Analysis
- max time kernel: 146s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
- submitted: 27-02-2024 03:36
- Static task: static1
- Behavioral task: behavioral1 (Sample: a81de519432b6d76d9b881cff0cf9cef.exe, Resource: win7-20240221-en)
General
- Target: a81de519432b6d76d9b881cff0cf9cef.exe
- Size: 304KB
- MD5: a81de519432b6d76d9b881cff0cf9cef
- SHA1: e35a6446307b3e55db9097cee2cdeec87e6145b6
- SHA256: bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
- SHA512: eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730
- SSDEEP: 6144:qR1VpFoIbQFCgMWt14yRjfT/OlaazY660vT+YZj+0Ccdak:qR1VpWIUw/k14ojfifd60rbZQcck
Malware Config
Signatures
-
Detect Lumma Stealer payload V4 (44 IoCs)
resource pattern: behavioral2/memory/<pid>-<dump>-0x0000000000400000-0x0000000000517000-memory.dmp; yara_rule: family_lumma_v4
- PID 3904: dumps 2, 3, 4, 6, 129
- PID 4172: dumps 126, 127, 131, 241
- PID 2100: dumps 247, 248, 252, 362
- PID 3256: dumps 368, 369, 372, 483
- PID 1948: dumps 489, 490, 493, 604
- PID 552: dumps 610, 611, 613, 725
- PID 1096: dumps 731, 732, 767, 846
- PID 5060: dumps 852, 853, 857, 967
- PID 4548: dumps 973, 974, 977, 1088
- PID 1772: dumps 1094, 1095, 1098, 1209
- PID 3868: dumps 1215, 1216, 1220
Every hit covers the same 0x117000-byte image range at 0x400000, and every hit PID is one of the eleven SetThreadContext targets listed below (the hollowed child of each generation); none of the eleven injecting parents matches. The unpacked Lumma image therefore exists only inside the hollowed processes, which is where a memory scan or dump should be taken.
Modifies security service (2 TTPs, 22 IoCs)
Processes: regedit.exe (11 instances)
description | ioc | process
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" by regedit.exe (11 entries)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" by regedit.exe (11 entries)
Start = 4 is SERVICE_DISABLED: the silently imported 1.reg (REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg in the process tree) disables Windows Update (wuauserv) and Windows Security Center (wscsvc). This edits the stored service configuration; it stops the services from being started again rather than terminating a running instance, and it is done once per generation by each of the eleven regedit.exe processes. \REGISTRY\MACHINE\SYSTEM\ControlSet001 is the resolved form of HKLM\SYSTEM\CurrentControlSet (a symbolic link, typically to ControlSet001), so a hunt should match either spelling.
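Parsing the "Set value" IoC lines above into service start-type changes, as an added example written for this page (it is not part of the sandbox report or its tooling). The input format is the report's own IoC line. wuauserv and wscsvc are the services the report shows; the other two entries in WATCHED_SERVICES and the alert wording are the example's assumptions. The constructed input mixes three lines copied from the report with two benign lines to show they are ignored, and the regex accepts ControlSetNNN as well as CurrentControlSet so the same parser works on exported hives and on Sysmon Event 13 TargetObject strings.

```python
r"""Turn the report's 'Set value' registry IoC lines into service start-type changes.

Added example written for this page; it is not part of the sandbox report or
its tooling.  Input lines use the report's own IoC format, e.g.
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" regedit.exe
Everything in WATCHED_SERVICES other than wuauserv and wscsvc is an assumption.
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# SCM start types as stored in the Start value (standard Windows constants).
START_TYPE = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
              3: "DEMAND_START", 4: "DISABLED"}

# Services whose disabling is a defence-evasion signal.  wuauserv and wscsvc are
# the two the report shows; windefend and mpssvc are assumptions for a real hunt.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Security Center",
    "windefend": "Microsoft Defender Antivirus",  # assumption, not in the report
    "mpssvc": "Windows Defender Firewall",        # assumption, not in the report
}

# Accepts ControlSetNNN or CurrentControlSet so the same parser works on
# exported hives and on Sysmon Event 13 TargetObject strings.
IOC_RE = re.compile(
    r'^Set value \((?P<vtype>\w+)\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)'
    r'\\Services\\(?P<svc>[^\\]+)\\Start = "(?P<val>\d+)" (?P<proc>\S+)$'
)

@dataclass(frozen=True)
class StartChange:
    service: str
    start: int
    process: str

def parse_ioc(line: str) -> StartChange | None:
    """Return a StartChange for a Services/<svc>/Start IoC line, else None."""
    m = IOC_RE.match(line.strip())
    if not m:
        return None
    return StartChange(m["svc"].lower(), int(m["val"]), m["proc"])

def find_disabled_security_services(lines) -> Counter:
    """Count (service, writing process) pairs where a watched service was set to DISABLED."""
    hits: Counter = Counter()
    for line in lines:
        ch = parse_ioc(line)
        if ch and ch.service in WATCHED_SERVICES and START_TYPE.get(ch.start) == "DISABLED":
            hits[(ch.service, ch.process)] += 1
    return hits

def describe(hits) -> list[str]:
    """Human-readable alert lines, sorted for stable output."""
    return [f"{proc} disabled {WATCHED_SERVICES[svc]} ({svc}) x{n}"
            for (svc, proc), n in sorted(hits.items())]

# Constructed input: three lines copied from the report's IoC list plus two
# benign lines (a manual-start change on an unwatched service, and an unrelated
# Set value) that must not be flagged.
SAMPLE = [
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start = "4" regedit.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\wscsvc\\Start = "4" regedit.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\wuauserv\\Start = "4" regedit.exe',
    'Set value (int) \\REGISTRY\\MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Spooler\\Start = "3" services.exe',
    'Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\Example\\Key = "x" setup.exe',
]

if __name__ == "__main__":
    for alert in describe(find_disabled_security_services(SAMPLE)):
        print(alert)
```

Run stand-alone it prints two alert lines (wscsvc x1, wuauserv x2); feeding it all 22 lines from the signature above gives 11 of each. Keying the counter on the writing process matters in practice: services.exe changing a Start value is routine, regedit.exe or cmd.exe doing it is not.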
Executes dropped EXE (20 IoCs)
Processes: netX.exe (20 instances)
pid | process
- 5044, 4172, 5052, 2100, 4016, 3256, 4088, 1948, 4244, 552, 4084, 1096, 3720, 5060, 4948, 4548, 4396, 1772, 3716, 3868 (all netX.exe)
Drops file in System32 directory (22 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (10 instances)
description | ioc | process
- File created C:\Windows\SysWOW64\netX.exe: once by a81de519432b6d76d9b881cff0cf9cef.exe (PID 3904), then once by each of the ten hollowed netX.exe copies that spawned a further generation (11 entries)
- File opened for modification C:\Windows\SysWOW64\netX.exe: once by a81de519432b6d76d9b881cff0cf9cef.exe, then once by each of the same ten netX.exe copies (11 entries)
Despite the signature name the path is C:\Windows\SysWOW64: the sample is 32-bit (the tree shows SysWOW64\cmd.exe and SysWOW64\regedit.exe), so a write to C:\Windows\system32 is redirected there by WOW64 file-system redirection. Every generation re-creates and re-opens the same single path, so one file IoC covers the whole chain.
Suspicious use of SetThreadContext (11 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (10 instances)
description | pid | process | target process
- PID 864 a81de519432b6d76d9b881cff0cf9cef.exe set thread context of 3904 a81de519432b6d76d9b881cff0cf9cef.exe
- PID 5044 netX.exe set thread context of 4172 netX.exe
- PID 5052 netX.exe set thread context of 2100 netX.exe
- PID 4016 netX.exe set thread context of 3256 netX.exe
- PID 4088 netX.exe set thread context of 1948 netX.exe
- PID 4244 netX.exe set thread context of 552 netX.exe
- PID 4084 netX.exe set thread context of 1096 netX.exe
- PID 3720 netX.exe set thread context of 5060 netX.exe
- PID 4948 netX.exe set thread context of 4548 netX.exe
- PID 4396 netX.exe set thread context of 1772 netX.exe
- PID 3716 netX.exe set thread context of 3868 netX.exe
In every pair the target is a child the parent just created from its own image; the parent writes to it eight times (see WriteProcessMemory below) and then rewrites its thread context. That sequence is the process-hollowing (RunPE) pattern, and it is the hollowed child, not the injector, in which the Lumma YARA rule fires.
Runs .reg file with regedit (11 IoCs)
Processes: regedit.exe (11 instances)
pid | process
- 3956, 2324, 756, 464, 2344, 4944, 4804, 3260, 556, 1004, 4000 (all regedit.exe)
Suspicious use of SetWindowsHookEx (11 IoCs)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe, netX.exe (10 instances)
pid | process
- 864 a81de519432b6d76d9b881cff0cf9cef.exe; 5044, 5052, 4016, 4088, 4244, 4084, 3720, 4948, 4396, 3716 netX.exe
These are exactly the eleven injecting parents from the SetThreadContext list, i.e. the hook is installed by the loader stage, not by the hollowed payload process.
Suspicious use of WriteProcessMemory (64 IoCs; the list is capped at 64 entries)
Processes: a81de519432b6d76d9b881cff0cf9cef.exe (2), cmd.exe (4), netX.exe (6)
pid | process | target process (number of writes)
- 864 a81de519432b6d76d9b881cff0cf9cef.exe wrote to 3904 a81de519432b6d76d9b881cff0cf9cef.exe (8)
- 3904 a81de519432b6d76d9b881cff0cf9cef.exe wrote to 1764 cmd.exe (3)
- 1764 cmd.exe wrote to 1004 regedit.exe (3)
- 3904 a81de519432b6d76d9b881cff0cf9cef.exe wrote to 5044 netX.exe (3)
- 5044 netX.exe wrote to 4172 netX.exe (8)
- 4172 netX.exe wrote to 2616 cmd.exe (3)
- 2616 cmd.exe wrote to 2344 regedit.exe (3)
- 4172 netX.exe wrote to 5052 netX.exe (3)
- 5052 netX.exe wrote to 2100 netX.exe (8)
- 2100 netX.exe wrote to 872 cmd.exe (3)
- 872 cmd.exe wrote to 4944 regedit.exe (3)
- 2100 netX.exe wrote to 4016 netX.exe (3)
- 4016 netX.exe wrote to 3256 netX.exe (8)
- 3256 netX.exe wrote to 3160 cmd.exe (3)
- 3160 cmd.exe wrote to 4000 regedit.exe (2; the list is cut off here at the 64-entry cap)
Three writes accompany every plain process start in this run, including cmd.exe starting regedit.exe, and are not suspicious on their own. The eight-write groups are exactly the SetThreadContext pairs and are where the injected image is written into the hollowed child.
Processes
The bracketed number is the report's nesting level. The same unit repeats down the tree: an injector at an odd level starts a child from its own image, that child (even level) is hollowed and carries the Lumma payload, and the hollowed child runs cmd.exe /c c:\a.bat (which imports 1.reg with REGEDIT /S) plus a fresh injector netX.exe. Eleven hollowed processes and eleven regedit.exe runs result; the last hollowed copy (PID 3868) reached only the cmd.exe/regedit.exe step within the analysis window. Processes after PID 3160 carry no "Suspicious use of WriteProcessMemory" tag, which matches the 64-entry cap on that IoC list rather than a change in behaviour.
-
[1] PID 864  C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
    Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[2] PID 3904  C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
    Drops file in System32 directory; Suspicious use of WriteProcessMemory
[3] PID 1764  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    Suspicious use of WriteProcessMemory
[4] PID 1004  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[3] PID 5044  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[4] PID 4172  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[5] PID 2616  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    Suspicious use of WriteProcessMemory
[6] PID 2344  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[5] PID 5052  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1168 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[6] PID 2100  C:\Windows\SysWOW64\netX.exe
    cmdline: "C:\Windows\SysWOW64\netX.exe" €s¦ˆ  (non-printable argument bytes, as captured)
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[7] PID 872  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    Suspicious use of WriteProcessMemory
[8] PID 4944  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[7] PID 4016  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
[8] PID 3256  C:\Windows\SysWOW64\netX.exe
    cmdline: "C:\Windows\SysWOW64\netX.exe" €  (non-printable argument bytes, as captured)
    Executes dropped EXE; Drops file in System32 directory; Suspicious use of WriteProcessMemory
[9] PID 3160  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    Suspicious use of WriteProcessMemory
[10] PID 4000  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[9] PID 4088  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[10] PID 1948  C:\Windows\SysWOW64\netX.exe
    cmdline: "C:\Windows\SysWOW64\netX.exe" €H‡ÿ‘  (non-printable argument bytes, as captured)
    Executes dropped EXE; Drops file in System32 directory
[11] PID 2456  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[12] PID 3956  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[11] PID 4244  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[12] PID 552  C:\Windows\SysWOW64\netX.exe
    cmdline: "C:\Windows\SysWOW64\netX.exe" €Y;Úc  (non-printable argument bytes, as captured)
    Executes dropped EXE; Drops file in System32 directory
[13] PID 4996  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[14] PID 2324  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[13] PID 4084  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1144 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[14] PID 1096  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory
[15] PID 2128  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[16] PID 756  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[15] PID 3720  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[16] PID 5060  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory
[17] PID 5108  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[18] PID 4804  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[17] PID 4948  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[18] PID 4548  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory
[19] PID 2296  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[20] PID 3260  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[19] PID 4396  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[20] PID 1772  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory
[21] PID 4476  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[22] PID 556  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
[21] PID 3716  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
    Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of SetWindowsHookEx
[22] PID 3868  C:\Windows\SysWOW64\netX.exe
    cmdline: C:\Windows\SysWOW64\netX.exe
    Executes dropped EXE; Drops file in System32 directory
[23] PID 4852  C:\Windows\SysWOW64\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c c:\a.bat
    (no signatures)
[24] PID 464  C:\Windows\SysWOW64\regedit.exe
    cmdline: REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    Modifies security service; Runs .reg file with regedit
-
[1] PID 3536  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (separate root process, not a child of the sample)
    cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
    (no signatures)
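The SetThreadContext and WriteProcessMemory signatures and the process tree above describe one repeating sequence. The following added example, written for this page and not the sandbox's or any vendor's code, turns that telemetry into two detections: a same-image child whose thread context is rewritten by its parent is marked as hollowed, and a hollowed process that runs cmd.exe /c <something>.bat, which in turn runs REGEDIT /S <file>.reg, is reported as a silent registry import. The process records are constructed from the first two generations of the tree (PIDs, images and command lines as listed there); the record schema and the way SetThreadContext pairs are supplied are the example's assumptions about what an EDR would provide.

```python
r"""Process-tree analytic for the self-replicating hollowing chain in the report.

Added example written for this page; not part of the sandbox report.  The
records below are hand-constructed from the report's first two generations
(PIDs, images, command lines as listed) in a simplified EDR-style schema; the
schema and the SetThreadContext pairing are this example's own assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import ntpath

@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    hollowed: bool = False
    children: list[int] = field(default_factory=list)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
NETX = r"C:\Windows\SysWOW64\netX.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REGEDIT = r"C:\Windows\SysWOW64\regedit.exe"

# Constructed process-creation records (pid, ppid, image, cmdline), excerpted
# from the report's tree: sample -> hollowed copy -> cmd/regedit + netX.exe -> ...
PROCS = [
    (864, 1, SAMPLE, f'"{SAMPLE}"'),
    (3904, 864, SAMPLE, f'"{SAMPLE}"'),
    (1764, 3904, CMD, r"C:\Windows\system32\cmd.exe /c c:\a.bat"),
    (1004, 1764, REGEDIT, r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    (5044, 3904, NETX, f'C:\\Windows\\system32\\netX.exe 1136 "{SAMPLE}"'),
    (4172, 5044, NETX, NETX),
    (2616, 4172, CMD, r"C:\Windows\system32\cmd.exe /c c:\a.bat"),
    (2344, 2616, REGEDIT, r"REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg"),
    (5052, 4172, NETX, f'C:\\Windows\\system32\\netX.exe 1168 "{NETX}"'),
]
# Constructed SetThreadContext records (source pid, target pid), as in the report.
SET_THREAD_CONTEXT = [(864, 3904), (5044, 4172)]

def build_tree(procs, thread_ctx) -> dict[int, Proc]:
    """Index processes by pid, link children, and mark hollowed targets."""
    tree = {p[0]: Proc(*p) for p in procs}
    for p in tree.values():
        if p.ppid in tree:
            tree[p.ppid].children.append(p.pid)
    # Hollowing heuristic: a parent rewrites the thread context of a child it
    # created from the same image.  Plain CreateProcess never does this.
    for src, dst in thread_ctx:
        if dst in tree and tree[dst].ppid == src and tree[dst].image.lower() == tree[src].image.lower():
            tree[dst].hollowed = True
    return tree

def silent_reg_imports(tree) -> list[tuple[int, int, int]]:
    """(hollowed pid, cmd pid, regedit pid) triples: a .bat run from a hollowed process imports a .reg with /S."""
    out = []
    for p in tree.values():
        if not p.hollowed:
            continue
        for c in map(tree.get, p.children):
            if ntpath.basename(c.image).lower() != "cmd.exe" or ".bat" not in c.cmdline.lower():
                continue
            for g in map(tree.get, c.children):
                argv = g.cmdline.lower().split()
                if ntpath.basename(g.image).lower() == "regedit.exe" and "/s" in argv and argv[-1].endswith(".reg"):
                    out.append((p.pid, c.pid, g.pid))
    return out

def hollowing_chain(tree, root: int) -> list[int]:
    """Walk injector -> hollowed child -> next injector and return the hollowed pids in order."""
    chain, pid = [], root
    while True:
        hollowed = [c for c in tree[pid].children if tree[c].hollowed]
        if not hollowed:
            return chain
        chain.append(hollowed[0])
        # The next injector is a child of the hollowed process that itself has a hollowed child.
        nxt = [c for c in tree[hollowed[0]].children if any(tree[g].hollowed for g in tree[c].children)]
        if not nxt:
            return chain
        pid = nxt[0]

if __name__ == "__main__":
    t = build_tree(PROCS, SET_THREAD_CONTEXT)
    print("hollowed:", hollowing_chain(t, 864))          # [3904, 4172]
    print("silent .reg imports:", silent_reg_imports(t))  # [(3904, 1764, 1004), (4172, 2616, 2344)]
```

On the excerpt this yields two hollowed processes and two silent imports; over the full tree it would return the eleven of each that the signatures count. The same-image condition is what keeps the hollowing rule quiet on ordinary parent-child writes (cmd.exe starting regedit.exe also shows WriteProcessMemory in the report) while still firing on a loader that reuses its own binary as the host.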
Network
MITRE ATT&CK Enterprise v15
Downloads
Nineteen files; the report gives sizes and hashes only, not paths or names.
-
Filesize 360B
MD5 3a1a83c2ffad464e87a2f9a502b7b9f1
SHA1 4ffa65ecdd0455499c8cd6d05947605340cbf426
SHA256 73ed949fba75a20288ac2d1e367180d4c8837fd31c66143707768d5b0e3bd8b6
SHA512 8232967faaf29b8b93b5042ba2bb1fcb6d0f0f2fa0e19573b1fe49f526ba434c5e76e932829e3c71beb0903e42c293ed202b619fee8aba93efe4a99e8aec55e2
-
Filesize 1KB
MD5 c2d6056624c1d37b1baf4445d8705378
SHA1 90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83
SHA256 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96
SHA512 d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29
-
Filesize 3KB
MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a
-
Filesize 2KB
MD5 d8be0d42e512d922804552250f01eb90
SHA1 cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3
SHA256 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82
SHA512 f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97
-
Filesize 2KB
MD5 63ff40a70037650fd0acfd68314ffc94
SHA1 1ab29adec6714edf286485ac5889fddb1d092e93
SHA256 1e607f10a90fdbaffe26e81c9a5f320fb9c954391d2adcc55fdfdfca1601714b
SHA512 2b41ce69cd1541897fbae5497f06779ac8182ff84fbf29ac29b7c2b234753fe44e7dfc6e4c257af222d466536fa4e50e247dcb68a9e1ad7766245dedfcfb6fdc
-
Filesize 3KB
MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209
-
Filesize 3KB
MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b
-
Filesize 851B
MD5 a13ff758fc4326eaa44582bc9700aead
SHA1 a4927b4a3b84526c5c42a077ade4652ab308f83f
SHA256 c0915178e63bf84c54e9c942b5cc80327c24d84125042767d7e1e2ef3e004588
SHA512 86c336086a1d0ca689e133df8e3c3ec83eeef86649dbf8b9d367c3e543358ad54f69d1a20d56c56200e294f22b2741186db0f359051159b4e670d3e9b5861842
-
Filesize 3KB
MD5 5aa228bc61037ddaf7a22dab4a04e9a1
SHA1 b50fcd8f643ea748f989a06e38c778884b3c19f2
SHA256 65c7c12f00303ec69556e7e108d2fb3881b761b5e68d12e8ae94d80ab1fd7d8b
SHA512 2ac1a9465083463a116b33039b4c4014433bda78a61e6312dde0e8f74f0a6a6881017041985871badee442a693d66385fe87cbfc60f1309f7a3c9fb59ec6f2aa
-
Filesize 2KB
MD5 294976e85ad11a45853f99c1b208723f
SHA1 8d83101d69420b5af97ec517165d849d3ab498fc
SHA256 04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff
SHA512 e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6
-
Filesize 1KB
MD5 f1cbbc2ce0d93c45a92edcc86780e9f0
SHA1 d893306caae2584cdeba4c80c3bfe18548fa227a
SHA256 6646122747280612f7cb0e88c16544e472aae7c20217b711bbee8f10562e49c7
SHA512 b4ba834ab846d1dc9bbeca52e54705cdbf010687a5c1c54a82fddc15c64025528ef874213a59d1be5fb7ada7abd0862235a0c924f10819fbbfb36bd2ba29adf7
-
Filesize 2KB
MD5 1b2949b211ab497b739b1daf37cd4101
SHA1 12cad1063d28129ddd89e80acc2940f8dfbbaab3
SHA256 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c
SHA512 a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef
-
Filesize 1KB
MD5 5002319f56002f8d7ceacecf8672ce25
SHA1 3b26b6801be4768cc7582e29bc93facdf2a74be3
SHA256 f23f4854d17525744e8028db6dde6eb7d5d664b0ee1b08870c9c01b639e0124c
SHA512 8eae0fabc7f5a7e452abacf988a3632874c556af409da5e60c5e529524732b40f22d4e1d860ccceae87642875c819fc8a8120eceaabd25861f920c8c066a9aef
-
Filesize 1KB
MD5 a437192517c26d96c8cee8d5a27dd560
SHA1 f665a3e5e5c141e4527509dffd30b0320aa8df6f
SHA256 d0ec3ddd0503ee6ddae52c33b6c0b8780c73b8f27ca3aadc073f7fa512702e23
SHA512 f9538163b6c41ff5419cb12a9c103c0da5afbfe6237317985d45ff243c4f15ee89a86eab2b4d02cbda1a14596d2f24d3d1cdf05bb3e5fd931fbe9be4b869aa41
-
Filesize 3KB
MD5 8d6eb64e58d3f14686110fcaf1363269
SHA1 d85c0b208716b400894ba4cb569a5af4aa178a2f
SHA256 c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5
SHA512 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7
-
Filesize 17KB
MD5 eef77222a3e979f58cb3b5c08cbddd68
SHA1 e20201618d329c4cee535a85c7e64511e99c0976
SHA256 c90406c4af8728ec268159452abdca3d1f670a6af3caea7daa4796129ed8820c
SHA512 32cb83cf924f937204b2cee2f5103676d74b77a05a32e7dbaf1d07395956c0f6078ec3da3383ffdf0ae8d60075f979e7e0c33e97c5a22863a87ec363dcc1a602
-
Filesize 304KB (same hashes as the submitted sample listed under General)
MD5 a81de519432b6d76d9b881cff0cf9cef
SHA1 e35a6446307b3e55db9097cee2cdeec87e6145b6
SHA256 bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
SHA512 eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730
-
Filesize 285KB
MD5 3e18bc121e44850ac941541a4ad7126e
SHA1 5e8e589d5ce5d6c119fa879b64606060a04ff0b7
SHA256 ee067497e476ac34d73c10dd72a992020bcceb2165d3454e6c7efc7eaf41027e
SHA512 ff53391ae2f51e6e3acc8e39e75d0d20268b369fa6f268cb24ab37d2ad9160f16d6323a81805becaaacd648c8d34f62d89033cfd3d3aeb47925bffd74d3f69f6
-
Filesize 5KB
MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904