Malware Analysis Report

2025-08-10 20:04

Sample ID 250704-n9rkhahj81
Target 04072025_1206_ChristopherCraft
SHA256 df2b1b10e01cd391a3dcb08327a887b8b534f4e6ba702c72619926c74daecad5
Tags
lumma discovery spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

df2b1b10e01cd391a3dcb08327a887b8b534f4e6ba702c72619926c74daecad5

Threat Level: Known bad

The file 04072025_1206_ChristopherCraft was found to be: Known bad.

Malicious Activity Summary

lumma discovery spyware stealer

Lumma Stealer, LummaC

Lumma family

Reads user/profile data of web browsers

Executes dropped EXE

Reads user/profile data of local email clients

Checks computer location settings

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

Enumerates processes with tasklist

Drops file in Windows directory

System Location Discovery: System Language Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Checks processor information in registry

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:06

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250619-en

Max time kernel

159s

Max time network

288s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ExamplesJennifer\Enjoyed.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ExamplesJennifer\Enjoyed.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 5001940ac5022c8abe99bc68bc8841a1
SHA1 df4f78d1e3db20803cd6f781e7be64288806c967
SHA256 9b1eea31f2416da178b428d6d164d396c208c2a80ccd7c26b1d531c2abcf8a22
SHA512 25755af2593aad0b3bc1f3838c52b155eaa7b9cab220be3f6ae66a4a2cc8104266a25d9c36e317864436cb8b4acd25a03b73a822542d16dba8f42f79be0fa6a8

Analysis: behavioral4

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250619-en

Max time kernel

107s

Max time network

214s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Closes.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Closes.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.32.7:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0a9cef57b6ce635f6f9f378495439370
SHA1 16448cacac205df3d082d4185a0f9b5bcdb63a9b
SHA256 76ebea0f1d89368b6238212b3caaa854859984e9e190167520e9717ab99fe9d5
SHA512 02c597b34832a72a5519656b62b221db4351ab9d97f3e6ff7fa58f780a121cfcf7cc0e356fcde1c8ef8394f7ba4c886654f40228b0c1db2caeaafec2baac2f96

Analysis: behavioral5

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250610-en

Max time kernel

108s

Max time network

220s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Euro.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Euro.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
GB 52.109.28.47:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0fd21ac973ed034036cd64616c6c15b9
SHA1 b5e7b07df814049e212186d855b2b424635a9a3d
SHA256 335ca27bb7a2f97e2184f2611ac42e2577575938e360c05d3048110ec7e70fd9
SHA512 5eb449ed0e11e078a29ef9e00eb56bbcc438f60c5bff668074f1011268e47936530ba6cd695395b08be3a904fa2543473beb0bf8de05d789570ed95003c95cef

Analysis: behavioral7

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250502-en

Max time kernel

109s

Max time network

215s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Opinion.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Opinion.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 0991107a261c046c2f26ba2db340500c
SHA1 aaee9e5bd64497ca769ee74f92246c3c6c6c231b
SHA256 207d1d79db5dc0d29a5053422b0c188d9d80f75b1341aa3f06d9762ebf1d3b64
SHA512 05c0d862066c1ca1dfddd5dc1f767a64bdbc02bfbbd91d313835377a5692afe7bd1e2adc6deecbc49534579108ce39bfd2d4d6504e75b38bcbcaaa8cdbf3744a

Analysis: behavioral8

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250502-en

Max time kernel

158s

Max time network

282s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\V.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\V.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
FR 52.109.68.129:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

MD5 836be97943aaaea04b5ff2b6333341e1
SHA1 53827fb50d09d9544717a13d270e75be741c53b4
SHA256 aa4ad080754c8cfa5aa5abfae18bffc8ae389d47678953cfe5cf487da39cdb47
SHA512 9aed8f8b4e349d3121bad8047b355eaeb5dee3892d26cf70ecbc6ca0b5dbb56004dbccc4f4994c84fd6540c6185198bb46b15b6970e16b6678fe3ee37d796e1b

Analysis: behavioral3

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250610-en

Max time kernel

108s

Max time network

222s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Browsers.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Browsers.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

Analysis: behavioral6

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250610-en

Max time kernel

108s

Max time network

214s

Command Line

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Observer.xls"

Signatures

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Processes

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\TvcomFreight\Observer.xls"

