
KMSpico.exe

Status: finished
Submission Time: 2025-03-29 15:18:19 +01:00
Malicious
Phishing
Trojan
Spyware
Evader
LummaC Stealer

Tags

  • exe
  • LummaStealer

Details

  • Analysis ID:
    1651760
  • API (Web) ID:
    1651760
  • Analysis Started:
    2025-03-29 15:18:20 +01:00
  • Analysis Finished:
    2025-03-29 15:44:11 +01:00
  • MD5:
    01b51dc27ee7f476b9561fb3fcd18f98
  • SHA1:
    dca45f68682744f9351b9aa7f52b0d2e3ef86291
  • SHA256:
    c1a95951ffd4819c33fb91ee4d7e189e8b9607fa75ae607f72b55d5b0172a7ce
  • Technologies:
    Joe Sandbox

Engine Detection Info

  • Detection: malicious
    Score: 62
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
  • Detection: malicious
    Score: 64
    System: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
    Run Condition: Run with higher sleep bypass

Third Party Analysis Engines

  • Detection: malicious
    Score: 13/70
  • Detection: malicious
    Score: 29/38
  • Detection: malicious

IPs

IP             Country         Detection
104.21.84.93   United States
8.8.8.8        United States
104.22.69.199  United States

Domains

Name                     IP             Detection
metalrom.digital         104.21.84.93
64.89.4.0.in-addr.arpa   0.0.0.0
pastebin.com             104.22.69.199

URLs


Dropped files

Name | File Type
C:\Program Files\KMSpico\unins000.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Windows\system32\Vestris.ResourceLib.dll (copy) | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Windows\System32\is-BGN3T.tmp | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Windows\System32\is-3LNVL.tmp | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\unins000.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\is-VHGVM.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\is-5TMDU.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\data\is-8D6M6.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\data\KMSpico.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Roaming\MyApp\core.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\is-J2TUV.tmp\_isetup\_shfoldr.dll | PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
C:\Users\user\AppData\Local\Temp\is-J2TUV.tmp\_isetup\_setup64.tmp | PE32+ executable (console) x86-64, for MS Windows
C:\Users\user\AppData\Local\Temp\is-I1LEG.tmp\KMSpico.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Users\user\AppData\Local\Temp\is-567AR.tmp\_isetup\_setup64.tmp | PE32+ executable (console) x86-64, for MS Windows
C:\Users\user\AppData\Local\Temp\is-0MTT1.tmp\KMSpico.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Program Files\KMSpico\AutoPico.exe (copy) | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\is-VR1NR.tmp | PE32 executable (GUI) Intel 80386, for MS Windows
C:\Program Files\KMSpico\is-S2P36.tmp | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\is-R28GD.tmp | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\is-QBQ3O.tmp | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\is-CC1MD.tmp | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\is-8D0B1.tmp | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
C:\Program Files\KMSpico\is-0JLOG.tmp | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\driver\tap-windows-9.21.0.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
C:\Program Files\KMSpico\driver\is-RKCNM.tmp | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
C:\Program Files\KMSpico\Vestris.ResourceLib.dll (copy) | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\UninsHs.exe (copy) | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
C:\Program Files\KMSpico\Service_KMS.exe (copy) | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\KMSELDI.exe (copy) | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
C:\Program Files\KMSpico\DevComponents.DotNetBar2.dll (copy) | PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows