lumma | 12604e1184d3c656d4c8307cd73e79b808d37a09d08710bccb6f7e9da872e77b

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
06/03/2025, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8feef4a4753bf33560a69d2020deb6f7.exe
Size

133KB
MD5

8feef4a4753bf33560a69d2020deb6f7
SHA1

8cfed3ec74c914f97c4de4ae60ff3e0cde3a85e1
SHA256

12604e1184d3c656d4c8307cd73e79b808d37a09d08710bccb6f7e9da872e77b
SHA512

c48d98b134b4052f7bba7110c3ca4e32471a02f63198bf85e791dda93252a942507df2c86472a824a50fbce3c3767496207e6d0c05e90c1fe704c6c6e38eb77b
SSDEEP

3072:/23Z9FK2ku2HuAQTTl7MuRXv+ClEtVoHpHVGqozKuQgxbEEHK:Gku2HuAQTTRMoXvDHVBKO

Score

10^/10

lumma discovery execution spyware stealer

Malware Config

Extracted

Family

lumma

https://farmandfamilylife.shop/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 3048 created 3400	3048	8feef4a4753bf33560a69d2020deb6f7.exe	56

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-22591836-1183090055-1220658180-1000\Control Panel\International\Geo\Nation	GU8VJMQU59TONDKNZ0LRQ0CA.tmp

Executes dropped EXE 4 IoCs

pid	Process
2636	GU8VJMQU59TONDKNZ0LRQ0CA.exe
5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1736	GU8VJMQU59TONDKNZ0LRQ0CA.exe
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp

Loads dropped DLL 7 IoCs

pid	Process
5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1824	regsvr32.exe
2400	regsvr32.exe
2524	regsvr32.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
3044	powershell.exe
3488	powershell.exe
3532	powershell.exe
1772	powershell.exe
5108	powershell.exe
2004	powershell.exe
4648	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3048 set thread context of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1792	1824	WerFault.exe	101
4876	2400	WerFault.exe	126

