lumma | b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8

Analysis

max time kernel
137s
max time network
55s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 10:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
Size

211KB
MD5

0505e8af25b9fa72e1608eaf54a07d18
SHA1

ec57f317404bd4675e60a59fb0b836bdff9be52d
SHA256

b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8
SHA512

130c01746f10834c9cfec32d4e387550635cbc94d841615dddb5bb6ea5c622179a97532df0b74c287e69f564b7e1591ed0df5613b8e5ce7a084adf2b003d2c02
SSDEEP

3072:LY+vlv/baAjglQX4YWYpRq/vk1waTlFX106xo46CaZiQm6zh6uJhoK4:U+vlv/hbCYAOTjy6x/6Cam6zcuJho

Score

10^/10

lumma evasion stealer

Malware Config

Signatures

Detect Lumma Stealer payload V4 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\file.exe	family_lumma_v4

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma

Modifies security service 2 TTPs 22 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	regedit.exe

Executes dropped EXE 10 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exe

pid process

4664 file.exe
2924 file.exe
3796 file.exe
428 file.exe
2968 file.exe
3384 file.exe
3268 file.exe
3656 file.exe
3084 file.exe
4324 file.exe

pid	process
4664	file.exe
2924	file.exe
3796	file.exe
428	file.exe
2968	file.exe
3384	file.exe
3268	file.exe
3656	file.exe
3084	file.exe
4324	file.exe

Drops file in System32 directory 22 IoCs

Processes:

file.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exefile.exe0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exefile.exe

description	ioc	process
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File created	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe
File opened for modification	C:\Windows\SysWOW64\file.exe	file.exe

Runs .reg file with regedit 11 IoCs

Processes:

regedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exeregedit.exe

pid	process
5116	regedit.exe
2012	regedit.exe
1752	regedit.exe
2948	regedit.exe
3692	regedit.exe
4392	regedit.exe
4596	regedit.exe
2352	regedit.exe
2900	regedit.exe
2904	regedit.exe
4532	regedit.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.execmd.exefile.execmd.exefile.execmd.exefile.execmd.exefile.execmd.exefile.execmd.exefile.execmd.exefile.exe

description	pid	process	target process
PID 216 wrote to memory of 440	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 216 wrote to memory of 440	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 216 wrote to memory of 440	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	cmd.exe
PID 440 wrote to memory of 1752	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1752	440	cmd.exe	regedit.exe
PID 440 wrote to memory of 1752	440	cmd.exe	regedit.exe
PID 216 wrote to memory of 4664	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 216 wrote to memory of 4664	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 216 wrote to memory of 4664	216	0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe	file.exe
PID 4664 wrote to memory of 1904	4664	file.exe	cmd.exe
PID 4664 wrote to memory of 1904	4664	file.exe	cmd.exe
PID 4664 wrote to memory of 1904	4664	file.exe	cmd.exe
PID 1904 wrote to memory of 2900	1904	cmd.exe	regedit.exe
PID 1904 wrote to memory of 2900	1904	cmd.exe	regedit.exe
PID 1904 wrote to memory of 2900	1904	cmd.exe	regedit.exe
PID 4664 wrote to memory of 2924	4664	file.exe	file.exe
PID 4664 wrote to memory of 2924	4664	file.exe	file.exe
PID 4664 wrote to memory of 2924	4664	file.exe	file.exe
PID 2924 wrote to memory of 4572	2924	file.exe	cmd.exe
PID 2924 wrote to memory of 4572	2924	file.exe	cmd.exe
PID 2924 wrote to memory of 4572	2924	file.exe	cmd.exe
PID 4572 wrote to memory of 2904	4572	cmd.exe	regedit.exe
PID 4572 wrote to memory of 2904	4572	cmd.exe	regedit.exe
PID 4572 wrote to memory of 2904	4572	cmd.exe	regedit.exe
PID 2924 wrote to memory of 3796	2924	file.exe	file.exe
PID 2924 wrote to memory of 3796	2924	file.exe	file.exe
PID 2924 wrote to memory of 3796	2924	file.exe	file.exe
PID 3796 wrote to memory of 1976	3796	file.exe	cmd.exe
PID 3796 wrote to memory of 1976	3796	file.exe	cmd.exe
PID 3796 wrote to memory of 1976	3796	file.exe	cmd.exe
PID 1976 wrote to memory of 4532	1976	cmd.exe	regedit.exe
PID 1976 wrote to memory of 4532	1976	cmd.exe	regedit.exe
PID 1976 wrote to memory of 4532	1976	cmd.exe	regedit.exe
PID 3796 wrote to memory of 428	3796	file.exe	file.exe
PID 3796 wrote to memory of 428	3796	file.exe	file.exe
PID 3796 wrote to memory of 428	3796	file.exe	file.exe
PID 428 wrote to memory of 4512	428	file.exe	cmd.exe
PID 428 wrote to memory of 4512	428	file.exe	cmd.exe
PID 428 wrote to memory of 4512	428	file.exe	cmd.exe
PID 4512 wrote to memory of 2948	4512	cmd.exe	regedit.exe
PID 4512 wrote to memory of 2948	4512	cmd.exe	regedit.exe
PID 4512 wrote to memory of 2948	4512	cmd.exe	regedit.exe
PID 428 wrote to memory of 2968	428	file.exe	file.exe
PID 428 wrote to memory of 2968	428	file.exe	file.exe
PID 428 wrote to memory of 2968	428	file.exe	file.exe
PID 2968 wrote to memory of 4828	2968	file.exe	cmd.exe
PID 2968 wrote to memory of 4828	2968	file.exe	cmd.exe
PID 2968 wrote to memory of 4828	2968	file.exe	cmd.exe
PID 4828 wrote to memory of 3692	4828	cmd.exe	regedit.exe
PID 4828 wrote to memory of 3692	4828	cmd.exe	regedit.exe
PID 4828 wrote to memory of 3692	4828	cmd.exe	regedit.exe
PID 2968 wrote to memory of 3384	2968	file.exe	file.exe
PID 2968 wrote to memory of 3384	2968	file.exe	file.exe
PID 2968 wrote to memory of 3384	2968	file.exe	file.exe
PID 3384 wrote to memory of 3888	3384	file.exe	cmd.exe
PID 3384 wrote to memory of 3888	3384	file.exe	cmd.exe
PID 3384 wrote to memory of 3888	3384	file.exe	cmd.exe
PID 3888 wrote to memory of 4392	3888	cmd.exe	regedit.exe
PID 3888 wrote to memory of 4392	3888	cmd.exe	regedit.exe
PID 3888 wrote to memory of 4392	3888	cmd.exe	regedit.exe
PID 3384 wrote to memory of 3268	3384	file.exe	file.exe
PID 3384 wrote to memory of 3268	3384	file.exe	file.exe
PID 3384 wrote to memory of 3268	3384	file.exe	file.exe
PID 3268 wrote to memory of 4504	3268	file.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:440

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
3⤵
- Modifies security service
- Runs .reg file with regedit
PID:1752

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1052 "C:\Users\Admin\AppData\Local\Temp\0505e8af25b9fa72e1608eaf54a07d18_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
4⤵
- Modifies security service
- Runs .reg file with regedit
PID:2900

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1172 "C:\Windows\SysWOW64\file.exe"
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:4572

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
5⤵
- Modifies security service
- Runs .reg file with regedit
PID:2904

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1140 "C:\Windows\SysWOW64\file.exe"
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
5⤵
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
6⤵
- Modifies security service
- Runs .reg file with regedit
PID:4532

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1148 "C:\Windows\SysWOW64\file.exe"
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
6⤵
- Suspicious use of WriteProcessMemory
PID:4512

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
7⤵
- Modifies security service
- Runs .reg file with regedit
PID:2948

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1144 "C:\Windows\SysWOW64\file.exe"
6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
7⤵
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
8⤵
- Modifies security service
- Runs .reg file with regedit
PID:3692

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1152 "C:\Windows\SysWOW64\file.exe"
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
8⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
9⤵
- Modifies security service
- Runs .reg file with regedit
PID:4392

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1160 "C:\Windows\SysWOW64\file.exe"
8⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
9⤵
PID:4504

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
10⤵
- Modifies security service
- Runs .reg file with regedit
PID:4596

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1164 "C:\Windows\SysWOW64\file.exe"
9⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
10⤵
PID:3132

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
11⤵
- Modifies security service
- Runs .reg file with regedit
PID:5116

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1156 "C:\Windows\SysWOW64\file.exe"
10⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3084

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
11⤵
PID:1780

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
12⤵
- Modifies security service
- Runs .reg file with regedit
PID:2012

C:\Windows\SysWOW64\file.exe
C:\Windows\system32\file.exe 1176 "C:\Windows\SysWOW64\file.exe"
11⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
12⤵
PID:2648

C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
13⤵
- Modifies security service
- Runs .reg file with regedit
PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
576B

MD5
8a0897226da780b90c11da0756b361f1

SHA1
67f813e8733ad75a2147c59cca102a60274daeab

SHA256
115ff7b8bbe33e1325a2b03fb279281b79b2b9c4c0d6147c049c99da39867bee

SHA512
55e0e0791fb8e76fb67511ef2bfe1bdb934c857a5a555f9c72dd063250c18b17c57ff9f220c0d3cdd219828d87f5c08bfe5e198476c9d38119c4cfb099b99642

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
3KB

MD5
9e5db93bd3302c217b15561d8f1e299d

SHA1
95a5579b336d16213909beda75589fd0a2091f30

SHA256
f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e

SHA512
b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
701B

MD5
e427a32326a6a806e7b7b4fdbbe0ed4c

SHA1
b10626953332aeb7c524f2a29f47ca8b0bee38b1

SHA256
b5cfd1100679c495202229aede417b8a385405cb9d467d2d89b936fc99245839

SHA512
6bd679341bec6b224962f3d0d229cff2d400e568e10b7764eb4e0903c66819a8fa99927249ab9b4c447b2d09ea0d98eb9823fb2c5f7462112036049795a5d8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
703B

MD5
e2564fc59a86ea85b7485ab7288c68c4

SHA1
bc1544d9a03d1adafe399067ac32bf8d1cedbdb0

SHA256
68e8d8ef14bfbe96ebad3fb391fd4c1e57068a7f950dd31840884f6d58b078a8

SHA512
e09c6741d99ec41763e939aa39adb4e0f8508d37556c52251eec268849e85960da42ace7e9b82f1927de5bcf29ebec205189b113d2bb123025f3e6615b28ff0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
300B

MD5
9e1df6d58e6c905e4628df434384b3c9

SHA1
e67dd641da70aa9654ed24b19ed06a3eb8c0db43

SHA256
25bb4f644e47b4b64b0052ec7edfd4c27f370d07ef884078fea685f30b9c1bb0

SHA512
93c9f24dc530e08c85776955c200be468d099d8f1d2efe5e20cbb3a1d803fe23e0ba9b589df2498832082a283d79f6f1053a26d15f49e31a0da395ecc7225ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
61ec72543aaac5c7b336d2b22f919c07

SHA1
5bddb1f73b24c2113e9bf8268640f75fb0f3bd8d

SHA256
088881ff28ef1240847decd884be366614865bf9660f862dbffa64d504467aea

SHA512
e8ed6c1813218a542e0449f6bcda47b9464f2445a5d4b20e20b657d5328eb9fd5ddf859e61794a0b3d32057590ac029064c078d5743fe1a316ca8fdf254f7f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.reg

Filesize
2KB

MD5
294976e85ad11a45853f99c1b208723f

SHA1
8d83101d69420b5af97ec517165d849d3ab498fc

SHA256
04fe02d621f3d9853840b27476da4a191fc91592a77632f9cf85d4ef0370acff

SHA512
e8193036e0e411afe75c1e23f9ce1a7f32d1297706cdd0d99c20375dd7a2bdfb23cc550015852f36816668f0d085042afe74fcfff294f90854ea70f3b929a9d6

Download Submit
C:\Windows\SysWOW64\file.exe

Filesize
211KB

MD5
0505e8af25b9fa72e1608eaf54a07d18

SHA1
ec57f317404bd4675e60a59fb0b836bdff9be52d

SHA256
b20a53ffbf2785cb8d8e2ff5880fd450188547a7474447c018305897fe2a29c8

SHA512
130c01746f10834c9cfec32d4e387550635cbc94d841615dddb5bb6ea5c622179a97532df0b74c287e69f564b7e1591ed0df5613b8e5ce7a084adf2b003d2c02

Download Submit
\??\c:\a.bat

Filesize
5KB

MD5
0019a0451cc6b9659762c3e274bc04fb

SHA1
5259e256cc0908f2846e532161b989f1295f479b

SHA256
ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876

SHA512
314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904

Download Submit