Network

Country Destination Domain Proto
US 8.8.8.8:53 roaming.officeapps.live.com udp
NL 52.109.89.19:443 roaming.officeapps.live.com tcp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:06

Reported

2025-07-04 12:11

Platform

win10v2004-20250619-en

Max time kernel

281s

Max time network

282s

Command Line

"C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe"

Signatures

Lumma Stealer, LummaC

stealer lumma

Lumma family

lumma

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4097847965-469305640-2969917343-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates processes with tasklist

discovery

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\GtkDepot C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\findstr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\tasklist.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\extrac32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2684 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 228 N/A C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe C:\Windows\SysWOW64\cmd.exe
PID 228 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 2292 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 1976 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 228 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 4196 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe
PID 228 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe
PID 228 wrote to memory of 4456 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\extrac32.exe
PID 228 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 3148 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com
PID 228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com
PID 228 wrote to memory of 5040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com
PID 228 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 228 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe
PID 228 wrote to memory of 2628 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\choice.exe

Processes

C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe

"C:\Users\Admin\AppData\Local\Temp\04072025_1206_ChristopherCraft.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c copy Browsers.xls Browsers.xls.bat & Browsers.xls.bat

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "opssvc wrsa"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr "nsWscSvc ekrn bdservicehost SophosHealth AvastUI AVGUI & if not errorlevel 1 Set YhiTgBlLujKrjjSwyNzUWfJW=AutoIt3.exe & Set raPtRpuxzjwGYWHwTgdaszFhgVP=.a3x & Set NXFYuIdYQ=300

C:\Windows\SysWOW64\extrac32.exe

extrac32 /Y Phase.xls *.*

C:\Windows\SysWOW64\findstr.exe

findstr /V "Ct" Rick

C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com

Threaded.com h

C:\Windows\SysWOW64\choice.exe

choice /d n /t 5

Network

Country Destination Domain Proto
US 8.8.8.8:53 iDTfastsiAoebpzFONpafSVzN.iDTfastsiAoebpzFONpafSVzN udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 mahrox.shop udp
US 8.8.8.8:53 ycvduc.xyz udp
US 144.172.115.212:443 ycvduc.xyz tcp
US 144.172.115.212:443 ycvduc.xyz tcp
US 144.172.115.212:443 ycvduc.xyz tcp
US 144.172.115.212:443 ycvduc.xyz tcp
US 144.172.115.212:443 ycvduc.xyz tcp
US 144.172.115.212:443 ycvduc.xyz tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Users\Admin\AppData\Local\Temp\Browsers.xls

MD5 c7a5c5af0a4baceab363c56bc22df705
SHA1 6cab90344cc1aed4e89a2cf10c9369b8f1c65247
SHA256 c39fdb5696afc03d20b33ab6fcea6d1daf97e7cdee47f17d0cc2e665f1bde0a0
SHA512 add03f8971f6c760aa95f4b9a5a1173d2abf2a8118576dd62673b5cbba4a7d34996e752dcf5252f15eeedf88d860246c0961c10c7838e51fd8a64783d02f2bd4

C:\Users\Admin\AppData\Local\Temp\Phase.xls

MD5 ec519420fd100373a7450c8daf7952ba
SHA1 cd8db08264eb1f570a401e3f9ec4ca8a0b687b1a
SHA256 4ff2c534d0f12312f600e5f296b02922b5c722ba26a7ed56264450d694bf72fc
SHA512 9075e9e4586d0e687f78534e716981e1cd1a29c056d89cac372dc1e8e286ca99750cc31b671240a5616df9ad401c9106cefcdf7f917158b7086d74aa7271ee68

C:\Users\Admin\AppData\Local\Temp\Rick

MD5 52f053245da34f90d9181baac6d23e12
SHA1 0c42c0879918787e4f8dbbe57b4d3f7938a86d76
SHA256 0cdfd1b79ee6288a175792cbf1727a2c20253e89cbf8b5ce22c82a7cd2ea535a
SHA512 937b86ecdf543597e6304f32730ff4392cae4e8c927b3fae62058e940aa9b9b1418b7b9f5dfc98193814ad10fd942d4ce471a703596cd644b6ceb286241cb445

C:\Users\Admin\AppData\Local\Temp\Cope

MD5 20895547fa3a515d2bbfbd0481e22461
SHA1 8b87cb53cf1d9861e24378034bc2d0d241f8f250
SHA256 22129e2365e88107e08d24c42a9bfc1686cf535c48fc5833221fe9625f213f7b
SHA512 dd5c8d2c2fcbe7b2ec70c0867530f959303f2e7dc73ad7b1605f19ce41164d379a9582dd37a5fb75bb7f2ae8d60df721dd3a63c6ec1445746395d1240da00153

