Analysis Overview
SHA256
df2b1b10e01cd391a3dcb08327a887b8b534f4e6ba702c72619926c74daecad5
Threat Level: Known bad
The file 04072025_1206_ChristopherCraft was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer, LummaC
Lumma family
Reads user/profile data of web browsers
Executes dropped EXE
Reads user/profile data of local email clients
Checks computer location settings
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
Drops file in Windows directory
System Location Discovery: System Language Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Checks processor information in registry
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-07-04 12:06
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250619-en
Max time kernel
159s
Max time network
288s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ExamplesJennifer\Enjoyed.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/2612-2-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-4-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-5-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-1-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-0-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-3-0x00007FFF2F12D000-0x00007FFF2F12E000-memory.dmp
memory/2612-8-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-7-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-6-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-9-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-10-0x00007FFEECAC0000-0x00007FFEECAD0000-memory.dmp
memory/2612-11-0x00007FFEECAC0000-0x00007FFEECAD0000-memory.dmp
memory/2612-21-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 5001940ac5022c8abe99bc68bc8841a1 |
| SHA1 | df4f78d1e3db20803cd6f781e7be64288806c967 |
| SHA256 | 9b1eea31f2416da178b428d6d164d396c208c2a80ccd7c26b1d531c2abcf8a22 |
| SHA512 | 25755af2593aad0b3bc1f3838c52b155eaa7b9cab220be3f6ae66a4a2cc8104266a25d9c36e317864436cb8b4acd25a03b73a822542d16dba8f42f79be0fa6a8 |
memory/2612-49-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-47-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-50-0x00007FFF2F090000-0x00007FFF2F285000-memory.dmp
memory/2612-48-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-46-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
memory/2612-45-0x00007FFEEF110000-0x00007FFEEF120000-memory.dmp
Analysis: behavioral4
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250619-en
Max time kernel
107s
Max time network
214s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Closes.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.32.7:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3012-0-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-3-0x00007FFF1BCED000-0x00007FFF1BCEE000-memory.dmp
memory/3012-2-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-1-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-5-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-6-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-8-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-9-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-12-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-11-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-13-0x00007FFED9850000-0x00007FFED9860000-memory.dmp
memory/3012-10-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-7-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-14-0x00007FFED9850000-0x00007FFED9860000-memory.dmp
memory/3012-4-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-24-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0a9cef57b6ce635f6f9f378495439370 |
| SHA1 | 16448cacac205df3d082d4185a0f9b5bcdb63a9b |
| SHA256 | 76ebea0f1d89368b6238212b3caaa854859984e9e190167520e9717ab99fe9d5 |
| SHA512 | 02c597b34832a72a5519656b62b221db4351ab9d97f3e6ff7fa58f780a121cfcf7cc0e356fcde1c8ef8394f7ba4c886654f40228b0c1db2caeaafec2baac2f96 |
memory/3012-48-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-49-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-52-0x00007FFF1BC50000-0x00007FFF1BE45000-memory.dmp
memory/3012-51-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
memory/3012-50-0x00007FFEDBCD0000-0x00007FFEDBCE0000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250610-en
Max time kernel
108s
Max time network
220s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Euro.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3492-0-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-1-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-3-0x00007FF9ABCAD000-0x00007FF9ABCAE000-memory.dmp
memory/3492-2-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-5-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-4-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-8-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-11-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-12-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-13-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-10-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-14-0x00007FF9698A0000-0x00007FF9698B0000-memory.dmp
memory/3492-9-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-15-0x00007FF9698A0000-0x00007FF9698B0000-memory.dmp
memory/3492-7-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-6-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-25-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-26-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0fd21ac973ed034036cd64616c6c15b9 |
| SHA1 | b5e7b07df814049e212186d855b2b424635a9a3d |
| SHA256 | 335ca27bb7a2f97e2184f2611ac42e2577575938e360c05d3048110ec7e70fd9 |
| SHA512 | 5eb449ed0e11e078a29ef9e00eb56bbcc438f60c5bff668074f1011268e47936530ba6cd695395b08be3a904fa2543473beb0bf8de05d789570ed95003c95cef |
memory/3492-50-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-53-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-52-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
memory/3492-54-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-55-0x00007FF9ABC10000-0x00007FF9ABE05000-memory.dmp
memory/3492-51-0x00007FF96BC90000-0x00007FF96BCA0000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250502-en
Max time kernel
109s
Max time network
215s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Opinion.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3340-0-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-1-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-3-0x00007FFC3B20D000-0x00007FFC3B20E000-memory.dmp
memory/3340-2-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-4-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-9-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-10-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-8-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-11-0x00007FFBF9080000-0x00007FFBF9090000-memory.dmp
memory/3340-7-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-6-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-14-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-15-0x00007FFBF9080000-0x00007FFBF9090000-memory.dmp
