lumma | 0d1f8012e230a264ca5001a6273912c9e143a06fa045022a35bfe258fca9b77f

Analysis

max time kernel
90s
max time network
98s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
08-01-2025 00:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp-Spoofer-main.zip
Size

1.4MB
MD5

1e413e83af456d76749d0996bd9c69a7
SHA1

4a914947bfd3384ef7209dd68f27b80625d25faa
SHA256

0d1f8012e230a264ca5001a6273912c9e143a06fa045022a35bfe258fca9b77f
SHA512

a0f9b6e4a044d2b52b78db772395d8a86b15f29ddc75a302c5e34472d9f7bbdfff155a407fb2c4e3bdaa6422181706ac9ea1ce4a559f7c7a09df44bb5bb90127
SSDEEP

24576:BbUGpuVhxFetCJgDvdGZ8+rrEStGxqXfl+yR9epE2I0gxiO521UcgazBGqZP:BbvuPx4tCJgDvEZ8grIxOfQjB22LvZP

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://sordid-snaked.cyou/api

https://awake-weaves.cyou/api

https://wrathful-jammy.cyou/api

https://debonairnukk.xyz/api

https://diffuculttan.xyz/api

https://effecterectz.xyz/api

https://deafeninggeh.biz/api

https://immureprech.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 52 IoCs

pid	Process
2224	TempSpoofer.exe
752	TempSpoofer.exe
1868	TempSpoofer.exe
2416	TempSpoofer.exe
5084	TempSpoofer.exe
2264	TempSpoofer.exe
1228	TempSpoofer.exe
1200	TempSpoofer.exe
3028	TempSpoofer.exe
436	TempSpoofer.exe
4508	TempSpoofer.exe
1104	TempSpoofer.exe
4904	TempSpoofer.exe
4540	TempSpoofer.exe
4080	TempSpoofer.exe
2968	TempSpoofer.exe
1288	TempSpoofer.exe
1168	TempSpoofer.exe
2772	TempSpoofer.exe
1420	TempSpoofer.exe
4812	TempSpoofer.exe
4616	TempSpoofer.exe
252	TempSpoofer.exe
4940	TempSpoofer.exe
2592	TempSpoofer.exe
4092	TempSpoofer.exe
4528	TempSpoofer.exe
4676	TempSpoofer.exe
5044	TempSpoofer.exe
2836	TempSpoofer.exe
3452	TempSpoofer.exe
1312	TempSpoofer.exe
1824	TempSpoofer.exe
3728	TempSpoofer.exe
4016	TempSpoofer.exe
2400	TempSpoofer.exe
4800	TempSpoofer.exe
4820	TempSpoofer.exe
4524	TempSpoofer.exe
3768	TempSpoofer.exe
2740	TempSpoofer.exe
4784	TempSpoofer.exe
720	TempSpoofer.exe
2332	TempSpoofer.exe
252	TempSpoofer.exe
2228	TempSpoofer.exe
708	TempSpoofer.exe
660	TempSpoofer.exe
1456	TempSpoofer.exe
1364	TempSpoofer.exe
392	TempSpoofer.exe
1092	TempSpoofer.exe

Suspicious use of SetThreadContext 22 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 752	2224	TempSpoofer.exe	81
PID 1868 set thread context of 2416	1868	TempSpoofer.exe	84
PID 5084 set thread context of 2264	5084	TempSpoofer.exe	87
PID 1228 set thread context of 3028	1228	TempSpoofer.exe	91
PID 436 set thread context of 4508	436	TempSpoofer.exe	94
PID 1104 set thread context of 4904	1104	TempSpoofer.exe	97
PID 4540 set thread context of 2968	4540	TempSpoofer.exe	101
PID 1288 set thread context of 1168	1288	TempSpoofer.exe	104
PID 2772 set thread context of 4812	2772	TempSpoofer.exe	108
PID 4616 set thread context of 252	4616	TempSpoofer.exe	111
PID 4940 set thread context of 4092	4940	TempSpoofer.exe	115
PID 4528 set thread context of 4676	4528	TempSpoofer.exe	118
PID 5044 set thread context of 2836	5044	TempSpoofer.exe	123
PID 3452 set thread context of 1312	3452	TempSpoofer.exe	126
PID 1824 set thread context of 3728	1824	TempSpoofer.exe	130
PID 2400 set thread context of 4524	2400	TempSpoofer.exe	136
PID 3768 set thread context of 2740	3768	TempSpoofer.exe	139
PID 4784 set thread context of 720	4784	TempSpoofer.exe	142
PID 2332 set thread context of 252	2332	TempSpoofer.exe	145
PID 2228 set thread context of 708	2228	TempSpoofer.exe	151
PID 660 set thread context of 1456	660	TempSpoofer.exe	155
PID 1364 set thread context of 1092	1364	TempSpoofer.exe	159

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2324	2740	WerFault.exe	139

System Location Discovery: System Language Discovery 1 TTPs 38 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TempSpoofer.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
768	7zFM.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeRestorePrivilege	768	7zFM.exe
Token: 35	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe
Token: SeSecurityPrivilege	768	7zFM.exe

Suspicious use of FindShellTrayWindow 18 IoCs

pid	Process
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe
768	7zFM.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 2224	768	7zFM.exe	77
PID 768 wrote to memory of 2224	768	7zFM.exe	77
PID 768 wrote to memory of 2224	768	7zFM.exe	77
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 2224 wrote to memory of 752	2224	TempSpoofer.exe	81
PID 768 wrote to memory of 1868	768	7zFM.exe	82
PID 768 wrote to memory of 1868	768	7zFM.exe	82
PID 768 wrote to memory of 1868	768	7zFM.exe	82
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 1868 wrote to memory of 2416	1868	TempSpoofer.exe	84
PID 768 wrote to memory of 5084	768	7zFM.exe	85
PID 768 wrote to memory of 5084	768	7zFM.exe	85
PID 768 wrote to memory of 5084	768	7zFM.exe	85
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 5084 wrote to memory of 2264	5084	TempSpoofer.exe	87
PID 768 wrote to memory of 1228	768	7zFM.exe	88
PID 768 wrote to memory of 1228	768	7zFM.exe	88
PID 768 wrote to memory of 1228	768	7zFM.exe	88
PID 1228 wrote to memory of 1200	1228	TempSpoofer.exe	90
PID 1228 wrote to memory of 1200	1228	TempSpoofer.exe	90
PID 1228 wrote to memory of 1200	1228	TempSpoofer.exe	90
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 1228 wrote to memory of 3028	1228	TempSpoofer.exe	91
PID 768 wrote to memory of 436	768	7zFM.exe	92
PID 768 wrote to memory of 436	768	7zFM.exe	92
PID 768 wrote to memory of 436	768	7zFM.exe	92
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94
PID 436 wrote to memory of 4508	436	TempSpoofer.exe	94

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Temp-Spoofer-main.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:768
- C:\Users\Admin\AppData\Local\Temp\7zO003558F7\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003558F7\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\7zO003558F7\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003558F7\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:752
- C:\Users\Admin\AppData\Local\Temp\7zO003D9DD7\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003D9DD7\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Users\Admin\AppData\Local\Temp\7zO003D9DD7\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003D9DD7\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2416
- C:\Users\Admin\AppData\Local\Temp\7zO003A8828\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003A8828\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\7zO003A8828\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003A8828\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2264
- C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003CDD28\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3028
- C:\Users\Admin\AppData\Local\Temp\7zO00335328\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00335328\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\7zO00335328\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00335328\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4508
- C:\Users\Admin\AppData\Local\Temp\7zO003C6028\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003C6028\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1104
- - C:\Users\Admin\AppData\Local\Temp\7zO003C6028\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003C6028\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4904
- C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    PID:4080
- - C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0034D128\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2968
- C:\Users\Admin\AppData\Local\Temp\7zO003C8628\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003C8628\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1288
- - C:\Users\Admin\AppData\Local\Temp\7zO003C8628\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003C8628\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1168
- C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2772
- - C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00346428\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4812
- C:\Users\Admin\AppData\Local\Temp\7zO003BC528\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003BC528\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\7zO003BC528\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003BC528\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:252
- C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4940
- - C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00349A38\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4092
- C:\Users\Admin\AppData\Local\Temp\7zO0035E738\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO0035E738\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4528
- - C:\Users\Admin\AppData\Local\Temp\7zO0035E738\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO0035E738\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4676
- C:\Users\Admin\AppData\Local\Temp\7zO003C7978\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003C7978\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\7zO003C7978\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003C7978\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2836
- C:\Users\Admin\AppData\Local\Temp\7zO00359C78\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO00359C78\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\7zO00359C78\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO00359C78\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1312
- C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1824
- - C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    PID:4016
- - C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO003BD278\TempSpoofer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3120

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:2400
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4524

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:3768
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 1400
    3⤵
    - Program crash
    PID:2324

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4784
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:720

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2332
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:252

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2228
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2740 -ip 2740
1⤵
PID:1596

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:660
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1456

C:\Users\Admin\Desktop\TempSpoofer.exe
"C:\Users\Admin\Desktop\TempSpoofer.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1364
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  PID:392
- C:\Users\Admin\Desktop\TempSpoofer.exe
  "C:\Users\Admin\Desktop\TempSpoofer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO003558F7\TempSpoofer.exe

Filesize
393KB

MD5
3c4161be295e9e9d019ce68dae82d60a

SHA1
36447fc6418e209dff1bb8a5e576f4d46e3b3296

SHA256
0f6481dabf7871823f259eb95f3b85c37d1de8a7d1884ac77a97d887cf96f75d

SHA512
cfa2d491a5d28beb8eb908d5af61254ac4c4c88e74c53d5d00ae15ef0731df1654304199996545d1074814c0ea8a032957b28d70774f05347616428e667f70e6

Download Submit
memory/752-10-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/752-13-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/752-14-0x0000000000070000-0x00000000000D8000-memory.dmp

Filesize
416KB

Download
memory/1868-24-0x0000000000C2A000-0x0000000000C2B000-memory.dmp

Filesize
4KB

Download
memory/2224-9-0x000000000008A000-0x000000000008B000-memory.dmp

Filesize
4KB

Download
memory/2416-29-0x0000000000C10000-0x0000000000C78000-memory.dmp

Filesize
416KB

Download