Malware Analysis Report

2024-11-13 14:08

Sample ID 240226-3z3mcaca5v
Target a7b122b234de26887fae66072351a137
SHA256 4588cf14ad219264d9a1e100ab9590f64d48bb16a29bdb59d292d1af25ee2f64
Tags lumma evasion stealer
Score 10/10

Analysis Overview

Score 10/10

SHA256 4588cf14ad219264d9a1e100ab9590f64d48bb16a29bdb59d292d1af25ee2f64

Threat Level: Known bad

The file a7b122b234de26887fae66072351a137 was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Lumma family

Detect Lumma Stealer payload V4

Lumma Stealer

Modifies security service

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-26 23:57

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma family

lumma

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-26 23:57

Reported

2024-02-27 00:00

Platform

win7-20240221-en

Max time kernel

138s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2388 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2388 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2388 wrote to memory of 2760 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2740 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2740 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2740 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2740 wrote to memory of 2684 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2760 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2760 wrote to memory of 2680 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2680 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2680 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2680 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2680 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2760 wrote to memory of 636 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2760 wrote to memory of 636 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2760 wrote to memory of 636 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2760 wrote to memory of 636 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 636 wrote to memory of 956 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 956 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 956 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 636 wrote to memory of 956 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 956 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 956 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 956 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 956 wrote to memory of 1772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 636 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 636 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 636 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 636 wrote to memory of 2560 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2560 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2656 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2656 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2656 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2656 wrote to memory of 1960 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2560 wrote to memory of 584 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2560 wrote to memory of 584 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2560 wrote to memory of 584 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2560 wrote to memory of 584 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 584 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 584 wrote to memory of 2188 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2188 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2188 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2188 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2188 wrote to memory of 2324 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 584 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 584 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 584 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 584 wrote to memory of 3016 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3016 wrote to memory of 900 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 900 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 900 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3016 wrote to memory of 900 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe

"C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 512 "C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 528 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 540 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 532 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 556 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 548 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 552 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 560 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 564 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 568 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

\Windows\SysWOW64\Windows-Time.exe

MD5 a7b122b234de26887fae66072351a137
SHA1 26cd1b664332037f040183cfc6275da0ef24848f
SHA256 4588cf14ad219264d9a1e100ab9590f64d48bb16a29bdb59d292d1af25ee2f64
SHA512 dd2a3c73812ce6e405edd6d7262d517d799105693d2504aff40a8b85a46a4cd786e30ea526eac58586bfd54b97154c35785709e1f622ae897357c4f07313f10b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e2d37af73d5fe4a504db3f8c0d560e3d
SHA1 88c6bf5b485dd9c79283ccb5d2546ffbb95e563d
SHA256 e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008
SHA512 8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a84d46ef81c793a90a80bc806cffdcf
SHA1 02fac9db9330040ffc613a325686ddca2678a7c5
SHA256 201891985252489d470c08e66c42a4cf5f9220be3051b9a167936c8f80a606c4
SHA512 b198b32fd9be872968644641248d4e3794aa095f446bab4e1c5a54b2c109df166bbdfb54d4fd8912d202f92ac69b1685ed0c30256e40f30d72e433ee987cc374

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 cd085b8c40e69c2bf1eb3d59f8155b99
SHA1 3499260f24020fe6d54d9d632d34ba2770bb06e0
SHA256 10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c
SHA512 3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2e2266221550edce9a27c9060d5c2361
SHA1 f39f2d8f02f8b3a877d5969a81c4cb12679609f3
SHA256 e19af90814641d2c6cd15a7a53d676a4a7f63b4a80a14126824d1e63fdccdcdb
SHA512 e962cc55d1f9537159c34349a2fa5ffffc910de3e52cafa8347c43eded78b8e986ecb8e2e9ada5e2381b034151f17e6b984c279460e8e114e50ea58a64648864

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a36f3bf3750851d8732b132fa330bb4
SHA1 1cb36be31f3d7d9439aac14af3d7a27f05a980eb
SHA256 5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9
SHA512 a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-26 23:57

Reported

2024-02-27 00:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A
File created C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 948 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\cmd.exe
PID 948 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 948 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 948 wrote to memory of 3988 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 1912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 1912 wrote to memory of 1916 N/A C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 1916 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 1916 wrote to memory of 5004 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 5004 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5004 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5004 wrote to memory of 3724 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1916 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 1916 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 1916 wrote to memory of 2080 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2080 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2080 wrote to memory of 4816 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 4816 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4816 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4816 wrote to memory of 220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2080 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2080 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2080 wrote to memory of 3272 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3272 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3272 wrote to memory of 3896 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3896 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3896 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3896 wrote to memory of 2396 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3272 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3272 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3272 wrote to memory of 3860 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3860 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3860 wrote to memory of 3640 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 3640 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3640 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3640 wrote to memory of 3524 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3860 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3860 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3860 wrote to memory of 2508 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2392 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 2392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2392 wrote to memory of 1224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2508 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2508 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 2508 wrote to memory of 4664 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 4664 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 4664 wrote to memory of 1480 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe
PID 1480 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1480 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1480 wrote to memory of 3760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 4664 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 4664 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 4664 wrote to memory of 3992 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\Windows-Time.exe
PID 3992 wrote to memory of 4608 N/A C:\Windows\SysWOW64\Windows-Time.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe

"C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1052 "C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1172 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1140 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1132 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1148 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1156 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1152 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1164 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1168 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Windows-Time.exe

C:\Windows\system32\Windows-Time.exe 1176 "C:\Windows\SysWOW64\Windows-Time.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
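The process list above is one procedure repeated at every level of the chain: the sample (or its dropped copy) runs `cmd.exe /c c:\a.bat`, the batch file imports `1.reg` silently with `REGEDIT /S`, and the sample relaunches itself from `C:\Windows\SysWOW64\Windows-Time.exe` passing a PID and the quoted path of its parent. The following detection logic is an added example, not part of the sandbox report. It runs over events constructed to mirror the report's process tree, the "Drops file in System32 directory" signature and the `wscsvc`/`wuauserv` `Start = 4` writes from the Signatures section; the Sysmon-style field names (`EventID`, `ParentImage`, `Image`, `CommandLine`, `TargetFilename`, `TargetObject`, `Details`) are an assumption of the example, not the sandbox's own schema. Two benign control events (an interactive `regedit.exe` and an administrator importing a `.reg` file from a non-user-writable path) are included to show why the `/S` and path conditions matter.

```python
"""Detection rules for the regedit /S + Windows-Time.exe relaunch chain.

Added example, not part of the sandbox report. Events below are constructed
to mirror the report; the Sysmon-like field names are an assumption.
"""
import re

# Paths a standard user can write to; a .reg imported from here is suspect.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|Users\\Public|ProgramData)\\", re.I)
# Services the report shows being set to Start = 4 (SERVICE_DISABLED).
# Extend with whatever else your environment treats as protected.
SECURITY_SERVICES = ("wscsvc", "wuauserv")
SERVICE_START = re.compile(r"\\services\\(" + "|".join(SECURITY_SERVICES) + r")\\Start$", re.I)
# Relaunch shape from the report: <image> <pid> "<parent path>"
RELAUNCH = re.compile(r'^\S+\.exe\s+\d+\s+"[^"]+\.exe"\s*$', re.I)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a7b122b234de26887fae66072351a137.exe"
DROPPED = r"C:\Windows\SysWOW64\Windows-Time.exe"

# Constructed events (indexes are referenced by the usage note / test).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": SAMPLE, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c c:\a.bat"},                       # 0
    {"EventID": 1, "ParentImage": r"C:\Windows\SysWOW64\cmd.exe",
     "Image": r"C:\Windows\SysWOW64\regedit.exe",
     "CommandLine": r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"},            # 1
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": DROPPED},                        # 2
    {"EventID": 1, "ParentImage": SAMPLE, "Image": DROPPED,
     "CommandLine": r'C:\Windows\system32\Windows-Time.exe 1052 "' + SAMPLE + '"'},    # 3
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wscsvc\Start",
     "Details": "DWORD (0x00000004)"},                                                 # 4
    {"EventID": 13, "Image": r"C:\Windows\SysWOW64\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\services\wuauserv\Start",
     "Details": "DWORD (0x00000004)"},                                                 # 5
    # Benign controls: interactive regedit, and an admin import from C:\deploy.
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\regedit.exe", "CommandLine": r"C:\Windows\regedit.exe"},   # 6
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\regedit.exe", "CommandLine": r"regedit /s C:\deploy\policy.reg"},  # 7
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def rules_for(ev):
    """Return the names of every rule a single event matches."""
    hits = []
    eid = ev.get("EventID")
    if eid == 1:  # process creation
        parent, image, cmd = ev.get("ParentImage", ""), ev.get("Image", ""), ev.get("CommandLine", "")
        # regedit.exe spawned by cmd.exe, silent (/S), importing a .reg from a
        # user-writable path: the "Runs .reg file with regedit" step.
        if (basename(image) == "regedit.exe" and basename(parent) == "cmd.exe"
                and re.search(r"(^|\s)/S(\s|$)", cmd, re.I)
                and USER_WRITABLE.search(cmd) and cmd.lower().rstrip().endswith(".reg")):
            hits.append("silent_reg_import_from_temp")
        # An image in System32/SysWOW64 started with "<pid> "<parent exe>"" as its
        # arguments: the self-relaunch seen at every level of the chain.
        if SYSTEM_DIR.match(image) and RELAUNCH.match(cmd):
            hits.append("self_relaunch_with_parent_path")
    elif eid == 11:  # file creation
        # A Temp-resident process writing an .exe into a system directory.
        if (SYSTEM_DIR.match(ev.get("TargetFilename", ""))
                and ev["TargetFilename"].lower().endswith(".exe")
                and USER_WRITABLE.search(ev.get("Image", ""))):
            hits.append("exe_dropped_in_system_dir")
    elif eid == 13:  # registry value set
        # Start = 4 disables the service (wscsvc = Security Center, wuauserv = Windows Update).
        if (SERVICE_START.search(ev.get("TargetObject", ""))
                and ev.get("Details", "").endswith("(0x00000004)")):
            hits.append("security_service_disabled")
    return hits


def detect(events):
    """Map rule name -> list of event indexes that triggered it."""
    out = {}
    for i, ev in enumerate(events):
        for rule in rules_for(ev):
            out.setdefault(rule, []).append(i)
    return out


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idx}")
```

On a live host the registry path is usually reported under `CurrentControlSet` rather than `ControlSet001`; the `SERVICE_START` pattern deliberately ignores the prefix so both forms match. The `self_relaunch_with_parent_path` rule keys on the argument shape visible in the report rather than on the file name `Windows-Time.exe`, so it still fires if a later build picks a different name for the dropped copy.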

Network

Only reverse (PTR) lookups of in-addr.arpa names, sent to 8.8.8.8, were captured; no command-and-control domain appears in this detonation's network log, so the indicators of value here are host-based (see Processes and Files).

Country Destination Domain Proto
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

The dropped C:\Windows\SysWOW64\Windows-Time.exe carries the same MD5 and SHA256 as the submitted sample, i.e. it is a byte-identical copy. C:\Users\Admin\AppData\Local\Temp\1.reg is rewritten on every relaunch with different contents, so the per-run hashes listed for it below are not stable indicators; match on the path and the regedit /S invocation instead.

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4be01c629881eddccb675ba267a66899
SHA1 23324e7814bcd157b27e810f4c786b0c39bfc9b1
SHA256 39c14522925e5e55bf1eefcd5beb8b7aae687158163082aac7ef5690c3524a30
SHA512 7c3063badaa57e3a39eea5d87e6bdbeec00793f9afd2bea52d3aa354e0bbd83e2a63966438fe7305f29a0ee6f45cb77d4613fe2d3b4f6719e16860deae764d55

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Windows\SysWOW64\Windows-Time.exe

MD5 a7b122b234de26887fae66072351a137
SHA1 26cd1b664332037f040183cfc6275da0ef24848f
SHA256 4588cf14ad219264d9a1e100ab9590f64d48bb16a29bdb59d292d1af25ee2f64
SHA512 dd2a3c73812ce6e405edd6d7262d517d799105693d2504aff40a8b85a46a4cd786e30ea526eac58586bfd54b97154c35785709e1f622ae897357c4f07313f10b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c1e5f93e2bee9ca33872764d8889de23
SHA1 167f65adfc34a0e47cb7de92cc5958ee8905796a
SHA256 8f5276e847b1c6beb572b1eeae20f98784aae11ea2d8f8860adcdb78fd9dca3a
SHA512 482741b0df7bf6e94ba9667892fe12125df30812e21de40fd60dee540922da70ffb6db4a0c0e17346e714d4bb6e49e2d4eca53c0d5194cd888903071c82b8859

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a437192517c26d96c8cee8d5a27dd560
SHA1 f665a3e5e5c141e4527509dffd30b0320aa8df6f
SHA256 d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23
SHA512 f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 2299014e9ce921b7045e958d39d83e74
SHA1 26ed64f84417eb05d1d9d48441342ca1363084da
SHA256 ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57
SHA512 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fa83299c5a0d8714939977af6bdafa92
SHA1 46a4abab9b803a7361ab89d0ca000a367550e23c
SHA256 f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03
SHA512 85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4117e5a9c995bab9cd3bce3fc2b99a46
SHA1 80144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA256 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512 bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 eee5718ce97d259fd8acec31375fc375
SHA1 989c64b0c9a049f1b7ad9e677c4566ab1559744f
SHA256 1975123645c58e5160d63cc6ab8430f9dd0bc70d5cddafccf3687d655730dcfb
SHA512 6c2e14846b20128ac8bea8470b4455fd4b65de7457c216824cfa7008fafa41c29445290de6780dc4f6f3beea97ec3137c02c9b7504877d6c845e573a7b7db610

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 bef09dc596b7b91eec4f38765e0965b7
SHA1 b8bb8d2eb918e0979b08fd1967dac127874b9de5
SHA256 8dab724d5941eb7becff35ce1a76e8525dcdca024900e70758300dcdddf8e265
SHA512 0bbce4150b47bafb674f2074fdfc20df86edadb85037f93c541d1d53f721ed52e37a49d14522dac56e9d2e9ce801bcdb701509fa02285778a086d547f1be966a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f82bc8865c1f6bf7125563479421f95c
SHA1 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d
SHA256 f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6
SHA512 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8c6aa92ac8ffdfb7a0fb3dafd14d65f1
SHA1 cac3992d696a99a5dec2ab1c824c816117414b16
SHA256 dc98a84d679d0ba1e36e3142000fa9fd7c5cd4606e07cbcb33f12c98bc1510fa
SHA512 f17a7cbfc11ce2a258aee2857720dcc72ddcfd17ebe9c9b1b04bedb52835c2b35ca4bb649fd5ef3d7ef3f9585f87ef321efec52cb7524be3b83a919999c4900c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a57e37dfb6f88b2d04424936ed0b4afb
SHA1 35e2f81486b8420b88b7693ad3e92f846367cb12
SHA256 411f47af20b97f1fe35d3ff6f2a03a77301c8bee20cdfd4638a68430af77456d
SHA512 41f683cc837a2ac36eaf8c32ac336534d329eb482c1a7bd23728b3878492ce79488647df4746701c15254e552e3460f8efa8cec9448a252146596c7926dff448

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8a36f3bf3750851d8732b132fa330bb4
SHA1 1cb36be31f3d7d9439aac14af3d7a27f05a980eb
SHA256 5d88aebc1d13a61609ef057cb38dc9d7b0a04a47a7670a7591f40d1ea05b6ad9
SHA512 a822885389f3b12baed60b565646bed97aea1740e163e236ca3647fb63a9c15f6e21bc5ff92eb2d47bb6b1268c71ffb8e5e84006f3c04377d9d3a7c16434e646

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b