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8feef4a4753bf33560a69d2020deb6f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8feef4a4753bf33560a69d2020deb6f7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GU8VJMQU59TONDKNZ0LRQ0CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GU8VJMQU59TONDKNZ0LRQ0CA.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3048	8feef4a4753bf33560a69d2020deb6f7.exe
3048	8feef4a4753bf33560a69d2020deb6f7.exe
3048	8feef4a4753bf33560a69d2020deb6f7.exe
4560	8feef4a4753bf33560a69d2020deb6f7.exe
4560	8feef4a4753bf33560a69d2020deb6f7.exe
4560	8feef4a4753bf33560a69d2020deb6f7.exe
4560	8feef4a4753bf33560a69d2020deb6f7.exe
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp
1824	regsvr32.exe
1824	regsvr32.exe
3044	powershell.exe
3044	powershell.exe
4648	PowerShell.exe
4648	PowerShell.exe
1824	regsvr32.exe
1824	regsvr32.exe
3488	powershell.exe
3488	powershell.exe
2400	regsvr32.exe
2400	regsvr32.exe
3532	powershell.exe
3532	powershell.exe
2400	regsvr32.exe
2400	regsvr32.exe
1772	powershell.exe
1772	powershell.exe
2524	regsvr32.exe
2524	regsvr32.exe
5108	powershell.exe
5108	powershell.exe
2524	regsvr32.exe
2524	regsvr32.exe
2004	powershell.exe
2004	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	8feef4a4753bf33560a69d2020deb6f7.exe
Token: SeDebugPrivilege	3048	8feef4a4753bf33560a69d2020deb6f7.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeIncreaseQuotaPrivilege	3044	powershell.exe
Token: SeSecurityPrivilege	3044	powershell.exe
Token: SeTakeOwnershipPrivilege	3044	powershell.exe
Token: SeLoadDriverPrivilege	3044	powershell.exe
Token: SeSystemProfilePrivilege	3044	powershell.exe
Token: SeSystemtimePrivilege	3044	powershell.exe
Token: SeProfSingleProcessPrivilege	3044	powershell.exe
Token: SeIncBasePriorityPrivilege	3044	powershell.exe
Token: SeCreatePagefilePrivilege	3044	powershell.exe
Token: SeBackupPrivilege	3044	powershell.exe
Token: SeRestorePrivilege	3044	powershell.exe
Token: SeShutdownPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeSystemEnvironmentPrivilege	3044	powershell.exe
Token: SeRemoteShutdownPrivilege	3044	powershell.exe
Token: SeUndockPrivilege	3044	powershell.exe
Token: SeManageVolumePrivilege	3044	powershell.exe
Token: 33	3044	powershell.exe
Token: 34	3044	powershell.exe
Token: 35	3044	powershell.exe
Token: 36	3044	powershell.exe
Token: SeDebugPrivilege	4648	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4648	PowerShell.exe
Token: SeSecurityPrivilege	4648	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4648	PowerShell.exe
Token: SeLoadDriverPrivilege	4648	PowerShell.exe
Token: SeSystemProfilePrivilege	4648	PowerShell.exe
Token: SeSystemtimePrivilege	4648	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4648	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4648	PowerShell.exe
Token: SeCreatePagefilePrivilege	4648	PowerShell.exe
Token: SeBackupPrivilege	4648	PowerShell.exe
Token: SeRestorePrivilege	4648	PowerShell.exe
Token: SeShutdownPrivilege	4648	PowerShell.exe
Token: SeDebugPrivilege	4648	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4648	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4648	PowerShell.exe
Token: SeUndockPrivilege	4648	PowerShell.exe
Token: SeManageVolumePrivilege	4648	PowerShell.exe
Token: 33	4648	PowerShell.exe
Token: 34	4648	PowerShell.exe
Token: 35	4648	PowerShell.exe
Token: 36	4648	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	4648	PowerShell.exe
Token: SeSecurityPrivilege	4648	PowerShell.exe
Token: SeTakeOwnershipPrivilege	4648	PowerShell.exe
Token: SeLoadDriverPrivilege	4648	PowerShell.exe
Token: SeSystemProfilePrivilege	4648	PowerShell.exe
Token: SeSystemtimePrivilege	4648	PowerShell.exe
Token: SeProfSingleProcessPrivilege	4648	PowerShell.exe
Token: SeIncBasePriorityPrivilege	4648	PowerShell.exe
Token: SeCreatePagefilePrivilege	4648	PowerShell.exe
Token: SeBackupPrivilege	4648	PowerShell.exe
Token: SeRestorePrivilege	4648	PowerShell.exe
Token: SeShutdownPrivilege	4648	PowerShell.exe
Token: SeDebugPrivilege	4648	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	4648	PowerShell.exe
Token: SeRemoteShutdownPrivilege	4648	PowerShell.exe
Token: SeUndockPrivilege	4648	PowerShell.exe
Token: SeManageVolumePrivilege	4648	PowerShell.exe
Token: 33	4648	PowerShell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 3048 wrote to memory of 4560	3048	8feef4a4753bf33560a69d2020deb6f7.exe	93
PID 4560 wrote to memory of 2636	4560	8feef4a4753bf33560a69d2020deb6f7.exe	97
PID 4560 wrote to memory of 2636	4560	8feef4a4753bf33560a69d2020deb6f7.exe	97
PID 4560 wrote to memory of 2636	4560	8feef4a4753bf33560a69d2020deb6f7.exe	97
PID 2636 wrote to memory of 5108	2636	GU8VJMQU59TONDKNZ0LRQ0CA.exe	98
PID 2636 wrote to memory of 5108	2636	GU8VJMQU59TONDKNZ0LRQ0CA.exe	98
PID 2636 wrote to memory of 5108	2636	GU8VJMQU59TONDKNZ0LRQ0CA.exe	98
PID 5108 wrote to memory of 1736	5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	99
PID 5108 wrote to memory of 1736	5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	99
PID 5108 wrote to memory of 1736	5108	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	99
PID 1736 wrote to memory of 1764	1736	GU8VJMQU59TONDKNZ0LRQ0CA.exe	100
PID 1736 wrote to memory of 1764	1736	GU8VJMQU59TONDKNZ0LRQ0CA.exe	100
PID 1736 wrote to memory of 1764	1736	GU8VJMQU59TONDKNZ0LRQ0CA.exe	100
PID 1764 wrote to memory of 1824	1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	101
PID 1764 wrote to memory of 1824	1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	101
PID 1764 wrote to memory of 1824	1764	GU8VJMQU59TONDKNZ0LRQ0CA.tmp	101
PID 1824 wrote to memory of 3044	1824	regsvr32.exe	102
PID 1824 wrote to memory of 3044	1824	regsvr32.exe	102
PID 1824 wrote to memory of 3044	1824	regsvr32.exe	102
PID 1824 wrote to memory of 4648	1824	regsvr32.exe	105
PID 1824 wrote to memory of 4648	1824	regsvr32.exe	105
PID 1824 wrote to memory of 4648	1824	regsvr32.exe	105
PID 1824 wrote to memory of 3488	1824	regsvr32.exe	107
PID 1824 wrote to memory of 3488	1824	regsvr32.exe	107
PID 1824 wrote to memory of 3488	1824	regsvr32.exe	107
PID 3152 wrote to memory of 2400	3152	regsvr32.EXE	126
PID 3152 wrote to memory of 2400	3152	regsvr32.EXE	126
PID 3152 wrote to memory of 2400	3152	regsvr32.EXE	126
PID 2400 wrote to memory of 3532	2400	regsvr32.exe	127
PID 2400 wrote to memory of 3532	2400	regsvr32.exe	127
PID 2400 wrote to memory of 3532	2400	regsvr32.exe	127
PID 2400 wrote to memory of 1772	2400	regsvr32.exe	129
PID 2400 wrote to memory of 1772	2400	regsvr32.exe	129
PID 2400 wrote to memory of 1772	2400	regsvr32.exe	129
PID 1432 wrote to memory of 2524	1432	regsvr32.EXE	134
PID 1432 wrote to memory of 2524	1432	regsvr32.EXE	134
PID 1432 wrote to memory of 2524	1432	regsvr32.EXE	134
PID 2524 wrote to memory of 5108	2524	regsvr32.exe	135
PID 2524 wrote to memory of 5108	2524	regsvr32.exe	135
PID 2524 wrote to memory of 5108	2524	regsvr32.exe	135
PID 2524 wrote to memory of 2004	2524	regsvr32.exe	137
PID 2524 wrote to memory of 2004	2524	regsvr32.exe	137
PID 2524 wrote to memory of 2004	2524	regsvr32.exe	137

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3400
- C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe
  "C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe
  "C:\Users\Admin\AppData\Local\Temp\8feef4a4753bf33560a69d2020deb6f7.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe
    "C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Users\Admin\AppData\Local\Temp\is-U2TR2.tmp\GU8VJMQU59TONDKNZ0LRQ0CA.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-U2TR2.tmp\GU8VJMQU59TONDKNZ0LRQ0CA.tmp" /SL5="$12002A,5868820,73216,C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe
        
        "C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1736
      - C:\Users\Admin\AppData\Local\Temp\is-K5EOM.tmp\GU8VJMQU59TONDKNZ0LRQ0CA.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-K5EOM.tmp\GU8VJMQU59TONDKNZ0LRQ0CA.tmp" /SL5="$402A4,5868820,73216,C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\8ws2_32_5.ocx"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:3488
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1824 -s 676
        8⤵
        Program crash
        
        PID:1792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1824 -ip 1824
1⤵
PID:3440

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3532
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1772
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 708
    3⤵
    - Program crash
    PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2400 -ip 2400
1⤵
PID:4924

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:5108
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
f34912ccc8309ef74533cfe48210880d

SHA1
669bf128b6d582163e7641cc0f3f4ba9a16ae035

SHA256
09b2ef09ceb41f78ce553368cbf49531665c88ec7f7965d9c0be9398200d57d0

SHA512
8107a0f7d52f278dcf11584834d5ca745370589b5a4ce28588413bca028a20916b440aee723a737cab90f7d984e7dc6a818d7b55c10935b796e140d000aa3713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
6c388e655ff8c0e89175e7f9f3183ed0

SHA1
47cbb189ed252ee8b60ec63d205d581f8d4f5413

SHA256
6b8951321e7a2c56f0a249ea2aee423f0c9f38f4433590d904fd035e2b6deb22

SHA512
5789c46429af983aba2408c12b50495543ca44f9d09f1c00d16f23e89e1c9fe0a56807ad1cc0349ecdb90912deeec95bde36b17d63a344a7b5b3ed4ae91b7236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
ff84350d614b53d19fc5c5ef8a6aaa16