C:\Users\Admin\AppData\Local\Temp\Porsche

MD5 b27e76bc94bfb17550ffad69c60875d3
SHA1 d164ed43ba3cdb396356747809ffd59d5d65a063
SHA256 81b591ffd26a28580a3898883ecd14123f58523c78513100b1154218e8bbe92d
SHA512 139793af16e1db6e3e05017e307b20b55a984a706946b43715f21b11c40b9ddb034610e0fb28ba98778392ce32530c91b58edfada87f22c33dccfa63c5af669c

C:\Users\Admin\AppData\Local\Temp\Together

MD5 896cc5596dbc99b96e537e1ba2669f9a
SHA1 81e503420f174312ce3b8931fb65bcceede1c578
SHA256 b13e4895353432809d061efb5d593dc5d3b612697f69cabb78f99e43c344d53f
SHA512 a80b9c84b7508d1bfbe108a4b93df3ee7881aff80eaaddfcddcdba7b5b73435f3758adc1d7287d1880ad51d85c1227cdb24457da95572e31bd1f7d34785fa062

C:\Users\Admin\AppData\Local\Temp\Hay

MD5 b86aeeb94a759d50dd82253e3b35b189
SHA1 a5e8c674d431eea13d2edb209983692f0be8e4c2
SHA256 10b13f92c9445cf1a5ccf7b33cce66796018a4ffe7a6d9dba6e52a27eafc1013
SHA512 30b6a21443ac2b4de56d7c7db0ac01283d09f3e820ccf5de9cc2add76a2bf1bf6b4a8b8c4feb6e5be332ba0b8f6f4c21050a4658985da41ea091e85836cea965

C:\Users\Admin\AppData\Local\Temp\Suck

MD5 d26e449dbd419e33b1649d281120e95d
SHA1 2536fbcca7a6a50f18dafd52b55c868265ffcb1e
SHA256 1925e81e6f9d510c21859ac048f1f70b6e14f8e993748d0284c2ad86f3a46a6a
SHA512 37675505b66e5dd223e5b7b64310c9df860e331cd5acae1af2dfdffaf57306324360808b6da12e4e620699c58b2609e02fda75ca6b9ef64d2037330eb923f8b8

C:\Users\Admin\AppData\Local\Temp\Saying

MD5 2efb121a4f18c03ecd7793f19c035c81
SHA1 3fb5891056d17deaf8024717800b98caf26bcb18
SHA256 19c38507f88adef9dde548e215b01549a306ec3bb2c75b142fe389eb216cbf8f
SHA512 2967164bf30ce30e4be7517d0f3f87b20c102f27b15c85501806e46caa04f3eb91d77fba76085742500a40d9674508ab942b03c04417a9f8ba94d189f19220e3

C:\Users\Admin\AppData\Local\Temp\Ahead

MD5 45b00ef6c0ff6b7e107ab38501aa9b8d
SHA1 1d7239f1ac9d2fdc68bf42cb4c922ef30f0b9ff3
SHA256 92c778c32620fcfa92294432fb584c0aa3387865d31ad9417c2cf410a984ec77
SHA512 9361d2a5eb2b540edae4bfdd2b807ca055f23edc7fda560c1197fbd7b2c7ebcb8af66c444d343fbcdd7b19e87c5a4b49e2b3ff6b9595f9398793799e087c8660

C:\Users\Admin\AppData\Local\Temp\Tell

MD5 8ebbdd0335faa715a3738576f0f36f83
SHA1 94117f75ce3f4376ae6726ca91b2cf815592ffc9
SHA256 d60935ad257a55db709ea03f4decc6cb54a8dcabb50e0aa22c8b6ec528e41686
SHA512 21bc1437b26cfc917a8d91db33ccd0272f5cb008ab5e6b235ae7e0e79fcb14855a3b380c2461668c869c270f712df6525e68f23f88c18481ff3629df1f1e70fd