memory/3340-13-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-12-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
memory/3340-5-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-25-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 0991107a261c046c2f26ba2db340500c |
| SHA1 | aaee9e5bd64497ca769ee74f92246c3c6c6c231b |
| SHA256 | 207d1d79db5dc0d29a5053422b0c188d9d80f75b1341aa3f06d9762ebf1d3b64 |
| SHA512 | 05c0d862066c1ca1dfddd5dc1f767a64bdbc02bfbbd91d313835377a5692afe7bd1e2adc6deecbc49534579108ce39bfd2d4d6504e75b38bcbcaaa8cdbf3744a |
memory/3340-49-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-50-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-51-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-52-0x00007FFBFB1F0000-0x00007FFBFB200000-memory.dmp
memory/3340-53-0x00007FFC3B170000-0x00007FFC3B365000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250502-en
Max time kernel
158s
Max time network
282s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\V.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| FR | 52.109.68.129:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/688-0-0x00007FFDF962D000-0x00007FFDF962E000-memory.dmp
memory/688-1-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-2-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-3-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-4-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-6-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-5-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-8-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-10-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-11-0x00007FFDB6E10000-0x00007FFDB6E20000-memory.dmp
memory/688-9-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-7-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-13-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-15-0x00007FFDB6E10000-0x00007FFDB6E20000-memory.dmp
memory/688-14-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-12-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-17-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-19-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-20-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-21-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-18-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-16-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-31-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-33-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
memory/688-32-0x00007FFDF962D000-0x00007FFDF962E000-memory.dmp
memory/688-34-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
| MD5 | 836be97943aaaea04b5ff2b6333341e1 |
| SHA1 | 53827fb50d09d9544717a13d270e75be741c53b4 |
| SHA256 | aa4ad080754c8cfa5aa5abfae18bffc8ae389d47678953cfe5cf487da39cdb47 |
| SHA512 | 9aed8f8b4e349d3121bad8047b355eaeb5dee3892d26cf70ecbc6ca0b5dbb56004dbccc4f4994c84fd6540c6185198bb46b15b6970e16b6678fe3ee37d796e1b |
memory/688-59-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-58-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-61-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-60-0x00007FFDB9610000-0x00007FFDB9620000-memory.dmp
memory/688-62-0x00007FFDF9590000-0x00007FFDF9785000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250610-en
Max time kernel
108s
Max time network
222s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Browsers.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
memory/3928-1-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-3-0x00007FFFAEE4D000-0x00007FFFAEE4E000-memory.dmp
memory/3928-0-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-2-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-6-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-7-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-5-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-10-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-9-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-8-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-4-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-11-0x00007FFF6C9D0000-0x00007FFF6C9E0000-memory.dmp
memory/3928-12-0x00007FFF6C9D0000-0x00007FFF6C9E0000-memory.dmp
memory/3928-22-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-42-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-44-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-46-0x00007FFFAEDB0000-0x00007FFFAEFA5000-memory.dmp
memory/3928-45-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
memory/3928-43-0x00007FFF6EE30000-0x00007FFF6EE40000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250610-en
Max time kernel
108s
Max time network
214s
Command Line
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Observer.xls"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2025-07-04 12:06
Reported
2025-07-04 12:11
Platform
win10v2004-20250619-en
Max time kernel
281s
Max time network
282s
Command Line
Signatures
Lumma Stealer, LummaC
Lumma family
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\GtkDepot | C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\findstr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\extrac32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe
"C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c copy Browsers.xls Browsers.xls.bat & Browsers.xls.bat
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "opssvc wrsa"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set YhiTgBlLujKrjjSwyNzUWfJW=AutoIt3.exe & Set raPtRpuxzjwGYWHwTgdaszFhgVP=.a3x & Set NXFYuIdYQ=300
C:\Windows\SysWOW64\extrac32.exe
extrac32 /Y Phase.xls *.*
C:\Windows\SysWOW64\findstr.exe
findstr /V "Ct" Rick
C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com
Threaded.com h
C:\Windows\SysWOW64\choice.exe
choice /d n /t 5
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | iDTfastsiAoebpzFONpafSVzN.iDTfastsiAoebpzFONpafSVzN | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | mahrox.shop | udp |
| US | 8.8.8.8:53 | ycvduc.xyz | udp |
| US | 144.172.115.212:443 | ycvduc.xyz | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.180.3:80 | c.pki.goog | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Browsers.xls
C:\Users\Admin\AppData\Local\Temp\Phase.xls
C:\Users\Admin\AppData\Local\Temp\Rick
C:\Users\Admin\AppData\Local\Temp\Cope
C:\Users\Admin\AppData\Local\Temp\Porsche
C:\Users\Admin\AppData\Local\Temp\Together
C:\Users\Admin\AppData\Local\Temp\Hay
C:\Users\Admin\AppData\Local\Temp\Suck
C:\Users\Admin\AppData\Local\Temp\Saying
C:\Users\Admin\AppData\Local\Temp\Ahead
C:\Users\Admin\AppData\Local\Temp\Tell
C:\Users\Admin\AppData\Local\Temp\Observer.xls
C:\Users\Admin\AppData\Local\Temp\V.xls
C:\Users\Admin\AppData\Local\Temp\Closes.xls
C:\Users\Admin\AppData\Local\Temp\Enjoyed.xls
C:\Users\Admin\AppData\Local\Temp\Euro.xls
C:\Users\Admin\AppData\Local\Temp\Opinion.xls
C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com
C:\Users\Admin\AppData\Local\Temp\542417\h