lumma | 8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
21-04-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
Size

227KB
MD5

ff9c2ce33fce1585aa1ff20145555761
SHA1

0a69962fd393fb450a81b557af000bcc9d8b1e25
SHA256

8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf
SHA512

7572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a
SSDEEP

6144:qoEdkmu85Dq+3qM3W7tfQN5/inEaMadDKNa1aILk71:gkmDN6M3atfQunka1KNaTgJ

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 16 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2180-296-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/3580-318-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/3580-439-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/3300-590-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/4112-597-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/60-737-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/60-871-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/924-877-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/924-1012-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/4748-1018-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/4748-1147-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/4460-1152-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-1285-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/2156-1411-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/3860-1414-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4
behavioral2/memory/1652-1545-0x0000000000400000-0x000000000048A000-memory.dmp	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

Processes:

cPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.com

pid process

3580 cPaner.com
3300 cPaner.com
4112 cPaner.com
60 cPaner.com
924 cPaner.com
4748 cPaner.com
4460 cPaner.com
2156 cPaner.com
3860 cPaner.com
1652 cPaner.com

pid	process
3580	cPaner.com
3300	cPaner.com
4112	cPaner.com
60	cPaner.com
924	cPaner.com
4748	cPaner.com
4460	cPaner.com
2156	cPaner.com
3860	cPaner.com
1652	cPaner.com

Drops file in System32 directory 32 IoCs

Processes:

ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.execPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.comcPaner.com

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\cPaner.com	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File created	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com
File opened for modification	C:\Windows\SysWOW64\aspr_keys.ini	cPaner.com
File opened for modification	C:\Windows\SysWOW64\cPaner.com	cPaner.com

Runs .reg file with regedit 11 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
4488	regedit.exe
2456	regedit.exe
4516	regedit.exe
4532	regedit.exe
4784	regedit.exe
4092	regedit.exe
1064	regedit.exe
5108	regedit.exe
3828	regedit.exe
2944	regedit.exe
488	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.execmd.execPaner.comcmd.execPaner.comcmd.execPaner.comcmd.execPaner.comcmd.execPaner.comcmd.execPaner.comcmd.execPaner.com

description	pid	process	target process
PID 2180 wrote to memory of 1432	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 1432	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cmd.exe
PID 2180 wrote to memory of 1432	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cmd.exe
PID 1432 wrote to memory of 4488	1432	cmd.exe	regedit.exe
PID 1432 wrote to memory of 4488	1432	cmd.exe	regedit.exe
PID 1432 wrote to memory of 4488	1432	cmd.exe	regedit.exe
PID 2180 wrote to memory of 3580	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cPaner.com
PID 2180 wrote to memory of 3580	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cPaner.com
PID 2180 wrote to memory of 3580	2180	ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe	cPaner.com
PID 3580 wrote to memory of 3152	3580	cPaner.com	cmd.exe
PID 3580 wrote to memory of 3152	3580	cPaner.com	cmd.exe
PID 3580 wrote to memory of 3152	3580	cPaner.com	cmd.exe
PID 3152 wrote to memory of 5108	3152	cmd.exe	regedit.exe
PID 3152 wrote to memory of 5108	3152	cmd.exe	regedit.exe
PID 3152 wrote to memory of 5108	3152	cmd.exe	regedit.exe
PID 3580 wrote to memory of 3300	3580	cPaner.com	cPaner.com
PID 3580 wrote to memory of 3300	3580	cPaner.com	cPaner.com
PID 3580 wrote to memory of 3300	3580	cPaner.com	cPaner.com
PID 3300 wrote to memory of 3052	3300	cPaner.com	cmd.exe
PID 3300 wrote to memory of 3052	3300	cPaner.com	cmd.exe
PID 3300 wrote to memory of 3052	3300	cPaner.com	cmd.exe
PID 3052 wrote to memory of 2456	3052	cmd.exe	regedit.exe
PID 3052 wrote to memory of 2456	3052	cmd.exe	regedit.exe
PID 3052 wrote to memory of 2456	3052	cmd.exe	regedit.exe
PID 3300 wrote to memory of 4112	3300	cPaner.com	cPaner.com
PID 3300 wrote to memory of 4112	3300	cPaner.com	cPaner.com
PID 3300 wrote to memory of 4112	3300	cPaner.com	cPaner.com
PID 4112 wrote to memory of 1064	4112	cPaner.com	cmd.exe
PID 4112 wrote to memory of 1064	4112	cPaner.com	cmd.exe
PID 4112 wrote to memory of 1064	4112	cPaner.com	cmd.exe
PID 1064 wrote to memory of 3828	1064	cmd.exe	regedit.exe
PID 1064 wrote to memory of 3828	1064	cmd.exe	regedit.exe
PID 1064 wrote to memory of 3828	1064	cmd.exe	regedit.exe
PID 4112 wrote to memory of 60	4112	cPaner.com	cPaner.com
PID 4112 wrote to memory of 60	4112	cPaner.com	cPaner.com
PID 4112 wrote to memory of 60	4112	cPaner.com	cPaner.com
PID 60 wrote to memory of 4204	60	cPaner.com	cmd.exe
PID 60 wrote to memory of 4204	60	cPaner.com	cmd.exe
PID 60 wrote to memory of 4204	60	cPaner.com	cmd.exe
PID 4204 wrote to memory of 4516	4204	cmd.exe	regedit.exe
PID 4204 wrote to memory of 4516	4204	cmd.exe	regedit.exe
PID 4204 wrote to memory of 4516	4204	cmd.exe	regedit.exe
PID 60 wrote to memory of 924	60	cPaner.com	cPaner.com
PID 60 wrote to memory of 924	60	cPaner.com	cPaner.com
PID 60 wrote to memory of 924	60	cPaner.com	cPaner.com
PID 924 wrote to memory of 2896	924	cPaner.com	cmd.exe
PID 924 wrote to memory of 2896	924	cPaner.com	cmd.exe
PID 924 wrote to memory of 2896	924	cPaner.com	cmd.exe
PID 2896 wrote to memory of 4532	2896	cmd.exe	regedit.exe
PID 2896 wrote to memory of 4532	2896	cmd.exe	regedit.exe
PID 2896 wrote to memory of 4532	2896	cmd.exe	regedit.exe
PID 924 wrote to memory of 4748	924	cPaner.com	cPaner.com
PID 924 wrote to memory of 4748	924	cPaner.com	cPaner.com
PID 924 wrote to memory of 4748	924	cPaner.com	cPaner.com
PID 4748 wrote to memory of 3052	4748	cPaner.com	cmd.exe
PID 4748 wrote to memory of 3052	4748	cPaner.com	cmd.exe
PID 4748 wrote to memory of 3052	4748	cPaner.com	cmd.exe
PID 3052 wrote to memory of 4784	3052	cmd.exe	regedit.exe
PID 3052 wrote to memory of 4784	3052	cmd.exe	regedit.exe
PID 3052 wrote to memory of 4784	3052	cmd.exe	regedit.exe
PID 4748 wrote to memory of 4460	4748	cPaner.com	cPaner.com
PID 4748 wrote to memory of 4460	4748	cPaner.com	cPaner.com
PID 4748 wrote to memory of 4460	4748	cPaner.com	cPaner.com
PID 4460 wrote to memory of 4244	4460	cPaner.com	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
- Modifies security service
- Runs .reg file with regedit
PID:4488