C:\Users\Admin\AppData\Local\Temp\Observer.xls

MD5 44c2060e55b67e3a1e6c1c6d9718732a
SHA1 0517ad7625d36b11a8ce2bb8f10d9ff196d5dc20
SHA256 c71df96688a046f890fa005f28b89b9a806e4519db689f55914aeb3ac04390e5
SHA512 087b07b06a84ea9b93779028aa80423624d8a038d5f8f2e8b57397d2afd2046230d31ede1bf40f1ca778a4af7a8d89d4cddd97fd025fbe0d48dfff3c12465312

C:\Users\Admin\AppData\Local\Temp\V.xls

MD5 dd293664223c227fa5a3502f021449cb
SHA1 5a91a61c061f3e148e65c06e2f9bd5ebea131327
SHA256 4b68746f26924785b0648f91b165808d06b9ce74e6f07f69b2a634728923b784
SHA512 5efff838a94a15def500819bfc7d21e2f77330eb2e3c262bad521f5f1aaa9db9634e37cbc2e6bb03781a20fa463fd431c79fb06a358b9d9c2c8c41bc36b5a8de

C:\Users\Admin\AppData\Local\Temp\Closes.xls

MD5 ca026bf277621b9558c201d296aff9fa
SHA1 50b4aec1db438a0abe70d1e3870b45948f9e9492
SHA256 040c31e1dd4726b2c22f7ceba9a613fa13b31d5a5ec665f0fe7167e2b060a8a0
SHA512 ed018c8e0d4c1fed340cc31c5014e1e9ae6b113922acdfa72bc0bc208925b830e8380a535484e7b2f8ba08d581a66ce9672e03a64c9c161a3cae46645ae9ae0e

C:\Users\Admin\AppData\Local\Temp\Enjoyed.xls

MD5 d429c47f0cc10ad4611eca4e3af6b175
SHA1 87464cd046524092d076cd8493a87e6ef437164e
SHA256 30167494f93fe884630f33d0db988794f24bf7cd1e4677f6b98da99c7fcbe4c5
SHA512 4e2c6ce9a3b1ca703874cfba03c74344fc936773a6333cc6b786db828541b3e46b28fedf84591562ab14150587eaa1542b43c41ff45960e8c584d736e2f9b0f0

C:\Users\Admin\AppData\Local\Temp\Euro.xls

MD5 d469b9ac05657dcc68db99926bcef248
SHA1 0f806e115a21ae525576c38ec249edc2a7c7b7c5
SHA256 a87eca97001728a9f08f7a01e4af5962315a31206757bbd844ee132f1b284b77
SHA512 0a4ddbeddb2931c545f7c9924e42679298457b6f7336196d0608c6ba4337666e74abd7aa480c1e692e0d516cc8738cf9f2d3bb1989dd4d01408bc536c4ffe3d4

C:\Users\Admin\AppData\Local\Temp\Opinion.xls

MD5 2b5fcb3cd72546ec42e467574044d822
SHA1 253ba53ed24d55c422e38f5bd66ff4448de08c93
SHA256 ddfd3dc555d81c08940e0632d7ad5c21891999d4e005361069f8a2beacfd3228
SHA512 79d2ffdb33766b62201ee356d5b4ebcdbad9587a2bcc5e33c3dd258fad5a54aaf509668a324a4789ebb6bad0e4a131eebf8822561f2d3a52a4afb9ce9b549e59

C:\Users\Admin\AppData\Local\Temp\542417\Threaded.com

MD5 62d09f076e6e0240548c2f837536a46a
SHA1 26bdbc63af8abae9a8fb6ec0913a307ef6614cf2
SHA256 1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49
SHA512 32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

C:\Users\Admin\AppData\Local\Temp\542417\h

MD5 1a4ab95c26df7d9baa249513a86822f8
SHA1 f3aeb8d2dd77b02ab0dd974f1f4ad76053023729
SHA256 80574740431658db73706300ac53a4cad9962f8bb5d19264ce2fd922a2638628
SHA512 2339cbb91f6199d5bff6110bd568c1c5a76c4d9b0564cd285622d8047b2f765cdb50073c00f8076284ec2a973418d7984147e803cafe9af1e1e4584a1436db80

memory/5040-703-0x00000000041C0000-0x000000000421E000-memory.dmp

memory/5040-704-0x00000000041C0000-0x000000000421E000-memory.dmp

memory/5040-705-0x00000000041C0000-0x000000000421E000-memory.dmp

memory/5040-706-0x00000000041C0000-0x000000000421E000-memory.dmp

memory/5040-707-0x00000000041C0000-0x000000000421E000-memory.dmp