Analysis Overview
SHA256
bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce
Threat Level: Known bad
The file a81de519432b6d76d9b881cff0cf9cef was found to be: Known bad.
Malicious Activity Summary
Modifies security service
Lumma Stealer
Detect Lumma Stealer payload V4
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Unsigned PE
Runs .reg file with regedit
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-27 03:36
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-27 03:36
Reported
2024-02-27 03:38
Platform
win7-20240221-en
Max time kernel
142s
Max time network
123s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
Suspicious use of SetThreadContext
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 512 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 532 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 524 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
memory/2208-2-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-4-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-6-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-8-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2208-12-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-14-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2208-16-0x0000000000400000-0x0000000000517000-memory.dmp
C:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 558ce6da965ba1758d112b22e15aa5a2 |
| SHA1 | a365542609e4d1dc46be62928b08612fcabe2ede |
| SHA256 | c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb |
| SHA512 | 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 7fe70731de9e888ca911baeb99ee503d |
| SHA1 | 0073da5273512f66dbf570580dc55957535c2478 |
| SHA256 | ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a |
| SHA512 | 4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac |
\Windows\SysWOW64\netX.exe
| MD5 | a81de519432b6d76d9b881cff0cf9cef |
| SHA1 | e35a6446307b3e55db9097cee2cdeec87e6145b6 |
| SHA256 | bd8c7e7ef7ae77f7f99f3408108fd9757f71141e6e990cee3d16a4d4bb17d2ce |
| SHA512 | eb10557925254fa38759998c04dab4429e8a90574a6cd4aa3e0c3fea109c4dd80dd23781a5a92a5d4501d4befb057053d3c1e33f40181db379a932f06cf41730 |
C:\Windows\SysWOW64\netX.exe
| MD5 | a44ba2322cc89663d4f956a1f29b124b |
| SHA1 | f27eabd4a09aa6063c591bd2fb64dbb0aad0955b |
| SHA256 | 70c777afc8d0c0825ac19eccec2ca19b815b24f125ad5df70e9c19fbf0494f40 |
| SHA512 | 98cb33d231971176fc8744cfa106d1791e10fe1538ca66f9b28750b7a90e9aa9b2ecf9a8f285bd2889e513c6a5535e7f9844ef93cef5ea82254510af545c55ba |
memory/2208-150-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1972-167-0x0000000000400000-0x0000000000517000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 54ca6e3ef1c12b994043e85a8c9895f0 |
| SHA1 | 5eaccfb482cbe24cf5c3203ffdc926184097427e |
| SHA256 | 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0 |
| SHA512 | 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5a466127fedf6dbcd99adc917bd74581 |
| SHA1 | a2e60b101c8789b59360d95a64ec07d0723c4d38 |
| SHA256 | 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84 |
| SHA512 | 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5 |
memory/1972-277-0x0000000000400000-0x0000000000517000-memory.dmp
memory/292-306-0x0000000000400000-0x0000000000517000-memory.dmp
memory/292-415-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1276-445-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1276-553-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1776-582-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1776-707-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2580-721-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2580-846-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1340-860-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1340-987-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2556-993-0x0000000000400000-0x0000000000517000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5f6aefafda312b288b7d555c1fc36dc9 |
| SHA1 | f25e2fdea9dd714d0fae68af71cace7bb49302ce |
| SHA256 | 60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a |
| SHA512 | 97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | b79d7c7385eb2936ecd5681762227a9b |
| SHA1 | c2a21fb49bd3cc8be9baac1bf6f6389453ad785d |
| SHA256 | fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019 |
| SHA512 | 7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b |
memory/2556-1123-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1588-1138-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2372-1271-0x0000000000400000-0x0000000000517000-memory.dmp
memory/1588-1270-0x0000000000400000-0x0000000000517000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 908860a865f8ed2e14085e35256578dd |
| SHA1 | 7ff5ee35cc7e96a661848eb95a70d0b8d2d78603 |
| SHA256 | d2b73d92cf00a9dc61f2777a7f298e8c4bb72697236965f8931bdfc9d0924c5f |
| SHA512 | a93bb8cb180d957ef2b2c511d5ff66a25d2bcfb071af9884c146b8c422d1fadc9a4d390712bc2cb27640634854b3e59d5209803373cf1f42381d513747a65fd9 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 501effddf60a974e98b67dc8921aa7e8 |
| SHA1 | 734dfe4b508dbc1527ec92e91821a1251aec5b2e |
| SHA256 | 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06 |
| SHA512 | 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6bf876cd9994f0d41be4eca36d22c42a |
| SHA1 | 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79 |
| SHA256 | ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a |
| SHA512 | 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106 |
memory/2372-1400-0x0000000000400000-0x0000000000517000-memory.dmp
memory/2108-1416-0x0000000000400000-0x0000000000517000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-27 03:36
Reported
2024-02-27 03:38
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
148s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Modifies security service
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\netX.exe | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File created | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\netX.exe | C:\Windows\SysWOW64\netX.exe | N/A |
Suspicious use of SetThreadContext
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netX.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe
"C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Users\Admin\AppData\Local\Temp\a81de519432b6d76d9b881cff0cf9cef.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1168 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe" €s¦ˆ
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe" €
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4196 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe" €H‡ÿ‘
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
"C:\Windows\SysWOW64\netX.exe" €Y;Úc
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1144 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1140 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\system32\netX.exe 1136 "C:\Windows\SysWOW64\netX.exe"
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
\??\c:\a.bat
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Windows\SysWOW64\netX.exe
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\netX.exe
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\1.reg