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1048 "C:\Users\Admin\AppData\Local\Temp\ff9c2ce33fce1585aa1ff20145555761_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
4⤵
- Modifies security service
- Runs .reg file with regedit
PID:5108

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1208 "C:\Windows\SysWOW64\cPaner.com"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3300

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
5⤵
- Modifies security service
- Runs .reg file with regedit
PID:2456

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1180 "C:\Windows\SysWOW64\cPaner.com"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1064

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
6⤵
- Modifies security service
- Runs .reg file with regedit
PID:3828

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1184 "C:\Windows\SysWOW64\cPaner.com"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:60

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:4204

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
7⤵
- Modifies security service
- Runs .reg file with regedit
PID:4516

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1188 "C:\Windows\SysWOW64\cPaner.com"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
7⤵
- Suspicious use of WriteProcessMemory
PID:2896

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
8⤵
- Modifies security service
- Runs .reg file with regedit
PID:4532

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1196 "C:\Windows\SysWOW64\cPaner.com"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4748

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
8⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
9⤵
- Modifies security service
- Runs .reg file with regedit
PID:4784

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1200 "C:\Windows\SysWOW64\cPaner.com"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
9⤵
PID:4244

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
10⤵
- Modifies security service
- Runs .reg file with regedit
PID:2944

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1204 "C:\Windows\SysWOW64\cPaner.com"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
10⤵
PID:3264

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
11⤵
- Modifies security service
- Runs .reg file with regedit
PID:4092

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1192 "C:\Windows\SysWOW64\cPaner.com"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3860

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
11⤵
PID:3968

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
12⤵
- Modifies security service
- Runs .reg file with regedit
PID:488

C:\Windows\SysWOW64\cPaner.com
C:\Windows\system32\cPaner.com 1212 "C:\Windows\SysWOW64\cPaner.com"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1652

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\acx.bat
12⤵
PID:2232

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
13⤵
- Modifies security service
- Runs .reg file with regedit
PID:1064

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
2KB

MD5
fa83299c5a0d8714939977af6bdafa92

SHA1
46a4abab9b803a7361ab89d0ca000a367550e23c

SHA256
f3bb35f7fc756da2c2297a100fa29506cb12371edb793061add90ee16318bf03

SHA512
85e46b9f1089054e60c433459eea52bec26330f8b91879df3b48db1533a307443dd82006ac3bb86245bbd207c1d8c75c29949f755cc0dc262ede888a1d531599

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Windows\SysWOW64\cPaner.com
Filesize
227KB

