lumma | b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8

Analysis

max time kernel
137s
max time network
122s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
Size

211KB
MD5

0505e8af25b9fa72e1608eaf54a07d18
SHA1

ec57f317404bd4675e60a59fb0b836bdff9be52d
SHA256

b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8
SHA512

130c01746f10834c9cfec32d4e387550635cbc94d841615dddb5bb6ea5c622179a97532df0b74c287e69f564b7e1591ed0df5613b8e5ce7a084adf2b003d2c02
SSDEEP

3072:LY+vlv/baAjglQX4YWYpRq/vk1waTlFX106xo46CaZiQm6zh6uJhoK4:U+vlv/hbCYAOTjy6x/6Cam6zcuJho

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
\Windows\SysWOW64\file.exe	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 20 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exe

pid process

2708 file.exe
1040 file.exe
2196 file.exe
2656 file.exe
2244 file.exe
2828 file.exe
2436 file.exe
1632 file.exe
2172 file.exe
1956 file.exe

pid	process
2708	file.exe
1040	file.exe
2196	file.exe
2656	file.exe
2244	file.exe
2828	file.exe
2436	file.exe
1632	file.exe
2172	file.exe
1956	file.exe

Loads dropped DLL 20 IoCs

Processes:

0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exe

pid	process
2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
2708	file.exe
2708	file.exe
1040	file.exe
1040	file.exe
2196	file.exe
2196	file.exe
2656	file.exe
2656	file.exe
2244	file.exe
2244	file.exe
2828	file.exe
2828	file.exe
2436	file.exe
2436	file.exe
1632	file.exe
1632	file.exe
2172	file.exe
2172	file.exe

Drops file in System32 directory 22 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exefile.exe0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exefile.exefile.exefile.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe

Runs .reg file with regedit 10 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
1620	regedit.exe
2664	regedit.exe
1976	regedit.exe
1700	regedit.exe
1968	regedit.exe
2840	regedit.exe
2752	regedit.exe
2596	regedit.exe
1684	regedit.exe
1284	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.execmd.exefile.exefile.execmd.exefile.execmd.exefile.execmd.exefile.execmd.exe

description	pid	process	target process
PID 2888 wrote to memory of 2408	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 2888 wrote to memory of 2408	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 2888 wrote to memory of 2408	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 2888 wrote to memory of 2408	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 2408 wrote to memory of 2840	2408	cmd.exe	regedit.exe
PID 2408 wrote to memory of 2840	2408	cmd.exe	regedit.exe
PID 2408 wrote to memory of 2840	2408	cmd.exe	regedit.exe
PID 2408 wrote to memory of 2840	2408	cmd.exe	regedit.exe
PID 2888 wrote to memory of 2708	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 2888 wrote to memory of 2708	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 2888 wrote to memory of 2708	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 2888 wrote to memory of 2708	2888	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 2708 wrote to memory of 2372	2708	file.exe	cmd.exe
PID 2708 wrote to memory of 2372	2708	file.exe	cmd.exe
PID 2708 wrote to memory of 2372	2708	file.exe	cmd.exe
PID 2708 wrote to memory of 2372	2708	file.exe	cmd.exe
PID 2708 wrote to memory of 1040	2708	file.exe	file.exe
PID 2708 wrote to memory of 1040	2708	file.exe	file.exe
PID 2708 wrote to memory of 1040	2708	file.exe	file.exe
PID 2708 wrote to memory of 1040	2708	file.exe	file.exe
PID 1040 wrote to memory of 1316	1040	file.exe	cmd.exe
PID 1040 wrote to memory of 1316	1040	file.exe	cmd.exe
PID 1040 wrote to memory of 1316	1040	file.exe	cmd.exe
PID 1040 wrote to memory of 1316	1040	file.exe	cmd.exe
PID 1316 wrote to memory of 1620	1316	cmd.exe	regedit.exe
PID 1316 wrote to memory of 1620	1316	cmd.exe	regedit.exe
PID 1316 wrote to memory of 1620	1316	cmd.exe	regedit.exe
PID 1316 wrote to memory of 1620	1316	cmd.exe	regedit.exe
PID 1040 wrote to memory of 2196	1040	file.exe	file.exe
PID 1040 wrote to memory of 2196	1040	file.exe	file.exe
PID 1040 wrote to memory of 2196	1040	file.exe	file.exe
PID 1040 wrote to memory of 2196	1040	file.exe	file.exe
PID 2196 wrote to memory of 1308	2196	file.exe	cmd.exe
PID 2196 wrote to memory of 1308	2196	file.exe	cmd.exe
PID 2196 wrote to memory of 1308	2196	file.exe	cmd.exe
PID 2196 wrote to memory of 1308	2196	file.exe	cmd.exe
PID 1308 wrote to memory of 2664	1308	cmd.exe	regedit.exe
PID 1308 wrote to memory of 2664	1308	cmd.exe	regedit.exe
PID 1308 wrote to memory of 2664	1308	cmd.exe	regedit.exe
PID 1308 wrote to memory of 2664	1308	cmd.exe	regedit.exe
PID 2196 wrote to memory of 2656	2196	file.exe	file.exe
PID 2196 wrote to memory of 2656	2196	file.exe	file.exe
PID 2196 wrote to memory of 2656	2196	file.exe	file.exe
PID 2196 wrote to memory of 2656	2196	file.exe	file.exe
PID 2656 wrote to memory of 2820	2656	file.exe	cmd.exe
PID 2656 wrote to memory of 2820	2656	file.exe	cmd.exe
PID 2656 wrote to memory of 2820	2656	file.exe	cmd.exe
PID 2656 wrote to memory of 2820	2656	file.exe	cmd.exe
PID 2820 wrote to memory of 2752	2820	cmd.exe	regedit.exe
PID 2820 wrote to memory of 2752	2820	cmd.exe	regedit.exe
PID 2820 wrote to memory of 2752	2820	cmd.exe	regedit.exe
PID 2820 wrote to memory of 2752	2820	cmd.exe	regedit.exe
PID 2656 wrote to memory of 2244	2656	file.exe	file.exe
PID 2656 wrote to memory of 2244	2656	file.exe	file.exe
PID 2656 wrote to memory of 2244	2656	file.exe	file.exe
PID 2656 wrote to memory of 2244	2656	file.exe	file.exe
PID 2244 wrote to memory of 2508	2244	file.exe	cmd.exe
PID 2244 wrote to memory of 2508	2244	file.exe	cmd.exe
PID 2244 wrote to memory of 2508	2244	file.exe	cmd.exe
PID 2244 wrote to memory of 2508	2244	file.exe	cmd.exe
PID 2508 wrote to memory of 1976	2508	cmd.exe	regedit.exe
PID 2508 wrote to memory of 1976	2508	cmd.exe	regedit.exe
PID 2508 wrote to memory of 1976	2508	cmd.exe	regedit.exe
PID 2508 wrote to memory of 1976	2508	cmd.exe	regedit.exe

C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
- Modifies security service
- Runs .reg file with regedit
PID:2840

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 492 "C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
3⤵
PID:2372

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 540 "C:\Windows\SysWOW64\file.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1040

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:1316

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
5⤵
- Modifies security service
- Runs .reg file with regedit
PID:1620

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 544 "C:\Windows\SysWOW64\file.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
6⤵
- Modifies security service
- Runs .reg file with regedit
PID:2664

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 536 "C:\Windows\SysWOW64\file.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2656

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
7⤵
- Modifies security service
- Runs .reg file with regedit
PID:2752

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 548 "C:\Windows\SysWOW64\file.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
7⤵
- Suspicious use of WriteProcessMemory
PID:2508

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
8⤵
- Modifies security service
- Runs .reg file with regedit
PID:1976

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 552 "C:\Windows\SysWOW64\file.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2828

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
8⤵
PID:1744

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
9⤵
- Modifies security service
- Runs .reg file with regedit
PID:2596

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 556 "C:\Windows\SysWOW64\file.exe"
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
9⤵
PID:2880

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
10⤵
- Modifies security service
- Runs .reg file with regedit
PID:1684

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 560 "C:\Windows\SysWOW64\file.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1632

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
10⤵
PID:632

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
11⤵
- Modifies security service
- Runs .reg file with regedit
PID:1700

