Malware Analysis Report

2024-11-13 14:08

Sample ID 240227-cp4hsaed9v
Target a7f52148e5518fbedbedd9097ed70183
SHA256 2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6
Tags
lumma evasion stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6

Threat Level: Known bad

The file a7f52148e5518fbedbedd9097ed70183 was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Lumma Stealer

Modifies security service

Detect Lumma Stealer payload V4

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Runs .reg file with regedit

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-27 02:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-27 02:16

Reported

2024-02-27 02:18

Platform

win7-20240221-en

Max time kernel

143s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe N/A
File created C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe N/A
File created C:\Windows\SysWOW64\nod64.exe C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe N/A
File opened for modification C:\Windows\SysWOW64\nod64.exe C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2996 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2104 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe C:\Windows\SysWOW64\nod64.exe
PID 3008 wrote to memory of 2684 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 2684 wrote to memory of 324 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 324 wrote to memory of 2384 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2684 wrote to memory of 1288 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 1288 wrote to memory of 900 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 900 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1288 wrote to memory of 2560 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 2560 wrote to memory of 240 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 240 wrote to memory of 2032 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 2560 wrote to memory of 1968 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 1968 wrote to memory of 2864 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 2864 wrote to memory of 1728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 1968 wrote to memory of 2028 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe

"C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 512 "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 528 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 544 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 540 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 548 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 556 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 552 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 560 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 564 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 568 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

N/A

Files

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 4117e5a9c995bab9cd3bce3fc2b99a46
SHA1 80144ccbad81c2efb1df64e13d3d5f59ca4486da
SHA256 37b58c2d66ab2f896316ee0cdba30dcc9aac15a51995b8ba6c143c8ba34bf292
SHA512 bdb721bd3dea641a9b1f26b46311c05199de01c6b0d7ea2b973aa71a4f796b292a6964ddef32ba9dfc4a545768943d105f110c5d60716e0ff6f82914affb507c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

\Windows\SysWOW64\nod64.exe

MD5 a7f52148e5518fbedbedd9097ed70183
SHA1 50ccb973e8f65810edbf951c3e50e2304e5bb69d
SHA256 2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6
SHA512 f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c93c561465db53bf9a99759de9d25f07
SHA1 5386934828e2c2589bfe394ac1f03ffbfba93bfa
SHA256 32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851
SHA512 bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 cd085b8c40e69c2bf1eb3d59f8155b99
SHA1 3499260f24020fe6d54d9d632d34ba2770bb06e0
SHA256 10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c
SHA512 3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f82bc8865c1f6bf7125563479421f95c
SHA1 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d
SHA256 f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6
SHA512 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825

\Windows\SysWOW64\nod64.exe

MD5 8411da2727ff47a72ab856710db24e81
SHA1 726e2ef167a65fed55c3e76b6fdd04098b447d56
SHA256 e2c87d03abc7bd96803fa5f675d3c91d65445ce6d5c59aa75cc9778403c2250c
SHA512 984d5107eac9e9c0b03efddb7a1d9d298f7695870a06fe227e08490eacf9f223b92abaf6e19d50caaabdf7c785ab094ceff32ce5b1c8cd675aa5a767b9b0a13f

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 3bd23392c6fcc866c4561388c1dc72ac
SHA1 c4b1462473f1d97fed434014532ea344b8fc05c1
SHA256 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43
SHA512 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-27 02:16

Reported

2024-02-27 02:18

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
N/A N/A N/A N/A

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe N/A
File opened for modification C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe N/A
File created C:\Windows\SysWOW64\nod64.exe C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe N/A
File opened for modification C:\Windows\SysWOW64\nod64.exe C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3544 wrote to memory of 2084 N/A C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 5044 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3544 wrote to memory of 688 N/A C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe C:\Windows\SysWOW64\nod64.exe
PID 688 wrote to memory of 2464 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 2464 wrote to memory of 2220 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 688 wrote to memory of 3704 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 3704 wrote to memory of 1684 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 1684 wrote to memory of 2520 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3704 wrote to memory of 3308 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 3308 wrote to memory of 2792 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1348 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3308 wrote to memory of 932 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 932 wrote to memory of 3628 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 3628 wrote to memory of 2056 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 932 wrote to memory of 3304 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 3304 wrote to memory of 732 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 732 wrote to memory of 4376 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 3304 wrote to memory of 5108 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 5108 wrote to memory of 2480 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2204 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe
PID 5108 wrote to memory of 3056 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\nod64.exe
PID 3056 wrote to memory of 4044 N/A C:\Windows\SysWOW64\nod64.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe

"C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1164 "C:\Users\Admin\AppData\Local\Temp\a7f52148e5518fbedbedd9097ed70183.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1168 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1136 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1140 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1144 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1148 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1152 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1160 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1172 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\nod64.exe

