poullight | 076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a

Analysis

max time kernel
151s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
02-05-2022 02:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
Size

618KB
MD5

55325b6ce1861b7982b9a3e38be7e8c1
SHA1

f936c13014e3346c0fa88aca690e0f29276cc991
SHA256

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a
SHA512

34d4c2a0498f2c430ff2e9049d2634b1fb49e4155b54749ba31c8dac16e7f1a87947485192d0f77ba5eae7c679040c1e047e8ea875b35b9c0142082844425593

Score

10^/10

poullight remcos host persistence rat spyware stealer suricata trojan

Malware Config

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

Artemlok134-50915.portmap.io:50915

Attributes

audio_folder
audio
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
5
copy_file
WindowsDefender.exe
copy_folder
WindowsDefender
delete_file
true
hide_file
true
hide_keylog_file
false
install_flag
true
install_path
%SystemDrive%
keylog_crypt
false
keylog_file
ban.dat
keylog_flag
false
keylog_folder
LolWtf
keylog_path
%AppData%
mouse_option
false
mutex
remcos_igwinxzuvw
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screens
screenshot_path
%AppData%
screenshot_time
1
startup_value
qTorrent
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

WindowsDefender.exeFktqqeiihqnki.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata: ET MALWARE Matrix Max Stealer Exfiltration Observed
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata: ET MALWARE Trojan Generic - POST To gate.php with no accept headers
suricata
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata: ET MALWARE Trojan Generic - POST To gate.php with no referer
suricata
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata: ET MALWARE Win32/X-Files Stealer Activity
suricata

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Fktqqeiihqnki.exe

Downloads MZ/PE file

Executes dropped EXE 11 IoCs

Processes:

Fwtsrp.exeFktqqeiihqnki.exeGuthxnefzrkt.exeCjvoamroksm.exeKgkdloedtfs.exeJzmpvemkft.exeIxount.exeWindowsDefender.exesvchost.exeServer.exeServer.exe

pid	process
2228	Fwtsrp.exe
3056	Fktqqeiihqnki.exe
4920	Guthxnefzrkt.exe
1696	Cjvoamroksm.exe
4436	Kgkdloedtfs.exe
4308	Jzmpvemkft.exe
216	Ixount.exe
2968	WindowsDefender.exe
2208	svchost.exe
4796	Server.exe
1264	Server.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exeFktqqeiihqnki.exeFwtsrp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Fktqqeiihqnki.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Fwtsrp.exe

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uTorrent.exe	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WindowsDefender.exeFktqqeiihqnki.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\	WindowsDefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	WindowsDefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	WindowsDefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Update = "\"C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe\" .."	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run\	Fktqqeiihqnki.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qTorrent = "\"C:\\WindowsDefender\\WindowsDefender.exe\""	Fktqqeiihqnki.exe

Modifies WinLogon 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Fktqqeiihqnki.exeWindowsDefender.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	Fktqqeiihqnki.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	WindowsDefender.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

WindowsDefender.exe

description pid process target process

PID 2968 set thread context of 4680 2968 WindowsDefender.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1472 4308 WerFault.exe Jzmpvemkft.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3604 schtasks.exe

description	pid	process	target process
PID 2968 set thread context of 4680	2968	WindowsDefender.exe	iexplore.exe

pid	pid_target	process	target process
1472	4308	WerFault.exe	Jzmpvemkft.exe

pid	process
3604	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

Cjvoamroksm.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Cjvoamroksm.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Cjvoamroksm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Cjvoamroksm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Cjvoamroksm.exe = "11001"	Cjvoamroksm.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Internet Explorer\IESettingSync	Cjvoamroksm.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

752 PING.EXE

pid	process
752	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Guthxnefzrkt.exeCjvoamroksm.exe

pid	process
4920	Guthxnefzrkt.exe
4920	Guthxnefzrkt.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

Fwtsrp.exesvchost.exe

pid process

2228 Fwtsrp.exe
2208 svchost.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

Jzmpvemkft.exeGuthxnefzrkt.exeCjvoamroksm.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	4308	Jzmpvemkft.exe
Token: SeDebugPrivilege	4920	Guthxnefzrkt.exe
Token: SeDebugPrivilege	1696	Cjvoamroksm.exe
Token: SeDebugPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe
Token: 33	2208	svchost.exe
Token: SeIncBasePriorityPrivilege	2208	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Cjvoamroksm.exe

pid process

1696 Cjvoamroksm.exe
1696 Cjvoamroksm.exe

pid	process
1696	Cjvoamroksm.exe
1696	Cjvoamroksm.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exeFktqqeiihqnki.execmd.exeWindowsDefender.exeFwtsrp.exesvchost.exe

