Malware Analysis Report

2024-11-30 05:07

Sample ID 240228-ye866scb51
Target acb1531abfd05d85b3c002f59ebd03d9
SHA256 d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de
Tags: lumma evasion stealer
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de

Threat Level: Known bad

The file acb1531abfd05d85b3c002f59ebd03d9 was found to be: Known bad.

Malicious Activity Summary

lumma evasion stealer

Lumma Stealer

Modifies security service

Detect Lumma Stealer payload V4

Executes dropped EXE

Loads dropped DLL

Drops file in System32 directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs .reg file with regedit

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-28 19:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-28 19:43
Reported: 2024-02-28 19:45
Platform: win7-20240221-en
Max time kernel: 149s
Max time network: 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
26 matches exported, every one with Description, Indicator, Process and Target given as N/A (the report carries no per-match detail for this signature).

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 10
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 10

The raw export lists the 20 writes one per row; they are collapsed above with a Count column. Start = 4 is SERVICE_DISABLED. wuauserv is the Windows Update service and wscsvc is the Windows Security Center service, so after the import the host neither fetches updates nor reports antivirus/firewall health through Security Center. Every write comes from a regedit.exe instance importing C:\Users\Admin\AppData\Local\Temp\1.reg (see Processes), and the pair is re-applied by each WindowsW.exe generation, which is why the same two values recur. The sandbox records the key under ControlSet001 rather than the CurrentControlSet link, so a detection keyed only on "CurrentControlSet" would miss these events.

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\WindowsW.exe C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe N/A 1
File opened for modification C:\Windows\SysWOW64\WindowsW.exe C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe N/A 1
File created C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe N/A 9
File opened for modification C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe N/A 9

The 20 raw rows are collapsed above with a Count column. The submitted sample writes WindowsW.exe once, and every later WindowsW.exe generation reports its own create/open-for-modification events on the same path. The dropped file's hashes are identical to the submitted sample (see Files), so this is a self-copy into the system directory, not a second-stage payload. The path lands in SysWOW64 although the command lines name system32, which is consistent with a 32-bit sample whose system32 accesses are redirected by WOW64.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 2512 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1316 wrote to memory of 2788 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2512 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe C:\Windows\SysWOW64\WindowsW.exe 4
PID 2816 wrote to memory of 2384 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2816 wrote to memory of 1640 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 4
PID 1640 wrote to memory of 1544 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1544 wrote to memory of 1792 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 1640 wrote to memory of 948 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 4
PID 948 wrote to memory of 1028 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 4
PID 1028 wrote to memory of 2592 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 948 wrote to memory of 2988 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 4
PID 2988 wrote to memory of 272 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 4
PID 272 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4
PID 2988 wrote to memory of 1112 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 4
PID 1112 wrote to memory of 2164 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 4
PID 2164 wrote to memory of 2108 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 4

The raw export repeats each parent/child pair four times (64 rows); they are collapsed above with a Writes column. Every target is a process its writer has just started, and no write into an unrelated, pre-existing process is reported, so these rows reflect parent-to-child setup at process creation rather than injection of a foreign payload into another process. The signal is the shape of the chain: the sample (2512) runs cmd -> regedit once, then starts its copy WindowsW.exe (2816); each WindowsW.exe generation runs its own cmd -> regedit pair and starts the next generation (2816 -> 1640 -> 948 -> 2988 -> 1112 within the exported rows). The cmd.exe started by 2816 (PID 2384) has no regedit child in the export.

Processes

Image path as executed, with the command line as logged indented beneath it:

C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe
    "C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 540 "C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 532 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 536 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 544 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 548 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 552 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 556 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 564 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 560 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\WindowsW.exe
    C:\Windows\system32\WindowsW.exe 568 "C:\Windows\SysWOW64\WindowsW.exe"
C:\Windows\SysWOW64\cmd.exe
    cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Image paths are recorded under SysWOW64 while the command lines name system32 (or a bare cmd / REGEDIT): this is consistent with a 32-bit sample whose system32 references are redirected by WOW64, so the 32-bit cmd.exe and regedit.exe are the ones that run. Each generation repeats the same three steps: cmd /c c:\a.bat (a batch file dropped at the drive root), REGEDIT /S ...\1.reg (/S imports silently, with no confirmation prompt), and C:\Windows\system32\WindowsW.exe <n> "<path of the launching image>". The first WindowsW.exe receives the original sample's path; every later one receives the WindowsW.exe path. The numeric argument (540, 532, 536, 544, 548, 552, 556, 564, 560, 568) matches none of the PIDs in the WriteProcessMemory table, and this report does not establish its meaning.

Network

N/A

No network traffic was captured in this 125 s detonation. For a sample tagged as a stealer that is absence of evidence, not evidence of absence: the C2 or exfiltration stage was either not reached or not triggered inside the sandbox window, so this run yields no network indicators.

Files

Five distinct hash sets are recorded for C:\Users\Admin\AppData\Local\Temp\1.reg, so the import file is rewritten with different content before each regedit run, whereas C:\a.bat has a single hash. The memory dumps all cover the image range 0x400000-0x48A000 of the sample or a WindowsW.exe instance, and several PIDs also dump a second region of the same 0x8A000-byte size at a non-image address.

memory/2512-0-0x0000000000400000-0x000000000048A000-memory.dmp

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA1 a365542609e4d1dc46be62928b08612fcabe2ede
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb
SHA512 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

\Windows\SysWOW64\WindowsW.exe

MD5 acb1531abfd05d85b3c002f59ebd03d9
SHA1 cc4fd247a435c3ae0aea9366c262c86da7831ea2
SHA256 d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de
SHA512 58f13bd2520a4cddec9273df0942310b27c9d5fa204a526c5f362f96104e046537fa50e2f262bf5f6651606732b9a2c8cfeb57112584012b796dee6175ef3410

All four hashes equal those of the submitted sample (Target MD5 acb1531abfd05d85b3c002f59ebd03d9, SHA256 d473f7a6...e0de): WindowsW.exe is a byte-for-byte self-copy, not a separate second-stage payload, so the same file-hash indicator covers both the original and the dropped copy.

memory/2512-125-0x0000000001D30000-0x0000000001DBA000-memory.dmp

memory/2816-126-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2512-129-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2816-130-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2816-133-0x0000000002480000-0x000000000250A000-memory.dmp

memory/1640-135-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2816-160-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2816-251-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1640-253-0x0000000000400000-0x000000000048A000-memory.dmp

memory/948-257-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1640-372-0x0000000000400000-0x000000000048A000-memory.dmp

memory/948-374-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2988-378-0x0000000000400000-0x000000000048A000-memory.dmp

memory/948-494-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2988-495-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1112-507-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2988-499-0x0000000002620000-0x00000000026AA000-memory.dmp

memory/2988-615-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1112-617-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2080-621-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d085cde42c14e8ee2a5e8870d08aee42
SHA1 c8e967f1d301f97dbcf252d7e1677e590126f994
SHA256 a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f
SHA512 de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

memory/1112-729-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2080-730-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2292-738-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 cd085b8c40e69c2bf1eb3d59f8155b99
SHA1 3499260f24020fe6d54d9d632d34ba2770bb06e0
SHA256 10546433db0c1ab764cd632eb0d08d93a530c6e52d1ec7fcb9c1fd32193f2a9c
SHA512 3813b8a7f742f6a64da36492447f3f2fee6ea505d7d0dccebede84117ec06101321dfacc7901403ea557171085982ae1a4dc39dd666da9e67d61ea71dfbb8edb

memory/2080-854-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2292-860-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2292-864-0x0000000002740000-0x00000000027CA000-memory.dmp

memory/1988-877-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2292-980-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1988-986-0x0000000002800000-0x000000000288A000-memory.dmp

memory/1828-987-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1988-1102-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1828-1104-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2472-1115-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1828-1116-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2472-1225-0x0000000000400000-0x000000000048A000-memory.dmp
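The Files listing above is flat text, and the two conclusions worth drawing from it (WindowsW.exe is a self-copy; 1.reg is regenerated between runs) come from correlating hashes across entries. The following is an added example, not part of the sandbox output, that parses this listing format, flags dropped files identical to the submitted sample, finds paths recorded with more than one hash, and computes the size of each memory dump region. FILES_EXCERPT is copied from the Files section above, trimmed to the MD5 and SHA256 lines and a subset of entries; the parser accepts the full four-hash form as well.

```python
# Added example: parse the "Files" section of this report and correlate artefacts with
# the submitted sample. Not part of the sandbox output. FILES_EXCERPT is copied from the
# report above (MD5/SHA256 lines only, a subset of entries).
import re
from collections import defaultdict

SUBMITTED_SHA256 = "d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de"

FILES_EXCERPT = r"""
memory/2512-0-0x0000000000400000-0x000000000048A000-memory.dmp

C:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 558ce6da965ba1758d112b22e15aa5a2
SHA256 c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

\Windows\SysWOW64\WindowsW.exe

MD5 acb1531abfd05d85b3c002f59ebd03d9
SHA256 d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de

memory/2512-125-0x0000000001D30000-0x0000000001DBA000-memory.dmp

memory/2816-133-0x0000000002480000-0x000000000250A000-memory.dmp
"""

# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# "<ALGO> <hex>" lines that follow a file path
_HASH = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


def parse_files(text):
    """Return (files, dumps): files = [{"path", "hashes": {algo: hex}}], dumps = [(pid, seq, start, end)]."""
    files, dumps, current = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _DUMP.match(line)
        if m:
            dumps.append((int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
            current = None
            continue
        m = _HASH.match(line)
        if m and current is not None:
            current["hashes"][m[1]] = m[2].lower()
            continue
        # any other non-empty line is a file path that opens a new entry
        current = {"path": line, "hashes": {}}
        files.append(current)
    return files, dumps


def self_copies(files, submitted_sha256):
    """Paths of dropped files that are byte-identical to the submitted sample."""
    return [f["path"] for f in files if f["hashes"].get("SHA256") == submitted_sha256.lower()]


def rewritten_paths(files):
    """Paths recorded with more than one distinct SHA256, i.e. regenerated between runs."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f["hashes"]:
            by_path[f["path"]].add(f["hashes"]["SHA256"])
    return {path: len(hashes) for path, hashes in by_path.items() if len(hashes) > 1}


def dump_region_sizes(dumps):
    """Size in bytes of every dumped region, keyed by (pid, seq)."""
    return {(pid, seq): end - start for pid, seq, start, end in dumps}


if __name__ == "__main__":
    files, dumps = parse_files(FILES_EXCERPT)
    print("self-copies:", self_copies(files, SUBMITTED_SHA256))
    print("rewritten paths:", rewritten_paths(files))
    print("dump sizes:", {k: hex(v) for k, v in dump_region_sizes(dumps).items()})
```

Run against the full Files section the same functions report the single self-copy, five hash variants for 1.reg and a uniform 0x8A000-byte region size for every dump.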

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-28 19:43
Reported: 2024-02-28 19:45
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"

Signatures

Detect Lumma Stealer payload V4

Description Indicator Process Target
20 matches exported, every one with Description, Indicator, Process and Target given as N/A (the report carries no per-match detail for this signature).

Lumma Stealer

stealer lumma

Modifies security service

evasion
Description Indicator Process Target Count
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 11
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\Windows\SysWOW64\regedit.exe N/A 11

The 22 raw rows are collapsed above with a Count column. As in behavioral1, Start = 4 is SERVICE_DISABLED for the Windows Update service (wuauserv) and the Windows Security Center service (wscsvc); the pair is written by each regedit.exe instance importing 1.reg, once per WindowsW.exe generation. The Windows 10 build behaves the same way as Windows 7 here, so the technique is not version-specific.
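Both "Modifies security service" tables (behavioral1 and behavioral2) record the effect of REGEDIT /S importing 1.reg, but the report exports only the hashes of the .reg file, not its content. The following added example, not part of the sandbox output, parses a .reg import file in the standard "Windows Registry Editor Version 5.00" format, resolves every Services\<name>\Start write to its SERVICE_*_START meaning, and flags the services whose disablement weakens defences. REG_TEXT is a constructed stand-in that reproduces the two writes this report shows plus a harmless control entry; the WATCHED_SERVICES list beyond wuauserv and wscsvc is an assumption about what else is worth watching, not something the report states.

```python
# Added example (not part of the sandbox report): parse a .reg import file and flag the
# services it disables. The report shows regedit.exe importing
# C:\Users\Admin\AppData\Local\Temp\1.reg and setting wuauserv\Start and wscsvc\Start
# to 4 but exports only the file's hashes, so REG_TEXT below is a constructed stand-in.
import re
from dataclasses import dataclass

# Values of HKLM\SYSTEM\...\Services\<name>\Start (the SERVICE_*_START constants)
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

# Services whose disablement weakens defences. The first two are the ones hit in this
# report; the others are an assumption about what else is worth watching.
WATCHED_SERVICES = {
    "wuauserv": "Windows Update",
    "wscsvc": "Windows Security Center",
    "windefend": "Microsoft Defender Antivirus",
    "mpssvc": "Windows Defender Firewall",
}

# Constructed sample in the format regedit imports; the real 1.reg content is not in the report.
REG_TEXT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wuauserv]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\wscsvc]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Spooler]
"Start"=dword:00000003
"DisplayName"="Print Spooler"
"""


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str      # "" for the key's default value (@)
    data: object   # int for dword, str for strings, bytes for hex(...) data, None for deletion


_SECTION = re.compile(r"^\[(-?)(.+)\]$")                      # [KEY] or [-KEY] (delete key)
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')     # "name"=data or @=data
_SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)


def _decode(raw):
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    if raw.lower().startswith("hex"):              # hex: or hex(N): comma-separated bytes
        body = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    if raw == "-":
        return None                                # "name"=- deletes the value
    return raw


def parse_reg(text):
    """Return every value assignment in the file as RegValue, in file order."""
    values, key = [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _SECTION.match(line)
        if m:
            key = None if m.group(1) == "-" else m.group(2)   # values under a deleted key are ignored
            continue
        m = _VALUE.match(line)
        if key is None or not m:
            continue
        name = m.group(1) if m.group(1) is not None else ""
        raw = m.group(2)
        while raw.endswith("\\") and i < len(lines):          # hex data continued on following lines
            raw = raw[:-1] + lines[i].strip()
            i += 1
        values.append(RegValue(key, name, _decode(raw)))
    return values


def service_start_changes(values):
    """(service, start_value, meaning) for every Start value written under a Services key."""
    out = []
    for v in values:
        m = _SERVICE_KEY.search(v.key)
        if m and v.name.lower() == "start" and isinstance(v.data, int):
            out.append((m.group(1), v.data, START_TYPES.get(v.data, "unknown")))
    return out


def disabled_security_services(values):
    """Watched services that the import sets to SERVICE_DISABLED."""
    return [(svc, WATCHED_SERVICES[svc.lower()])
            for svc, start, _ in service_start_changes(values)
            if start == 4 and svc.lower() in WATCHED_SERVICES]


if __name__ == "__main__":
    for svc, start, meaning in service_start_changes(parse_reg(REG_TEXT)):
        print(f"{svc}: Start={start} ({meaning})")
    print("disabled:", disabled_security_services(parse_reg(REG_TEXT)))
```

The parser keys on the Services\<name> suffix rather than on CurrentControlSet, so it catches the ControlSet001 form the sandbox recorded as well as imports written against CurrentControlSet.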

Drops file in System32 directory

Description Indicator Process Target Count
File created C:\Windows\SysWOW64\WindowsW.exe C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe N/A 1
File opened for modification C:\Windows\SysWOW64\WindowsW.exe C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe N/A 1
File created C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe N/A 10
File opened for modification C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe N/A 10

The 22 raw rows are collapsed above with a Count column. The pattern matches behavioral1: one create/open pair by the submitted sample, then one pair per WindowsW.exe generation on the same SysWOW64 path.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Writes
PID 3940 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe C:\Windows\SysWOW64\cmd.exe 3
PID 752 wrote to memory of 4280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 3940 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 4504 wrote to memory of 4440 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4440 wrote to memory of 3244 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 4504 wrote to memory of 4528 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 4528 wrote to memory of 4680 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4680 wrote to memory of 1760 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 4528 wrote to memory of 1908 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 1908 wrote to memory of 2904 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2904 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 1908 wrote to memory of 1416 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 1416 wrote to memory of 3992 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 3992 wrote to memory of 3728 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 1416 wrote to memory of 3760 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 3760 wrote to memory of 1824 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 1824 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 3760 wrote to memory of 2100 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 2100 wrote to memory of 2016 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2016 wrote to memory of 3656 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\regedit.exe 3
PID 2100 wrote to memory of 3728 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\WindowsW.exe 3
PID 3728 wrote to memory of 2904 N/A C:\Windows\SysWOW64\WindowsW.exe C:\Windows\SysWOW64\cmd.exe 1

The raw export repeats each parent/child pair three times on Windows 10 (four on Windows 7); the rows are collapsed above with a Writes column. Both WriteProcessMemory tables hold exactly 64 rows, so the listing is truncated and the final pair shows a single write only because the cut falls there; later generations are not exported. The chain is the same as in behavioral1: sample (3940) -> cmd -> regedit, then sample -> WindowsW.exe (4504), and each WindowsW.exe generation runs cmd -> regedit and starts the next generation (4504 -> 4528 -> 1908 -> 1416 -> 3760 -> 2100 -> 3728). Two PIDs appear twice as different process instances: 3728 first as a regedit.exe child of 3992 and later as the WindowsW.exe child of 2100, and 2904 as two successive cmd.exe instances (children of 1908 and of 3728). Windows reuses PIDs once a process exits, so rows from a long-running chain like this one must be correlated by process instance and order, not by PID alone.

Processes

C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe

"C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1236 "C:\Users\Admin\AppData\Local\Temp\acb1531abfd05d85b3c002f59ebd03d9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1180 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1148 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1152 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1156 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1164 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1160 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1168 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1184 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\WindowsW.exe

C:\Windows\system32\WindowsW.exe 1176 "C:\Windows\SysWOW64\WindowsW.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c c:\a.bat

C:\Windows\SysWOW64\regedit.exe

REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg

Network

Country Destination Domain Proto
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 138.91.171.81:80 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 29.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 53.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

memory/3940-0-0x0000000000400000-0x000000000048A000-memory.dmp

\??\c:\a.bat

MD5 0019a0451cc6b9659762c3e274bc04fb
SHA1 5259e256cc0908f2846e532161b989f1295f479b
SHA256 ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876
SHA512 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 159bb1d34a927f58fc851798c7c09b58
SHA1 c3a26565004531f3a93e29eabb0f9a196b4c1ba2
SHA256 53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd
SHA512 b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 f8a9a1aa9bab7821d25ae628e6d04f68
SHA1 c3e7a9ccc9805ae94aabfd16e2cb461fde3fae5a
SHA256 76ee7c489d11427af94d0334368ef2ed44df4a74984ffd4022c9ea9fae9c41fb
SHA512 0fb3a29367fa3c3eb36c6a7e9ff217ccdd7cce18309964aa7068a00f500ea4ea49588344ebbc52ae77d83e5042c3fdb84f56fa1dae07b8bb774aed6fffd18c0a

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 9e5db93bd3302c217b15561d8f1e299d
SHA1 95a5579b336d16213909beda75589fd0a2091f30
SHA256 f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e
SHA512 b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

C:\Windows\SysWOW64\WindowsW.exe

MD5 acb1531abfd05d85b3c002f59ebd03d9
SHA1 cc4fd247a435c3ae0aea9366c262c86da7831ea2
SHA256 d473f7a6db142f8261b572314578b257bd2b3a90b5eaa4bdd1ba72c2b610e0de
SHA512 58f13bd2520a4cddec9273df0942310b27c9d5fa204a526c5f362f96104e046537fa50e2f262bf5f6651606732b9a2c8cfeb57112584012b796dee6175ef3410

memory/4504-117-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5a466127fedf6dbcd99adc917bd74581
SHA1 a2e60b101c8789b59360d95a64ec07d0723c4d38
SHA256 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84
SHA512 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5575ef034e791d4d3b09da6c0c4ee764
SHA1 50a0851ddf4b0c4014ad91f976e953baffe30951
SHA256 9697ec584ef188873daa789eb779bb95dd3efa2c4c98a55dffa30cac4d156c14
SHA512 ecf52614d3a16d8e558751c799fde925650ef3e6d254d172217e1b0ed76a983d45b74688616d3e3432a16cec98b986b17eaecd319a18df9a67e4d47f17380756

memory/3940-228-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4504-229-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4528-231-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4504-342-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4528-343-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1908-345-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 752fd85212d47da8f0adc29004a573b2
SHA1 fa8fe3ff766601db46412879dc13dbec8d055965
SHA256 9faa69e9dabfb4beb40790bf12d0ae2ac0a879fb045e38c03b9e4d0ab569636e
SHA512 d7bbadb2ed764717dc01b012832e5c1debd6615bbdc121b5954e61d6364a03b2dd03718bdea26c5c2a6dbb6e33c5a7657c76862f6d8c0a916f7a0f9f8dd3b209

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 872656500ddac1ddd91d10aba3a8df96
SHA1 ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc
SHA256 d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8
SHA512 e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

memory/4528-456-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1908-457-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1416-459-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 c8441ec8a2edf9b2f4f631fe930ea4d9
SHA1 2855ee21116b427d280fcaa2471c9bd3d2957f6f
SHA256 dd2fa55643d4e02b39ef5a619f2ca63e49d6cc1e6513d953c2d9400d46b88184
SHA512 b0b03828275f895adf93ef6b9d40d31e10f166d40c1ee0f5697aadcee1b6d5e8b81637ccfcf66ba9dfd92295f106cfac0eca2320b71a15ad96fdbe06f6764ef7

memory/1908-570-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1416-571-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 a5d4cddfecf34e5391a7a3df62312327
SHA1 04a3c708bab0c15b6746cf9dbf41a71c917a98b9
SHA256 8961a4310b2413753851ba8afe2feb4c522c20e856c6a98537d8ab440f48853a
SHA512 48024549d0fcb88e3bd46f7fb42715181142cae764a3daeb64cad07f10cf3bf14153731aeafba9a191557e29ddf1c5b62a460588823df215e2246eddaeff6643

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 e427a32326a6a806e7b7b4fdbbe0ed4c
SHA1 b10626953332aeb7c524f2a29f47ca8b0bee38b1
SHA256 b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839
SHA512 6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 d5e129352c8dd0032b51f34a2bbecad3
SHA1 a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a
SHA256 ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267
SHA512 9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

memory/1416-683-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3760-684-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2100-686-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fa83299c5a0d8714939977af6bdafa92
SHA1 46a4abab9b803a7361ab89d0ca000a367550e23c
SHA256 f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03
SHA512 85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 7fe70731de9e888ca911baeb99ee503d
SHA1 0073da5273512f66dbf570580dc55957535c2478
SHA256 ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a
SHA512 4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

memory/3760-797-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2100-798-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3728-800-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 fadf3805f68986d2ee9c82f560a564e4
SHA1 87bcab6ab1fb66ace98eb1d36e54eb9c11628aa6
SHA256 d6e4760c4554b061363e89648dc4144f8a9ba8a300dde1a1621f22ecc62ab759
SHA512 e3e495385da6d181a2411554a61b27c480ff31fa49225e8b2dc46b9ec4f618343475a8d189786b956c91efc65bfb05be19065bfdf3288eb011c5ec427e764cb9

memory/2100-911-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3728-912-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4516-914-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5088b4be1b90717121e76c1fc33c033a
SHA1 090676b012c30e6b0d6493ca1e9a31f3093cad6f
SHA256 d1d8c8ac4136082ac60938e8148c43d81fa91a124eccf34048e629d22daeef3a
SHA512 0cac2dcf138b1a66f857a54c92afe467ef7544655cd1c4aec3b4084c92c9186d9ba10e0e74a54a6e43e676068d3747f668f7286d44fcefce7ee4d385a3a96962

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 5da7efcc8d0fcdf2bad7890c3f8a27ca
SHA1 681788d5a3044eee8426d431bd786375cd32bf13
SHA256 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8
SHA512 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 6bf876cd9994f0d41be4eca36d22c42a
SHA1 50cda4b940e6ba730ce59000cfc59e6c4d7fdc79
SHA256 ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a
SHA512 605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

memory/3728-1025-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4516-1026-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3584-1028-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4516-1139-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3584-1140-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4092-1142-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3584-1253-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4092-1254-0x0000000000400000-0x000000000048A000-memory.dmp