lumma | b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
Size

95KB
MD5

fb80fd969cdba54de7aa33d969d181e8
SHA1

6770bee0cd1aecd022307ea6b6f4c708efe410fb
SHA256

b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271
SHA512

ff0efe77e739f4b896c04917ba8b5e67c824dc73caecdc22d5c0abc189e15741837a2cf28b565bfb686b272179daf9d393cb83770a96412c42b2670f37bb59be
SSDEEP

1536:/BjlOyJwqVSW/uMKHAiU7kkqbM8vlxhdvf9DbQrMrOS6fKZ4J27Js7z5:tvwlZdU7kkSvbrf9DUrMrt6t2Nw

Score

10^/10

lumma evasion stealer upx

Malware Config

Signatures

Detect Lumma Stealer payload V4 13 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4500-227-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/5068-228-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/4464-341-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/4112-455-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/4948-569-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/3968-682-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/1384-686-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/1384-796-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/3928-909-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/3132-912-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/3132-1023-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/3656-1136-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4
behavioral2/memory/2736-1249-0x0000000000400000-0x000000000046C000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

Processes:

service.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exe

pid	process
5068	service.exe
4464	service.exe
4112	service.exe
4948	service.exe
3968	service.exe
1384	service.exe
3928	service.exe
3132	service.exe
3656	service.exe
2736	service.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4500-0-0x0000000000400000-0x000000000046C000-memory.dmp	upx
C:\Windows\SysWOW64\service.exe	upx
behavioral2/memory/4500-227-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/5068-228-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4464-341-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4112-343-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4112-455-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4948-459-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/4948-569-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3968-682-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1384-686-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/1384-796-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3928-909-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3132-912-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3132-1023-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/3656-1136-0x0000000000400000-0x000000000046C000-memory.dmp	upx
behavioral2/memory/2736-1249-0x0000000000400000-0x000000000046C000-memory.dmp	upx

Drops file in System32 directory 22 IoCs

Processes:

service.exeservice.exeservice.exeservice.exeservice.exeservice.exeservice.exefb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exeservice.exeservice.exeservice.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe

Runs .reg file with regedit 11 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
4940	regedit.exe
2812	regedit.exe
2252	regedit.exe
1080	regedit.exe
3808	regedit.exe
2460	regedit.exe
4644	regedit.exe
804	regedit.exe
2468	regedit.exe
2996	regedit.exe
916	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.execmd.exeservice.exe