description	pid	process	target process
PID 5068 wrote to memory of 2228	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 5068 wrote to memory of 2228	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 5068 wrote to memory of 2228	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fwtsrp.exe
PID 5068 wrote to memory of 3056	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 5068 wrote to memory of 3056	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 5068 wrote to memory of 3056	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Fktqqeiihqnki.exe
PID 5068 wrote to memory of 4920	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 5068 wrote to memory of 4920	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Guthxnefzrkt.exe
PID 5068 wrote to memory of 1696	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 5068 wrote to memory of 1696	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 5068 wrote to memory of 1696	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Cjvoamroksm.exe
PID 5068 wrote to memory of 4436	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 5068 wrote to memory of 4436	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 5068 wrote to memory of 4436	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Kgkdloedtfs.exe
PID 5068 wrote to memory of 4308	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 5068 wrote to memory of 4308	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Jzmpvemkft.exe
PID 5068 wrote to memory of 216	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 5068 wrote to memory of 216	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 5068 wrote to memory of 216	5068	076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe	Ixount.exe
PID 3056 wrote to memory of 492	3056	Fktqqeiihqnki.exe	cmd.exe
PID 3056 wrote to memory of 492	3056	Fktqqeiihqnki.exe	cmd.exe
PID 3056 wrote to memory of 492	3056	Fktqqeiihqnki.exe	cmd.exe
PID 492 wrote to memory of 752	492	cmd.exe	PING.EXE
PID 492 wrote to memory of 752	492	cmd.exe	PING.EXE
PID 492 wrote to memory of 752	492	cmd.exe	PING.EXE
PID 492 wrote to memory of 2968	492	cmd.exe	WindowsDefender.exe
PID 492 wrote to memory of 2968	492	cmd.exe	WindowsDefender.exe
PID 492 wrote to memory of 2968	492	cmd.exe	WindowsDefender.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2968 wrote to memory of 4680	2968	WindowsDefender.exe	iexplore.exe
PID 2228 wrote to memory of 2208	2228	Fwtsrp.exe	svchost.exe
PID 2228 wrote to memory of 2208	2228	Fwtsrp.exe	svchost.exe
PID 2228 wrote to memory of 2208	2228	Fwtsrp.exe	svchost.exe
PID 2208 wrote to memory of 3604	2208	svchost.exe	schtasks.exe
PID 2208 wrote to memory of 3604	2208	svchost.exe	schtasks.exe
PID 2208 wrote to memory of 3604	2208	svchost.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe
"C:\Users\Admin\AppData\Local\Temp\076943b4bde772d9f6c5239dae006557e6ea21a6c72307a98475a422b75b618a.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5068

C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
"C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Executes dropped EXE
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn Server /tr C:\Users\Admin\AppData\Local\Temp/Server.exe
4⤵
- Creates scheduled task(s)
PID:3604

C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
"C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe"
2⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of WriteProcessMemory
PID:3056

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\SysWOW64\PING.EXE
PING 127.0.0.1 -n 2
4⤵
- Runs ping.exe
PID:752

C:\WindowsDefender\WindowsDefender.exe
"C:\WindowsDefender\WindowsDefender.exe"
4⤵
- Modifies WinLogon for persistence
- Adds policy Run key to start application
- Executes dropped EXE
- Adds Run key to start application
- Modifies WinLogon
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2968

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
5⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
"C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
"C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
"C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe"
2⤵
- Executes dropped EXE
PID:4436

C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
"C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4308

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4308 -s 1748
3⤵
- Program crash
PID:1472

C:\Users\Admin\AppData\Local\Temp\Ixount.exe
"C:\Users\Admin\AppData\Local\Temp\Ixount.exe"
2⤵
- Executes dropped EXE
PID:216

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 4308 -ip 4308
1⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:4796

C:\Users\Admin\AppData\Local\Temp\Server.exe
C:\Users\Admin\AppData\Local\Temp/Server.exe
1⤵
- Executes dropped EXE
PID:1264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Winlogon Helper DLL

T1004

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Server.exe.log
Filesize
408B

MD5
42157868488d3ef98c00e3fa12f064be

SHA1
aad391be9ac3f6ce1ced49583690486a5f4186fb

SHA256
b9520170e84597186ba5cc223b9c2773f70d0cda088950bae2182e3b2237995c

SHA512
8f4a4bd63ceefc34158ea23f3a73dcc2848eeacdba8355d1251a96b4e0c18e2f3b0c4939be359f874f81fe4ee63283b8be43a70fe2dbaa2e64784333d10a2471

