\aspr_keys.ini C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File created C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A
File opened for modification C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1612 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1612 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cmd.exe
PID 1636 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1636 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1636 wrote to memory of 392 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1612 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 1612 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 1612 wrote to memory of 4968 N/A C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe C:\Windows\SysWOW64\cPaner.com
PID 4968 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4968 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4868 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4868 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4868 wrote to memory of 880 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4968 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4968 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4968 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1788 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 1788 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 5040 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5040 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5040 wrote to memory of 1360 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1788 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1788 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 1788 wrote to memory of 3220 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3220 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3220 wrote to memory of 4136 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4136 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4136 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4136 wrote to memory of 4452 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3220 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3220 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3220 wrote to memory of 3868 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3868 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3868 wrote to memory of 4360 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4360 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4360 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4360 wrote to memory of 3280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3868 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3868 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3868 wrote to memory of 4496 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4496 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 4468 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 4468 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4468 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4468 wrote to memory of 3756 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4496 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4496 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4496 wrote to memory of 3420 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3420 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 3420 wrote to memory of 2748 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2748 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2748 wrote to memory of 3564 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3420 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3420 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 3420 wrote to memory of 4248 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cPaner.com
PID 4248 wrote to memory of 212 N/A C:\Windows\SysWOW64\cPaner.com C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe

"C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1240 "C:\Users\Admin\AppData\Local\Temp\a22f400ce87664d7f5c214600509fcb3.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1204 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1180 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1176 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1184 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1192 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1188 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1200 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1196 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\cPaner.com

C:\Windows\system32\cPaner.com 1212 "C:\Windows\SysWOW64\cPaner.com"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\acx.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

memory/1612-0-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1612-1-0x00000000009A0000-0x00000000009E4000-memory.dmp

memory/1612-2-0x00000000022D0000-0x00000000022D1000-memory.dmp

memory/1612-4-0x00000000005F0000-0x00000000005F1000-memory.dmp

memory/1612-6-0x00000000022F0000-0x00000000022F1000-memory.dmp

memory/1612-7-0x0000000002340000-0x0000000002344000-memory.dmp

memory/1612-8-0x0000000002320000-0x0000000002321000-memory.dmp

memory/1612-10-0x0000000002350000-0x0000000002351000-memory.dmp

memory/1612-5-0x00000000005E0000-0x00000000005E1000-memory.dmp

memory/1612-12-0x0000000002310000-0x0000000002311000-memory.dmp

memory/1612-11-0x0000000002300000-0x0000000002301000-memory.dmp

memory/1612-13-0x0000000002360000-0x0000000002361000-memory.dmp

memory/1612-16-0x0000000002390000-0x0000000002391000-memory.dmp

\??\c:\acx.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

memory/1612-41-0x00000000023C0000-0x00000000023C1000-memory.dmp

memory/1612-14-0x00000000023A0000-0x00000000023A1000-memory.dmp

memory/1612-43-0x00000000023E0000-0x00000000023E1000-memory.dmp

memory/1612-42-0x00000000023B0000-0x00000000023B1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fadf3805f68986d2ee9c82f560a564e4
SHA1 87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6
SHA256 d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759
SHA512 e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

memory/1612-44-0x00000000023D0000-0x00000000023D1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 117efa689c5631c1a1ee316f123182bd
SHA1 f477bf1e9f4db8452bd9fe314cd18715f7045689
SHA256 79ed2f9f9de900b4f0a4869fc5dd40f1dcfb11a3f50bd7a5f362b30fe51b52e7
SHA512 abe34afa94cca236205e9ea954b95a78c986612cebd847f5146f792c00a5c58ca1fdc55be2befd974b5be77b1b117e28d8c4996f34b41c78b653725f21da4671

memory/1612-89-0x0000000002510000-0x0000000002511000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

memory/1612-129-0x0000000002530000-0x0000000002531000-memory.dmp

memory/1612-123-0x0000000002500000-0x0000000002501000-memory.dmp

memory/1612-130-0x0000000002520000-0x0000000002521000-memory.dmp

memory/1612-131-0x0000000002550000-0x0000000002551000-memory.dmp

memory/1612-132-0x0000000002540000-0x0000000002541000-memory.dmp

memory/1612-133-0x0000000002570000-0x0000000002571000-memory.dmp

memory/1612-134-0x0000000002560000-0x0000000002561000-memory.dmp

memory/1612-135-0x00000000025A0000-0x00000000025A1000-memory.dmp

memory/1612-136-0x0000000002590000-0x0000000002591000-memory.dmp

memory/1612-137-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/1612-138-0x00000000025E0000-0x00000000025E1000-memory.dmp

memory/1612-140-0x0000000002600000-0x0000000002601000-memory.dmp

memory/1612-139-0x00000000025D0000-0x00000000025D1000-memory.dmp

memory/1612-141-0x00000000025F0000-0x00000000025F1000-memory.dmp

memory/1612-143-0x0000000002610000-0x0000000002611000-memory.dmp

memory/1612-142-0x0000000002620000-0x0000000002621000-memory.dmp

memory/1612-144-0x0000000002640000-0x0000000002641000-memory.dmp

memory/1612-145-0x0000000002630000-0x0000000002631000-memory.dmp

memory/1612-146-0x0000000002660000-0x0000000002661000-memory.dmp

memory/1612-148-0x0000000002650000-0x0000000002651000-memory.dmp

memory/1612-149-0x0000000002670000-0x0000000002671000-memory.dmp

memory/1612-150-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1612-151-0x0000000002680000-0x0000000002681000-memory.dmp

memory/1612-155-0x0000000003320000-0x0000000003321000-memory.dmp

memory/1612-156-0x0000000003310000-0x0000000003311000-memory.dmp

memory/1612-157-0x0000000003340000-0x0000000003341000-memory.dmp

C:\Windows\SysWOW64\cPaner.com

MD5 a22f400ce87664d7f5c214600509fcb3
SHA1 5a807ef099b4b71e7043d0380723becb98cb6f28
SHA256 25534defb0d6daa1b4989a1aa4f4029b8333fbb31e67a90e96080bd7f365493c
SHA512 874ab03464ae78e092c224c2356fbbaa15bb66e7d4fd95138ef36dcca75910aff1d80d8dcc7c01b63a493344a1b89c514e21eb6cc317541cc047293941d68d29

memory/1612-163-0x0000000003350000-0x0000000003351000-memory.dmp

memory/1612-161-0x0000000003360000-0x0000000003361000-memory.dmp

memory/1612-159-0x0000000003330000-0x0000000003331000-memory.dmp

memory/1612-167-0x0000000003370000-0x0000000003371000-memory.dmp

memory/1612-171-0x00000000033A0000-0x00000000033A1000-memory.dmp

memory/1612-194-0x0000000003390000-0x0000000003391000-memory.dmp

memory/1612-165-0x0000000003380000-0x0000000003381000-memory.dmp

memory/1612-195-0x00000000033C0000-0x00000000033C1000-memory.dmp

memory/1612-216-0x00000000033E0000-0x00000000033E1000-memory.dmp

memory/1612-217-0x00000000033D0000-0x00000000033D1000-memory.dmp

memory/1612-281-0x0000000003400000-0x0000000003401000-memory.dmp

memory/1612-282-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1612-285-0x00000000009A0000-0x00000000009E4000-memory.dmp

memory/1612-286-0x0000000003420000-0x0000000003421000-memory.dmp

memory/4968-287-0x0000000002360000-0x0000000002361000-memory.dmp

memory/4968-288-0x0000000002370000-0x0000000002371000-memory.dmp

memory/1612-283-0x00000000033F0000-0x00000000033F1000-memory.dmp

memory/1612-196-0x00000000033B0000-0x00000000033B1000-memory.dmp

memory/4968-289-0x00000000023B0000-0x00000000023B1000-memory.dmp

memory/4968-290-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/4968-440-0x0000000000400000-0x0000000000490000-memory.dmp

memory/1788-460-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5aa228bc61037ddaf7a22dab4a04e9a1
SHA1 b50fcd8f643ea748f989a06e38c778884b3c19f2
SHA256 65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b
SHA512 2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa

memory/1788-587-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3220-595-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f5fa5178657d29a36c5dc4ac9445cbdc
SHA1 4be1a87a89715d24d52b23c59006f9cb74437ba0
SHA256 f5df5a0913b98b4c5ef35c76ba8c7601adb2698300bef0a47f23845a95942114
SHA512 54272b6eaead06588ac6605a5d995c928f2270c2bccb18891f83dc5cae98eb2c88a98b49bd553f6305659cbf51c36842840dd98fa0b44a3b693de8c7af1f6b6f

memory/3220-719-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3868-729-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e78a2688839aaee80b2bfdc4639329c5
SHA1 818a0dd05493b075a9f2eaf063e64d5a653f470a
SHA256 bd056b778b99213f8eb81f452e96f275da92f129457fae23da4e2986cf465a5d
SHA512 2821f753aa03221061be778aa9d5cffaee58fc0e1e712d8021894d91d963a3859e06afd6bd94ca6e23386e513d0be092e7b2e6a53439e14e4cbc75f5ccd97847

memory/3868-855-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4496-864-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4496-988-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3420-995-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4248-1129-0x0000000000400000-0x0000000000490000-memory.dmp

memory/4248-1258-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3044-1269-0x0000000000400000-0x0000000000490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/3224-1401-0x0000000000400000-0x0000000000490000-memory.dmp

memory/3224-1529-0x0000000000400000-0x0000000000490000-memory.dmp