description	pid	process	target process
PID 4500 wrote to memory of 4264	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 4500 wrote to memory of 4264	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 4500 wrote to memory of 4264	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	cmd.exe
PID 4264 wrote to memory of 4644	4264	cmd.exe	regedit.exe
PID 4264 wrote to memory of 4644	4264	cmd.exe	regedit.exe
PID 4264 wrote to memory of 4644	4264	cmd.exe	regedit.exe
PID 4500 wrote to memory of 5068	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 4500 wrote to memory of 5068	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 4500 wrote to memory of 5068	4500	fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe	service.exe
PID 5068 wrote to memory of 1692	5068	service.exe	cmd.exe
PID 5068 wrote to memory of 1692	5068	service.exe	cmd.exe
PID 5068 wrote to memory of 1692	5068	service.exe	cmd.exe
PID 1692 wrote to memory of 804	1692	cmd.exe	regedit.exe
PID 1692 wrote to memory of 804	1692	cmd.exe	regedit.exe
PID 1692 wrote to memory of 804	1692	cmd.exe	regedit.exe
PID 5068 wrote to memory of 4464	5068	service.exe	service.exe
PID 5068 wrote to memory of 4464	5068	service.exe	service.exe
PID 5068 wrote to memory of 4464	5068	service.exe	service.exe
PID 4464 wrote to memory of 3260	4464	service.exe	cmd.exe
PID 4464 wrote to memory of 3260	4464	service.exe	cmd.exe
PID 4464 wrote to memory of 3260	4464	service.exe	cmd.exe
PID 3260 wrote to memory of 4940	3260	cmd.exe	regedit.exe
PID 3260 wrote to memory of 4940	3260	cmd.exe	regedit.exe
PID 3260 wrote to memory of 4940	3260	cmd.exe	regedit.exe
PID 4464 wrote to memory of 4112	4464	service.exe	service.exe
PID 4464 wrote to memory of 4112	4464	service.exe	service.exe
PID 4464 wrote to memory of 4112	4464	service.exe	service.exe
PID 4112 wrote to memory of 3936	4112	service.exe	cmd.exe
PID 4112 wrote to memory of 3936	4112	service.exe	cmd.exe
PID 4112 wrote to memory of 3936	4112	service.exe	cmd.exe
PID 3936 wrote to memory of 2468	3936	cmd.exe	regedit.exe
PID 3936 wrote to memory of 2468	3936	cmd.exe	regedit.exe
PID 3936 wrote to memory of 2468	3936	cmd.exe	regedit.exe
PID 4112 wrote to memory of 4948	4112	service.exe	service.exe
PID 4112 wrote to memory of 4948	4112	service.exe	service.exe
PID 4112 wrote to memory of 4948	4112	service.exe	service.exe
PID 4948 wrote to memory of 1052	4948	service.exe	cmd.exe
PID 4948 wrote to memory of 1052	4948	service.exe	cmd.exe
PID 4948 wrote to memory of 1052	4948	service.exe	cmd.exe
PID 1052 wrote to memory of 2996	1052	cmd.exe	regedit.exe
PID 1052 wrote to memory of 2996	1052	cmd.exe	regedit.exe
PID 1052 wrote to memory of 2996	1052	cmd.exe	regedit.exe
PID 4948 wrote to memory of 3968	4948	service.exe	service.exe
PID 4948 wrote to memory of 3968	4948	service.exe	service.exe
PID 4948 wrote to memory of 3968	4948	service.exe	service.exe
PID 3968 wrote to memory of 3824	3968	service.exe	cmd.exe
PID 3968 wrote to memory of 3824	3968	service.exe	cmd.exe
PID 3968 wrote to memory of 3824	3968	service.exe	cmd.exe
PID 3824 wrote to memory of 916	3824	cmd.exe	regedit.exe
PID 3824 wrote to memory of 916	3824	cmd.exe	regedit.exe
PID 3824 wrote to memory of 916	3824	cmd.exe	regedit.exe
PID 3968 wrote to memory of 1384	3968	service.exe	service.exe
PID 3968 wrote to memory of 1384	3968	service.exe	service.exe
PID 3968 wrote to memory of 1384	3968	service.exe	service.exe
PID 1384 wrote to memory of 4444	1384	service.exe	cmd.exe
PID 1384 wrote to memory of 4444	1384	service.exe	cmd.exe
PID 1384 wrote to memory of 4444	1384	service.exe	cmd.exe
PID 4444 wrote to memory of 2812	4444	cmd.exe	regedit.exe
PID 4444 wrote to memory of 2812	4444	cmd.exe	regedit.exe
PID 4444 wrote to memory of 2812	4444	cmd.exe	regedit.exe
PID 1384 wrote to memory of 3928	1384	service.exe	service.exe
PID 1384 wrote to memory of 3928	1384	service.exe	service.exe
PID 1384 wrote to memory of 3928	1384	service.exe	service.exe
PID 3928 wrote to memory of 4204	3928	service.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c c:\a.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\regedit.exe
    REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
    3⤵
    - Modifies security service
    - Runs .reg file with regedit
    PID:4644
- C:\Windows\SysWOW64\service.exe
  C:\Windows\system32\service.exe 1052 "C:\Users\Admin\AppData\Local\Temp\fb80fd969cdba54de7aa33d969d181e8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c c:\a.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\SysWOW64\regedit.exe
      REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
      4⤵
      Modifies security service
      Runs .reg file with regedit
      PID:804
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\system32\service.exe 1168 "C:\Windows\SysWOW64\service.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:4464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c c:\a.bat
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3260
    - - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        5⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:4940
  - - C:\Windows\SysWOW64\service.exe
      C:\Windows\system32\service.exe 1140 "C:\Windows\SysWOW64\service.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3936
      - C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        6⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2468
    - - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1148 "C:\Windows\SysWOW64\service.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        7⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2996
      - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1152 "C:\Windows\SysWOW64\service.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3824
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        8⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:916
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1156 "C:\Windows\SysWOW64\service.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4444
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        9⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2812
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1160 "C:\Windows\SysWOW64\service.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        10⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:3808
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1144 "C:\Windows\SysWOW64\service.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        10⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        11⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2252
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1164 "C:\Windows\SysWOW64\service.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        11⤵
        
        PID:1248
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        12⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:1080
        
        C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\service.exe 1176 "C:\Windows\SysWOW64\service.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c c:\a.bat
        12⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\regedit.exe
        
        REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
        13⤵
        Modifies security service
        Runs .reg file with regedit
        
        PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
384B

MD5
c93c561465db53bf9a99759de9d25f07

SHA1
5386934828e2c2589bfe394ac1f03ffbfba93bfa

SHA256
32eae568e5a03070b122719c66798a0574658b85dc61bcf3c48eae29f4d77851

SHA512
bb0163e1a26f6b7cfd4ce214ae33a56e446fa74efca7682352ab52aa4b4d5b5b92a141e3e2a12b76f33827b1cd423f3d862cc973079d5da291832ce6a9fb9b18