MD5
ff9c2ce33fce1585aa1ff20145555761

SHA1
0a69962fd393fb450a81b557af000bcc9d8b1e25

SHA256
8c9f417cc07060056a707d847258a7a6a98e0ef6a16cb1243222c235d79c86bf

SHA512
7572f57ee2ed16996df52c8c70d7e01cfdac1cca15e86334a7f78d370fc6fb5ac3efca4e082e82a5073fcbd4acf116d0e619a3a3d090129e5eeee328ddd0338a

Download Submit
\??\c:\acx.bat
Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
memory/60-871-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/60-737-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/924-1012-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/924-877-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/1652-1545-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2156-1411-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2156-1285-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2180-149-0x0000000002630000-0x0000000002631000-memory.dmp

Filesize
4KB

Download
memory/2180-160-0x00000000031B0000-0x00000000031B1000-memory.dmp

Filesize
4KB

Download
memory/2180-118-0x00000000022D0000-0x00000000022D1000-memory.dmp

Filesize
4KB

Download
memory/2180-34-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2180-120-0x0000000002330000-0x0000000002331000-memory.dmp

Filesize
4KB

Download
memory/2180-121-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2180-122-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/2180-123-0x0000000002490000-0x0000000002491000-memory.dmp

Filesize
4KB

Download
memory/2180-124-0x0000000002480000-0x0000000002481000-memory.dmp

Filesize
4KB

Download
memory/2180-125-0x00000000024B0000-0x00000000024B1000-memory.dmp

Filesize
4KB

Download
memory/2180-128-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2180-126-0x00000000024A0000-0x00000000024A1000-memory.dmp

Filesize
4KB

Download
memory/2180-129-0x00000000024C0000-0x00000000024C1000-memory.dmp

Filesize
4KB

Download
memory/2180-131-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2180-132-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/2180-130-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2180-133-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/2180-134-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/2180-135-0x0000000002530000-0x0000000002531000-memory.dmp

Filesize
4KB

Download
memory/2180-136-0x0000000002560000-0x0000000002561000-memory.dmp

Filesize
4KB

Download
memory/2180-137-0x0000000002550000-0x0000000002551000-memory.dmp

Filesize
4KB

Download
memory/2180-139-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/2180-138-0x0000000002580000-0x0000000002581000-memory.dmp

Filesize
4KB

Download
memory/2180-140-0x00000000025A0000-0x00000000025A1000-memory.dmp

Filesize
4KB

Download
memory/2180-141-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/2180-142-0x00000000025B0000-0x00000000025B1000-memory.dmp

Filesize
4KB

Download
memory/2180-143-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/2180-144-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/2180-145-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/2180-146-0x00000000025F0000-0x00000000025F1000-memory.dmp

Filesize
4KB

Download
memory/2180-100-0x0000000002320000-0x0000000002321000-memory.dmp

Filesize
4KB

Download
memory/2180-148-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/2180-150-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/2180-151-0x0000000002620000-0x0000000002621000-memory.dmp

Filesize
4KB

Download
memory/2180-147-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/2180-157-0x0000000003190000-0x0000000003191000-memory.dmp

Filesize
4KB

Download
memory/2180-159-0x0000000003180000-0x0000000003181000-memory.dmp

Filesize
4KB

Download
memory/2180-119-0x00000000022E0000-0x00000000022E1000-memory.dmp

Filesize
4KB

Download
memory/2180-161-0x00000000031A0000-0x00000000031A1000-memory.dmp

Filesize
4KB

Download
memory/2180-163-0x00000000031D0000-0x00000000031D1000-memory.dmp

Filesize
4KB

Download
memory/2180-164-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/2180-166-0x00000000031F0000-0x00000000031F1000-memory.dmp

Filesize
4KB

Download
memory/2180-168-0x0000000003220000-0x0000000003221000-memory.dmp

Filesize
4KB

Download
memory/2180-194-0x0000000003210000-0x0000000003211000-memory.dmp

Filesize
4KB

Download
memory/2180-278-0x0000000003230000-0x0000000003231000-memory.dmp

Filesize
4KB

Download
memory/2180-195-0x0000000003240000-0x0000000003241000-memory.dmp

Filesize
4KB

Download
memory/2180-167-0x00000000031E0000-0x00000000031E1000-memory.dmp

Filesize
4KB

Download
memory/2180-280-0x0000000003260000-0x0000000003261000-memory.dmp

Filesize
4KB

Download
memory/2180-281-0x0000000003250000-0x0000000003251000-memory.dmp

Filesize
4KB

Download
memory/2180-282-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/2180-283-0x0000000003270000-0x0000000003271000-memory.dmp

Filesize
4KB

Download
memory/2180-284-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/2180-285-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/2180-286-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/2180-287-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/2180-288-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/2180-289-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/2180-296-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2180-0-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/2180-1-0x0000000000940000-0x0000000000984000-memory.dmp

Filesize
272KB

Download
memory/2180-2-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2180-6-0x00000000005F0000-0x00000000005F1000-memory.dmp

Filesize
4KB

Download
memory/2180-9-0x0000000002310000-0x0000000002314000-memory.dmp

Filesize
16KB

Download
memory/2180-7-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2180-5-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/3300-590-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3580-439-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3580-318-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3860-1414-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4112-597-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4460-1152-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4748-1018-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/4748-1147-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download