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
Filesize
215KB

MD5
d2dadfffd0d0b568488b545bbd20ffdb

SHA1
3f7857f14e092c16fe0b4f56adf7fc0de9837921

SHA256
c6b014fee2b8660cb29d8e9745551aa91a8a9da998a8fb55f1b7e25647a5f028

SHA512
afe1e42ea3749aa5663df9a84998c71c6eb668cbf1b775e7fb0c8374a1fbd23b31bae58995eba729d84594ededdffb79520c3ed547137468e52c433e7339baa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cjvoamroksm.exe
Filesize
215KB

MD5
d2dadfffd0d0b568488b545bbd20ffdb

SHA1
3f7857f14e092c16fe0b4f56adf7fc0de9837921

SHA256
c6b014fee2b8660cb29d8e9745551aa91a8a9da998a8fb55f1b7e25647a5f028

SHA512
afe1e42ea3749aa5663df9a84998c71c6eb668cbf1b775e7fb0c8374a1fbd23b31bae58995eba729d84594ededdffb79520c3ed547137468e52c433e7339baa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fktqqeiihqnki.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fwtsrp.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Guthxnefzrkt.exe
Filesize
191KB

MD5
af780d52692a18542d0c1c09018d66b6

SHA1
cb8e3c4a1a93dff4fe26380987a6fe961aa9569f

SHA256
b159ab627b17febc5a0f8af89b4761ceec83a4f0077170baff4f761bae21f223

SHA512
10b675a5c814a3e867e6aa3fac0b09e4448edd92feba1020d304d005aa8a5960a1df71ab424008106c342633d08ee9960a98ee70574272d159cb1a0a534e00e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ixount.exe
Filesize
55KB

MD5
f10b00d5198070d136773a13b44f0c09

SHA1
7d6cbfd28c597b93f9b02233b2e43e60f8beb458

SHA256
0ecff37f3e85044af87a6499794b921a39c1821e38a4d9c57c8f15c9b852644f

SHA512
9218198a12e36dad75e8b892306b8590318b16f7bf44d91be2c58c3500016fad285ddd2dede3c6707ba27cf5583feea7a5d32d83a5539d5536f7ce9a1593030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ixount.exe
Filesize
55KB

MD5
f10b00d5198070d136773a13b44f0c09

SHA1
7d6cbfd28c597b93f9b02233b2e43e60f8beb458

SHA256
0ecff37f3e85044af87a6499794b921a39c1821e38a4d9c57c8f15c9b852644f

SHA512
9218198a12e36dad75e8b892306b8590318b16f7bf44d91be2c58c3500016fad285ddd2dede3c6707ba27cf5583feea7a5d32d83a5539d5536f7ce9a1593030f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
Filesize
55KB

MD5
91c91eb2f1d210e72c9d30fcbeeca152

SHA1
f846979abaa50f9c9a4a4d2b3d960a4912239ea3

SHA256
29077cc2362b17677c8fcef23d17e6b95daad21211e9ba2db8bdc800eb5410cf

SHA512
3b9fcb014208dd0d3dcd88abe1871bf1792e00448181fe1619c7405741f0e5e59b8a9c1b24f81e299a80c157cfe129264cbc8c5e7a138524b0e187f6913291db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jzmpvemkft.exe
Filesize
55KB

MD5
91c91eb2f1d210e72c9d30fcbeeca152

SHA1
f846979abaa50f9c9a4a4d2b3d960a4912239ea3

SHA256
29077cc2362b17677c8fcef23d17e6b95daad21211e9ba2db8bdc800eb5410cf

SHA512
3b9fcb014208dd0d3dcd88abe1871bf1792e00448181fe1619c7405741f0e5e59b8a9c1b24f81e299a80c157cfe129264cbc8c5e7a138524b0e187f6913291db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
Filesize
73KB

MD5
16ece5edee983f9c1dac0044c9d3895a

SHA1
c080e9b725a988983d43a1ec569c9c856bc686c8

SHA256
c497d5beab294032f654da11579dba76a22a61dd3600c4d37dcd2fa781712fae

SHA512
86f5696420db0ee854ce0aa9f9e2111e1bf225c0ae728321e4bc75f3ab2de490f626c27ff44ac4abc49cd19412a9c169865f5a9956e61d9258435f361a073026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kgkdloedtfs.exe
Filesize
73KB

MD5
16ece5edee983f9c1dac0044c9d3895a

SHA1
c080e9b725a988983d43a1ec569c9c856bc686c8

SHA256
c497d5beab294032f654da11579dba76a22a61dd3600c4d37dcd2fa781712fae

SHA512
86f5696420db0ee854ce0aa9f9e2111e1bf225c0ae728321e4bc75f3ab2de490f626c27ff44ac4abc49cd19412a9c169865f5a9956e61d9258435f361a073026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Server.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\install.bat
Filesize
148B