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1KB

MD5
2b307765b7465ef5e4935f0ed7307c01

SHA1
c46a1947f8b2785114891f7905f663d9ae517f1b

SHA256
a3f77536a922968bc49827a6c8553ed6b74eafd52e6c1fcfd62bfa20a83efc85

SHA512
fce4fbf9900f50368cb35ac40e60b54835912921848a45b196c6f68ad66a07549f27237956c751f511d2589cf91980658d4f1b743dd2c9c9506102da3be4bae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
d5e129352c8dd0032b51f34a2bbecad3

SHA1
a50f8887ad4f6a1eb2dd3c5b807c95a923964a6a

SHA256
ebdaad14508e5ba8d9e794963cf35bd51b7a92b949ebf32deef254ab9cdd6267

SHA512
9a3aa2796657c964f3c3ff07c8891533a740c86e8b0bebb449b5a3e07e1248d0f6608e03d9847caf1c8bff70392d15474f2954349869d92658108515df6831c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b79d7c7385eb2936ecd5681762227a9b

SHA1
c2a21fb49bd3cc8be9baac1bf6f6389453ad785d

SHA256
fd1be29f1f4b9fc4a8d9b583c4d2114f17c062998c833b2085960ac02ef82019

SHA512
7ea049afca363ff483f57b9fff1e213006d689eb4406cefe7f1e096c46b41e7908f1e4d69e1411ae56eb1c4e19489c9322176ffdd8ea2f1c37213eb51f03ef5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
b9dc88ed785d13aaeae9626d7a26a6a0

SHA1
ab67e1c5ca09589b93c06ad0edc4b5a18109ec1e

SHA256
9f1cba2944ed1a547847aa72ba5c759c55da7466796389f9a0f4fad69926e6fc

SHA512
df6380a3e5565ff2bc66d7589af7bc3dcfa2598212c95765d070765341bba446a5a5d6206b50d860f6375c437622deb95a066440145a1b7917aee6dcef207b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
1024B

MD5
159bb1d34a927f58fc851798c7c09b58

SHA1
c3a26565004531f3a93e29eabb0f9a196b4c1ba2

SHA256
53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd

SHA512
b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
872656500ddac1ddd91d10aba3a8df96

SHA1
ddf655aea7e8eae37b0a2dd4c8cabaf21cf681fc

SHA256
d6f58d2fbf733d278281af0b9e7732a591cdd752e18a430f76cb7afa806c75f8

SHA512
e7fab32f6f38bde67c8ce7af483216c9965ab62a70aee5c9a9e17aa693c33c67953f817406c1687406977b234d89e62d7feb44757527de5db34e5a61462a0be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
683B

MD5
6fe56f6715b4c328bc5b2b35cb51c7e1

SHA1
8f4c2a2e2704c52fd6f01d9c58e4c7d843d69cc3

SHA256
0686dfa785bc9687be1a2bb42ef6c2e805a03f62b4af6c83bac7031e515189be

SHA512
8a19ba3f6e5678e92a6fd92a84f077e851a53a71a02622d87d5213a79f40540c7bbda17219f9349387e94edc75eb12fd2cb93e3b0abbcf9a85fc7d5e8bf3be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
7fe70731de9e888ca911baeb99ee503d

SHA1
0073da5273512f66dbf570580dc55957535c2478

SHA256
ec8ce13a4cab475695329eddc61ff2eee378e79f0d2f9ca3a9bc7b18bd52b89a

SHA512
4421df7085fd2aac218d5544152d77080b99c1eaa24076975a6b1bb01149a19a1c0d6cc2c042cd507b37af9a220e7ce1f026103cdabfaec5994b1533c2f3eeac

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
95KB

MD5
fb80fd969cdba54de7aa33d969d181e8

SHA1
6770bee0cd1aecd022307ea6b6f4c708efe410fb

SHA256
b115b3a04f746a1a4b7a0b9e10c8b66d96b835f1b3c900852671a41e977d6271

SHA512
ff0efe77e739f4b896c04917ba8b5e67c824dc73caecdc22d5c0abc189e15741837a2cf28b565bfb686b272179daf9d393cb83770a96412c42b2670f37bb59be

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/1384-686-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/1384-796-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/2736-1249-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3132-912-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3132-1023-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3656-1136-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3928-909-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/3968-682-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4112-455-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4112-343-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4464-341-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4500-227-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4500-0-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4948-569-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/4948-459-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download
memory/5068-228-0x0000000000400000-0x000000000046C000-memory.dmp

Filesize
432KB

Download