C:\Windows\system32\nod64.exe 1176 "C:\Windows\SysWOW64\nod64.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3544-0-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3544-1-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3544-2-0x0000000000400000-0x000000000053C7BA-memory.dmp

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 584f47a0068747b3295751a0d591f4ee
SHA1 7886a90e507c56d3a6105ecdfd9ff77939afa56f
SHA256 927fd19c24f20ac1dff028de9d73094b2591842248c95a20a8264abf1333aea5
SHA512 ca945aad3c2d9ecadff2bc30cf23902b1254cffdf572ff9d4e7c94659255fc3467899053e4a45d3b155900c7b5b91abedf03d31af7e39870015c85e424d04257

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Windows\SysWOW64\nod64.exe

MD5 a7f52148e5518fbedbedd9097ed70183
SHA1 50ccb973e8f65810edbf951c3e50e2304e5bb69d
SHA256 2890092eb02db7f5b8d048e5e54d2963c8024502bf1bf7745f70be3ffbdd52d6
SHA512 f2d2dc873bef9fe1096221ce046db358c9d3af3f573f484e7324f8b1e3e369059f0948a4b313a9d0f5aca6160e5d2d4dbb5fa3c75953319077be984d99677c43

memory/688-121-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/688-122-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3544-199-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3704-237-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/688-239-0x0000000000400000-0x000000000053C7BA-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5088b4be1b90717121e76c1fc33c033a
SHA1 090676b012c30e6b0d6493ca1e9a31f3093cad6f
SHA256 d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a
SHA512 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

memory/3308-353-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3308-352-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3704-421-0x0000000000400000-0x000000000053C7BA-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 501effddf60a974e98b67dc8921aa7e8
SHA1 734dfe4b508dbc1527ec92e91821a1251aec5b2e
SHA256 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06
SHA512 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c

memory/3308-469-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/932-468-0x0000000000400000-0x000000000053C7BA-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e1df6d58e6c905e4628df434384b3c9
SHA1 e67dd641da70aa9654ed24b19ed06a3eb8c0db43
SHA256 25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0
SHA512 93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1c6131354c6987300ea512b765475b82
SHA1 2ad74e27ee9080f65d1b2b2e537f73d8f6b59f53
SHA256 3a16ce0b62d9b7bc6832082d30e37163bbde0eddcffe9b09f20fc118b1e0d640
SHA512 b1274a40e10dea26834d3839a4c64a593252640a8a55bcbf642b661f1711451ea81ca712cc98d0c0b9132b4aaf5c8aaac6cc974fc8cbe0eed6ffc13d1b01db68

memory/932-583-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3304-584-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3304-699-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/5108-698-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3056-814-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/5108-927-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3056-929-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3324-1044-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/1080-1046-0x0000000000400000-0x000000000053C7BA-memory.dmp

memory/3324-1045-0x0000000000400000-0x000000000053C7BA-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 67a0c98a371995d5434cb9788ee1c42f
SHA1 7171d3dca52f038ca9d9e8b13f356462dbc8f3cc
SHA256 2ac5bd7466724458c6f36bbbe6be697bfbc95d3b8f8ad486b83d595bd295dbc3
SHA512 f5b31a9e68044db25853f9a158dd4ff1da717beb5802dd11a6d3b705b5bf065304c98df3c81c8487e922d4f94690ecfb2662077bffb50cba036bcd8e50935191

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fadf3805f68986d2ee9c82f560a564e4
SHA1 87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6
SHA256 d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759
SHA512 e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 ad9e5e67282bb74482c05e3bf2eb188b
SHA1 10b02442ea4b1151a2334645c3e290a82ecfad1f
SHA256 7af82efceff1e9221d76472e6ffd6aa78ca00ccbb5fa32cb2238ed08812b931f
SHA512 b0ca37f35618547b4e5ab94eb367940a9d5a500b5c91cf2bbdddba8d1725bcc619c5acd2365711a970c307bbe0aa539b50803d119963b9f0c6da198e3157ded7

memory/3324-1161-0x0000000000400000-0x000000000053C7BA-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a7784814f96f4d714d70f0a64afd3520
SHA1 4204eb27ed46350f6608fe1717bb8ef745b94732
SHA256 c0040494b6a8c2f40ab157ccc5be9e99cbb7bb285fa39131f340a8501758b0fc
SHA512 f4fbd4d6d571a2399b997269966623dcda83085a85476b4166dbe41c507519ded016a13f92e8a37c9ea5a8b756ed601fee302a6a8122f581efcd99771b975474

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5575ef034e791d4d3b09da6c0c4ee764
SHA1 50a0851ddf4b0c4014ad91f976e953baffe30951
SHA256 9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14
SHA512 ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756