SHA1
4daf19f821535d3a41617340df0cb7f24ae7ce30

SHA256
8116680783b17d63a208331634a1c2573e1e17992723bde59ca3112a92579e98

SHA512
92667dda08709a2dc7f900fde4eaeb1f30cfc7102e64871403e50323c6eacdee362af05c008392596cc8e681162b9d389f90d3557446c64f1d8d1c159a1bff21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
e7d28dcfebc803e86364fe0e2719781e

SHA1
61d10a2e297fb36b47ba2f76832371eb937ac5d6

SHA256
9e52bd0d2518b76782be9e0b32c30b8d5769bc8599800347955e51d10930137c

SHA512
b20f07928bebd7f0f322b7d6bdc113140871df9273136c6d66c4ec56878890ef7aa951f237f9b32ab1a43cfd413364fff111d9b06421c88775b70dd223853ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
ade2fb31a1ce64268de2187f15d97a08

SHA1
fb27ea75e2d9597cd525b82f45b73b80019b0c8a

SHA256
200c9e5105fff80a320c59fed7f8123ecc7f0e1f5d433b8647734dc49a730779

SHA512
d784bb1e61e34c54a4b441793f62bc1b9df9ee1cfa3ec52f2df931c2114d883e4e8b86fbd195d7cbedd1ef8afbdd5eba1eba257c7afaf4a0bec9318d4c995fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
4e7fa64591c45afbab475d1bf5a0d3b0

SHA1
2850de18732d160ccb6dde487d34d4f806e40dbd

SHA256
08acc681a79bb388c2d1d18900e58101e0d57e20f74617822bfdf60dea8a8d7f

SHA512
20e4e2d6dc2736845915ebae6a017b810d1d97557d28a2255ccfd51577aca28fb74e5ceb6776bf4023f61370a91e6ec8d68ddc7abf03c6a063089b573ca1a1b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\GU8VJMQU59TONDKNZ0LRQ0CA.exe

Filesize
5.8MB

MD5
16b7f1e45c98d237fe351a934f6759b3

SHA1
afe5cddacc2384f7498952f788a72074e9ad903f

SHA256
480696a157ec8af6be222acb12e24a375a1819ed739f703c5eec8a7fe3d2355f

SHA512
a82f862615cc309a58a4ffc329699cf6a2301d71406192d91dd840abd4c294dfe96a369f9019ff90b929474a1731dd7f49600241053987bcccf5bc9fd8c37ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jshzwwob.eak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F6N7G.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QRUAA.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-U2TR2.tmp\GU8VJMQU59TONDKNZ0LRQ0CA.tmp

Filesize
711KB

MD5
9917f679a0135245a5cc6b1aadcb3a6c

SHA1
7aab67a56fd3e10fd070e29d2998af2162c0a204

SHA256
a0090b3a687e7d0a6d6b6918bcbb798ebecb184cba8d3eb5fe4345ec9aba9243

SHA512
87194d9f3c97b48a297faef76e3a308de6b454d10a5b50adeb22336982ca5bd5ba3a1cacb39cfbaf78a3befbc37967eb89a7c84cfdd53054204647dffd5b35cd

Download Submit
C:\Users\Admin\AppData\Roaming\8ws2_32_5.ocx

Filesize
9.8MB

MD5
95d004a0e4013988f7347d50964c3eaa

SHA1
4cf7a8a7e3065a13291dfe726dbea2b332a56c2d

SHA256
52d7de7fa23d129da0dc1e2a2bef8e0b77fe3978402d256913ad67f098c124c2

SHA512
19a0d26fcb504b6b7bf8f0687c4e195d12551b05b48fc9e66013860ceda95563d27776977821b1c662dc1c96af0f3c284b66c2f5f2e26ce288b7914afcaecfde

Download Submit
memory/1772-1520-0x0000000005BD0000-0x0000000005F24000-memory.dmp

Filesize
3.3MB

Download
memory/1772-1531-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/2004-1565-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/2004-1576-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/2636-1354-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2636-1385-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/3044-1438-0x0000000005FD0000-0x0000000005FEE000-memory.dmp

Filesize
120KB

Download
memory/3044-1427-0x0000000006A40000-0x0000000006A72000-memory.dmp

Filesize
200KB

Download
memory/3044-1426-0x0000000006030000-0x000000000607C000-memory.dmp

Filesize
304KB

Download
memory/3044-1425-0x0000000005A60000-0x0000000005A7E000-memory.dmp

Filesize
120KB

Download
memory/3044-1424-0x0000000005590000-0x00000000058E4000-memory.dmp

Filesize
3.3MB

Download
memory/3044-1428-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/3044-1414-0x0000000004CE0000-0x0000000004D46000-memory.dmp

Filesize
408KB

Download
memory/3044-1412-0x0000000004BD0000-0x0000000004BF2000-memory.dmp

Filesize
136KB

Download
memory/3044-1413-0x0000000004C70000-0x0000000004CD6000-memory.dmp

Filesize
408KB

Download
memory/3044-1411-0x0000000004F60000-0x0000000005588000-memory.dmp

Filesize
6.2MB

Download
memory/3044-1410-0x0000000000CC0000-0x0000000000CF6000-memory.dmp

Filesize
216KB

Download
memory/3044-1439-0x0000000006A80000-0x0000000006B23000-memory.dmp

Filesize
652KB

Download
memory/3044-1440-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/3044-1441-0x0000000006BA0000-0x0000000006BBA000-memory.dmp

Filesize
104KB

Download
memory/3044-1442-0x0000000006E00000-0x0000000006E0A000-memory.dmp

Filesize
40KB

Download
memory/3044-1443-0x0000000007040000-0x00000000070D6000-memory.dmp

Filesize
600KB

Download
memory/3044-1444-0x0000000006FB0000-0x0000000006FC1000-memory.dmp

Filesize
68KB

Download
memory/3048-31-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-33-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-6-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-14-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-1328-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1329-0x0000000005ED0000-0x0000000005F5A000-memory.dmp

Filesize
552KB

Download
memory/3048-1330-0x0000000006090000-0x0000000006116000-memory.dmp

Filesize
536KB

Download
memory/3048-1331-0x0000000006130000-0x000000000617C000-memory.dmp

Filesize
304KB

Download
memory/3048-1332-0x00000000069F0000-0x0000000006A44000-memory.dmp

Filesize
336KB

Download
memory/3048-1333-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1336-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/3048-1340-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1338-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1345-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-1-0x0000000000690000-0x00000000006B8000-memory.dmp

Filesize
160KB

Download
memory/3048-1344-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-2-0x0000000074810000-0x0000000074FC0000-memory.dmp

Filesize
7.7MB

Download
memory/3048-7-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-9-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-45-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-3-0x0000000005AA0000-0x0000000005BD0000-memory.dmp

Filesize
1.2MB

Download
memory/3048-11-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-15-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-4-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/3048-17-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-19-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-21-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-23-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-25-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-27-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-0-0x000000007481E000-0x000000007481F000-memory.dmp

Filesize
4KB

Download
memory/3048-29-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-35-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-37-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-39-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-41-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-43-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-47-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-49-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-51-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-53-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-57-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-59-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-61-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-65-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-5-0x0000000005CE0000-0x0000000005D72000-memory.dmp

Filesize
584KB

Download
memory/3048-67-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-13-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-69-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-55-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3048-63-0x0000000005AA0000-0x0000000005BC9000-memory.dmp

Filesize
1.2MB

Download
memory/3488-1481-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/3532-1506-0x0000000005F90000-0x0000000005FDC000-memory.dmp

Filesize
304KB

Download
memory/3532-1507-0x000000006F7C0000-0x000000006F80C000-memory.dmp

Filesize
304KB

Download
memory/3532-1517-0x0000000006E10000-0x0000000006EB3000-memory.dmp

Filesize
652KB

Download
memory/3532-1518-0x0000000007180000-0x0000000007191000-memory.dmp

Filesize
68KB

Download
memory/3532-1504-0x00000000054B0000-0x0000000005804000-memory.dmp

Filesize
3.3MB

Download
memory/4560-1347-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4560-1346-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/4648-1459-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/4648-1448-0x0000000005F40000-0x0000000006294000-memory.dmp

Filesize
3.3MB

Download
memory/5108-1554-0x000000006F850000-0x000000006F89C000-memory.dmp

Filesize
304KB

Download
memory/5108-1362-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/5108-1380-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download