lumma | b84757f61afe1e60e646e29163c32db9c4ca4317f52b2e0382f3f0a740677c57

Analysis

max time kernel
156s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
07-01-2025 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setupv2.5.1.zip
Size

11.3MB
MD5

fb713cd74363ef0b0286eb324366a9a3
SHA1

ea60b2584670603dc2f636ce63f6d89067058bb1
SHA256

b84757f61afe1e60e646e29163c32db9c4ca4317f52b2e0382f3f0a740677c57
SHA512

61df7b381911976e338ab28a840e726a81c78fb5a90442dbe2fa1f0246d1baab6e1347f6d25219eff6c8f210b151063e063b35df40d956ac1bee43dca300402c
SSDEEP

196608:6VeNNPpzsmrE2ThOuylSnmy4Q7ThGYscCn5YV7MBe6qA816z0g1l0IlFAass0pMM:6wHzsmlyknmO7TqcC5YVgY4zB0IlFUCM

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://cloudewahsj.shop/api

https://rabidcowse.shop/api

https://noisycuttej.shop/api

https://tirepublicerj.shop/api

https://framekgirus.shop/api

https://wholersorie.shop/api

https://abruptyopsn.shop/api

https://nearycrepso.shop/api

https://fancywaxxers.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x001900000002abb1-39.dat	net_reactor
behavioral1/memory/4836-41-0x0000000000120000-0x0000000000182000-memory.dmp	net_reactor

Executes dropped EXE 33 IoCs

pid	Process
4836	Setup.exe
2792	Setup.exe
1580	Setup.exe
236	Setup.exe
3256	Setup.exe
896	Setup.exe
3560	Setup.exe
1668	Setup.exe
4176	Setup.exe
2744	Setup.exe
1404	Setup.exe
1576	Setup.exe
3008	Setup.exe
3672	Setup.exe
4520	Setup.exe
2220	Setup.exe
4688	Setup.exe
1516	Setup.exe
3364	Setup.exe
4600	Setup.exe
1048	Setup.exe
3684	Setup.exe
3220	Setup.exe
1580	Setup.exe
572	Setup.exe
1856	Setup.exe
1012	Setup.exe
4820	Setup.exe
3708	Setup.exe
756	Setup.exe
4812	Setup.exe
2232	Setup.exe
4900	Setup.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 2792	4836	Setup.exe	86
PID 4836 set thread context of 236	4836	Setup.exe	88
PID 3256 set thread context of 896	3256	Setup.exe	94
PID 3256 set thread context of 3560	3256	Setup.exe	95
PID 1668 set thread context of 4176	1668	Setup.exe	100
PID 1668 set thread context of 1404	1668	Setup.exe	102
PID 1576 set thread context of 3008	1576	Setup.exe	107
PID 1576 set thread context of 3672	1576	Setup.exe	108
PID 4520 set thread context of 2220	4520	Setup.exe	113
PID 4520 set thread context of 4688	4520	Setup.exe	114
PID 1516 set thread context of 3364	1516	Setup.exe	119
PID 1516 set thread context of 4600	1516	Setup.exe	120
PID 1048 set thread context of 3684	1048	Setup.exe	125
PID 1048 set thread context of 1856	1048	Setup.exe	129
PID 1012 set thread context of 3708	1012	Setup.exe	136
PID 1012 set thread context of 4900	1012	Setup.exe	140

Program crash 8 IoCs

pid	pid_target	Process	procid_target
3440	4836	WerFault.exe	82
1188	3256	WerFault.exe	92
4088	1668	WerFault.exe	98
3576	1576	WerFault.exe	105
3528	4520	WerFault.exe	111
3732	1516	WerFault.exe	117
2200	1048	WerFault.exe	123
2684	1012	WerFault.exe	133

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2772	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2396	taskmgr.exe
2772	vlc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeRestorePrivilege	2052	7zFM.exe
Token: 35	2052	7zFM.exe
Token: SeSecurityPrivilege	2052	7zFM.exe
Token: SeDebugPrivilege	2396	taskmgr.exe
Token: SeSystemProfilePrivilege	2396	taskmgr.exe
Token: SeCreateGlobalPrivilege	2396	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2052	7zFM.exe
2052	7zFM.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe
2396	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2772	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 2792	4836	Setup.exe	86
PID 4836 wrote to memory of 1580	4836	Setup.exe	87
PID 4836 wrote to memory of 1580	4836	Setup.exe	87
PID 4836 wrote to memory of 1580	4836	Setup.exe	87
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 4836 wrote to memory of 236	4836	Setup.exe	88
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 896	3256	Setup.exe	94
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 3256 wrote to memory of 3560	3256	Setup.exe	95
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 4176	1668	Setup.exe	100
PID 1668 wrote to memory of 2744	1668	Setup.exe	101
PID 1668 wrote to memory of 2744	1668	Setup.exe	101
PID 1668 wrote to memory of 2744	1668	Setup.exe	101
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1668 wrote to memory of 1404	1668	Setup.exe	102
PID 1576 wrote to memory of 3008	1576	Setup.exe	107
PID 1576 wrote to memory of 3008	1576	Setup.exe	107
PID 1576 wrote to memory of 3008	1576	Setup.exe	107
PID 1576 wrote to memory of 3008	1576	Setup.exe	107

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Setupv2.5.1.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2052

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2396

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4484

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:236
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 988
  2⤵
  - Program crash
  PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
1⤵
PID:4516

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:896
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3256 -s 984
  2⤵
  - Program crash
  PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3256 -ip 3256
1⤵
PID:2172

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4176
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 980
  2⤵
  - Program crash
  PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1668 -ip 1668
1⤵
PID:3212

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3008
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1576 -s 1004
  2⤵
  - Program crash
  PID:3576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1576 -ip 1576
1⤵
PID:3384

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4520
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4520 -s 1004
  2⤵
  - Program crash
  PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4520 -ip 4520
1⤵
PID:1496

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1516
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3364
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4600
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 992
  2⤵
  - Program crash
  PID:3732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 1516 -ip 1516
1⤵
PID:2268

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1048
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3684
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:3220
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:1580
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:572
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1048 -s 1020
  2⤵
  - Program crash
  PID:2200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1048 -ip 1048
1⤵
PID:3620

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\JoinUnlock.mp2v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2772

C:\Users\Admin\Desktop\Setup\Setup.exe
"C:\Users\Admin\Desktop\Setup\Setup.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1012
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3708
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:4812
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  PID:2232
- C:\Users\Admin\Desktop\Setup\Setup.exe
  "C:\Users\Admin\Desktop\Setup\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 1028
  2⤵
  - Program crash
  PID:2684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1012 -ip 1012
1⤵
PID:792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
84B

MD5
b2dccd2aca78c37df5b8f1199caf72d1

SHA1
e6bdc6ed2193ab910022df11f02f7c787137b353

SHA256
c9b1fc69c1eae0e5ef2c388a454eb71c20977b2051e99c78a278ed090ab86b41

SHA512
15c4ae95dc509ba74d71185e9a8e054f2572ce2ac84a9c2b5cef3f4f2567c0c15bccccc0fd4faadbcddca370b80cb3e5a932b007e1fef530709a6485be66163a

Download Submit
C:\Users\Admin\Desktop\Setup\Setup.exe

Filesize
359KB

MD5
17d02595a638c89749b2d8708e5a4cbf

SHA1
fbd95dff2f70c9ce2d6a4f97e035caf3401359b5

SHA256
3bc2ca18afed111109f54238d9515005e8c7c96397f17fd4759bf75c9bbe9825

SHA512
5ba7e5f113da0c4220ff85769ace56a3d5b61d5fce8cf929b1003bbef9b107de184467d4c7042596c4ccbde8725d44240ba0083b929c78aecc954f07b5393e95

Download Submit
memory/2396-28-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-32-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-38-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-37-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-36-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-35-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-33-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-26-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-27-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2396-34-0x000001293A520000-0x000001293A521000-memory.dmp

Filesize
4KB

Download
memory/2772-133-0x00007FFA62680000-0x00007FFA62936000-memory.dmp

Filesize
2.7MB

Download
memory/2772-132-0x00007FFA74F50000-0x00007FFA74F84000-memory.dmp

Filesize
208KB

Download
memory/2772-131-0x00007FF6027E0000-0x00007FF6028D8000-memory.dmp

Filesize
992KB

Download
memory/2772-134-0x00000112BFA60000-0x00000112C0B10000-memory.dmp

Filesize
16.7MB

Download
memory/2772-135-0x00007FFA5FDB0000-0x00007FFA5FEBE000-memory.dmp

Filesize
1.1MB

Download
memory/2792-44-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2792-49-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4836-42-0x0000000004FA0000-0x0000000005546000-memory.dmp

Filesize
5.6MB

Download
memory/4836-41-0x0000000000120000-0x0000000000182000-memory.dmp

Filesize
392KB

Download