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 564 "C:\Windows\SysWOW64\file.exe"
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2172

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
11⤵
PID:2228

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
12⤵
- Modifies security service
- Runs .reg file with regedit
PID:1968

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 568 "C:\Windows\SysWOW64\file.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1956

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
12⤵
PID:1872

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
13⤵
- Modifies security service
- Runs .reg file with regedit
PID:1284

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
1KB

MD5
895301bce84d6fe707b5cfd50f1f9f97

SHA1
50a012f59655621768f624c4571654145663c042

SHA256
b2c6435e83784b85e7f4bdd4568bd954029caac9f5795e3111ae75db0f9874d4

SHA512
a75188afa7c01959bcbf7b832d92d0134072eecd3dd58d6179bc626024d4c9593cadc5cf9ab00deb3824853df003a0a73c84b60cefbdcb6944d216534ea7ffc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
3KB

MD5
5e073629d751540b3512a229a7c56baf

SHA1
8d384f06bf3fe00d178514990ae39fc54d4e3941

SHA256
2039732d26af5a0d4db7bda4a781967a0e0e4543dea9838690219e3cb688449e

SHA512
84fc0d818ecd5706904b5918170436820ffc78c894cbe549a4f5b04b5c9832e3d709c98d56c8522b55a98cd9db8ec04aeaa020e9162e8a35503597ca580126fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
784B

MD5
5a466127fedf6dbcd99adc917bd74581

SHA1
a2e60b101c8789b59360d95a64ec07d0723c4d38

SHA256
8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84

SHA512
695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
1KB

MD5
5f6aefafda312b288b7d555c1fc36dc9

SHA1
f25e2fdea9dd714d0fae68af71cace7bb49302ce

SHA256
60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a

SHA512
97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
3KB

MD5
d085cde42c14e8ee2a5e8870d08aee42

SHA1
c8e967f1d301f97dbcf252d7e1677e590126f994

SHA256
a15d5dfd655de1214e0aae2292ead17eef1f1b211d39fac03276bbd6325b0d9f

SHA512
de2cebd45d3cf053df17ae43466db6a8b2d816bf4b9a8deb5b577cfedf765b5dcdc5904145809ad3ca03ccff308f8893ec1faa309dd34afcab7cc1836d698d7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
2KB

MD5
54ca6e3ef1c12b994043e85a8c9895f0

SHA1
5eaccfb482cbe24cf5c3203ffdc926184097427e

SHA256
0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0

SHA512
925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
2KB

MD5
5855edf3afa67e11de78af0389880d18

SHA1
c43fcd36d70a6ffcd41fbb48c1d0c406fd00286f

SHA256
c7798759a159989611cdf47f702c8813ad0f029b52f18af573f383859a8bfaaa

SHA512
5be99a55f86486c04bda0a089571c296d041dae337321578c0f8d19d7bd2e51802aafbc8716753b6191b8e5ced782a5bc7d44bdd4995ab8e6ac1f7cd4b0f91ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
2KB

MD5
6bf876cd9994f0d41be4eca36d22c42a

SHA1
50cda4b940e6ba730ce59000cfc59e6c4d7fdc79

SHA256
ff39ffe6e43e9b293c5be6aa85345e868a27215293e750c00e1e0ba676deeb2a

SHA512
605e2920cd230b6c617a2d4153f23144954cd4bae0f66b857e1b334cd66258fbc5ba049c1ab6ab83c30fd54c87235a115ec7bbfd17d6792a4bbbae4c6700e106

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg
Filesize
2KB

MD5
6dd7ad95427e77ae09861afd77104775

SHA1
81c2ffe8c63e71f013a07e5794473b60f50c0716

SHA256
8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2

SHA512
171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb

Download Submit
C:\a.bat
Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit
\Windows\SysWOW64\file.exe
Filesize
211KB

MD5
0505e8af25b9fa72e1608eaf54a07d18

SHA1
ec57f317404bd4675e60a59fb0b836bdff9be52d

SHA256
b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8

SHA512
130c01746f10834c9cfec32d4e387550635cbc94d841615dddb5bb6ea5c622179a97532df0b74c287e69f564b7e1591ed0df5613b8e5ce7a084adf2b003d2c02

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads