lumma | deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe

Analysis

max time kernel
148s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/01/2025, 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
Size

8.4MB
MD5

ca48226df272a89b2d2622eb0ea90e2a
SHA1

55a245e4d74b6085fbb500474195e01bea262f68
SHA256

deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe
SHA512

e2130d93b671834dfe3b306fc1603af2fff84163991fb4490b17113585528b56b2f310cd37974aaf650567d6275f17e248286561e0b1e5047eb9060e7edfee73
SSDEEP

196608:lHg2bkWJWRVifVqP1kyyM5r9a06OgR7JzvygVgCKaUoK6kgSvxQv:lHg7WQ19kFyg06R1y4gCKI52xQv

Score

10^/10

lumma discovery stealer

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Executes dropped EXE 4 IoCs

pid	Process
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
2808	KMSpico.exe
2560	KMSpico.tmp
2504	core.exe

Loads dropped DLL 14 IoCs

pid	Process
2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
2808	KMSpico.exe
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
2560	KMSpico.tmp
2560	KMSpico.tmp
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe
1872	WerFault.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	2504	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KMSpico.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	core.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Modifies system certificate store 2 TTPs 6 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	core.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	core.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	core.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	core.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
2504	core.exe
2504	core.exe
2504	core.exe
2504	core.exe
2504	core.exe
2504	core.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2816 wrote to memory of 2140	2816	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe	30
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2140 wrote to memory of 2808	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	31
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2808 wrote to memory of 2560	2808	KMSpico.exe	32
PID 2140 wrote to memory of 2504	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	33
PID 2140 wrote to memory of 2504	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	33
PID 2140 wrote to memory of 2504	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	33
PID 2140 wrote to memory of 2504	2140	deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp	33
PID 2504 wrote to memory of 1872	2504	core.exe	34
PID 2504 wrote to memory of 1872	2504	core.exe	34
PID 2504 wrote to memory of 1872	2504	core.exe	34
PID 2504 wrote to memory of 1872	2504	core.exe	34

C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe
"C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\is-F9VTM.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F9VTM.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp" /SL5="$5014E,7821354,844800,C:\Users\Admin\AppData\Local\Temp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe
    "C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Users\Admin\AppData\Local\Temp\is-JD2K0.tmp\KMSpico.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JD2K0.tmp\KMSpico.tmp" /SL5="$5018C,2952592,69120,C:\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2560
- - C:\Users\Admin\AppData\Roaming\MyApp\core.exe
    "C:\Users\Admin\AppData\Roaming\MyApp\core.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 708
      4⤵
      Loads dropped DLL
      Program crash
      PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\444685f5

Filesize
2.0MB

MD5
799c99a1ed471b81064984749bafce23

SHA1
1f60d72e2e8a37d2816dbf2523297fbde4f020f2

SHA256
3658ac12409eef521153e90e83ec835413ae98f7105f516a101eed47399bb13a

SHA512
18345742524b9ef901be2f58410ec3781ed6bf32b7833b0d1dcc8443c938403ce9a6637c41262c43e70680e035100d0d882ae8699739da4635525ef52b915734

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A35.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
\Users\Admin\AppData\Local\Temp\is-F5UQV.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-F9VTM.tmp\deb84edb1b68cf868beb0e84e40d06cc101ee1cde8ca03e112f710db6ca07bfe.tmp

Filesize
3.4MB

MD5
e4c43138ccb8240276872fd1aec369be

SHA1
cb867b89b8bf19a405a5eee8aa7fe07964f1c16c

SHA256
46be5e3f28a5e4ed63d66b901d927c25944b4da36effea9c97fb05994360edf5

SHA512
f25ad4d0442d6bbd3bdf3320db0869404faba2cab2425bcb265721889b31a67c97ae5b464e09932f49addd4d2575a5e0672c06b9ab9bdecbdd2fe9c766c2ec91

Download Submit
\Users\Admin\AppData\Local\Temp\is-JD2K0.tmp\KMSpico.tmp

Filesize
703KB

MD5
1778c1f66ff205875a6435a33229ab3c

SHA1
5b6189159b16c6f85feed66834af3e06c0277a19

SHA256
95c06acac4fe4598840e5556f9613d43aa1039c52dac64536f59e45a70f79da6

SHA512
8844de1296ce707e3c5c71823f5118f8f2e50287ace3a2ee1ec0b69df0ec48ebcf5b755db669d2cd869d345fb06a9c07b36e98eda8c32a9b26b8fe22bdc105a0

Download Submit
\Users\Admin\AppData\Roaming\MyApp\data\KMSpico.exe

Filesize
3.1MB

MD5
a02164371a50c5ff9fa2870ef6e8cfa3

SHA1
060614723f8375ecaad8b249ff07e3be082d7f25

SHA256
64c731adbe1b96cb5765203b1e215093dcf268d020b299445884a4ae62ed2d3a

SHA512
6c6903f3a3092fd3d63c373189f2c06e12de032ee4fd6b80a15f58eaeb2079f3ae8a8bcdac85a358b1f9070b192b1c8260f9aa127d009b5afce475f966e91326

Download Submit
memory/2140-45-0x0000000000CE0000-0x000000000104B000-memory.dmp

Filesize
3.4MB

Download
memory/2140-8-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2504-100-0x00000000722E0000-0x0000000073342000-memory.dmp

Filesize
16.4MB

Download
memory/2504-99-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2504-47-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2504-101-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2504-54-0x0000000073B70000-0x0000000073CE4000-memory.dmp

Filesize
1.5MB

Download
memory/2504-55-0x0000000076D60000-0x0000000076F09000-memory.dmp

Filesize
1.7MB

Download
memory/2504-56-0x00000000722E0000-0x0000000073342000-memory.dmp

Filesize
16.4MB

Download
memory/2504-106-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2504-89-0x0000000000400000-0x0000000000B92000-memory.dmp

Filesize
7.6MB

Download
memory/2560-109-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-117-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-149-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-145-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-141-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-105-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-137-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-133-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-113-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-98-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-121-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-125-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2560-129-0x0000000000400000-0x00000000004C0000-memory.dmp

Filesize
768KB

Download
memory/2808-23-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2808-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2816-0-0x00000000003E0000-0x00000000004BD000-memory.dmp

Filesize
884KB

Download
memory/2816-2-0x00000000003E1000-0x0000000000489000-memory.dmp

Filesize
672KB

Download
memory/2816-46-0x00000000003E0000-0x00000000004BD000-memory.dmp

Filesize
884KB

Download