MD5
8e7ed4782339b5f44357e62549f7267e

SHA1
f261e2d4c1c5488f8b8dde8d9e3a78633f36beec

SHA256
b808b06d31c91af9996dbec4f8aecfdb6c5150799a30c93290288fdfcd9a2888

SHA512
2d382e2cef1175d0b28f123a5e1a242a0782e3f753928fd04e37355287aeedc849cc6f01c81c7a49962875b00049e5d012310a91a620df1852b88e1595f024a1

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
122KB

MD5
d4d44af2f29e3e9284226102b70745e5

SHA1
7ad0b04f40de71af3bf8e6c9244160e7ab96b3e4

SHA256
7874ce508fdda76edbb2dc3d967b28c1834346a6f0b54f7635ac8f4b364c1eff

SHA512
87c1ea2e548adb58c594aa31f7b98dd3abc99ea06ec258b243ef28856b2fa0f08fa59074c0595f9648d573a18577d55de412e0f5eb605976b6ce9c2b8cc7f00f

Download Submit
C:\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
C:\WindowsDefender\WindowsDefender.exe
Filesize
100KB

MD5
038d789b437e11a44c2f8ca4ca99344e

SHA1
9ee174df14ae4a3c545c6550ea2cdd707c9a9e1e

SHA256
e23cc8a659bb1a423956fc66f7160eabeb258dc45dc5f91c273898809e27857a

SHA512
a4a66833fd462f51b50f99e3c90aa0914d2cc09a126b3ac7bea3415d5c7c426cf68b1ed4bf073e2ff243bed040d0818d8d00f524967a6431b3d3b43c51475754

Download Submit
memory/216-161-0x00000000005A0000-0x00000000005B4000-memory.dmp

Filesize
80KB

Download
memory/216-155-0x0000000000000000-mapping.dmp

Download
memory/492-160-0x0000000000000000-mapping.dmp

Download
memory/752-166-0x0000000000000000-mapping.dmp

Download
memory/1264-185-0x000000006F730000-0x000000006FCE1000-memory.dmp

Filesize
5.7MB

Download
memory/1696-178-0x000000000B700000-0x000000000BEA6000-memory.dmp

Filesize
7.6MB

Download
memory/1696-147-0x0000000000260000-0x000000000029C000-memory.dmp

Filesize
240KB

Download
memory/1696-143-0x0000000000000000-mapping.dmp

Download
memory/2208-174-0x000000006F730000-0x000000006FCE1000-memory.dmp

Filesize
5.7MB

Download
memory/2208-171-0x0000000000000000-mapping.dmp

Download
memory/2228-134-0x0000000000000000-mapping.dmp

Download
memory/2228-163-0x000000006F730000-0x000000006FCE1000-memory.dmp

Filesize
5.7MB

Download
memory/2968-167-0x0000000000000000-mapping.dmp

Download
memory/3056-137-0x0000000000000000-mapping.dmp

Download
memory/3604-179-0x0000000000000000-mapping.dmp

Download
memory/4308-151-0x0000000000000000-mapping.dmp

Download
memory/4308-157-0x00000269E0E70000-0x00000269E0E84000-memory.dmp

Filesize
80KB

Download
memory/4308-162-0x00007FF8B9160000-0x00007FF8B9C21000-memory.dmp

Filesize
10.8MB

Download
memory/4436-148-0x0000000000000000-mapping.dmp

Download
memory/4436-164-0x00000000077C0000-0x0000000007826000-memory.dmp

Filesize
408KB

Download
memory/4436-152-0x0000000000940000-0x0000000000958000-memory.dmp

Filesize
96KB

Download
memory/4796-182-0x000000006F730000-0x000000006FCE1000-memory.dmp

Filesize
5.7MB

Download
memory/4920-170-0x00000242FB600000-0x00000242FB60A000-memory.dmp

Filesize
40KB

Download
memory/4920-176-0x00000242FCAE0000-0x00000242FD008000-memory.dmp

Filesize
5.2MB

Download
memory/4920-177-0x00000242FB670000-0x00000242FB682000-memory.dmp

Filesize
72KB

Download
memory/4920-175-0x00000242FC3E0000-0x00000242FC5A2000-memory.dmp

Filesize
1.8MB

Download
memory/4920-140-0x0000000000000000-mapping.dmp

Download
memory/4920-144-0x00000242F82C0000-0x00000242F82F6000-memory.dmp

Filesize
216KB

Download
memory/4920-156-0x00007FF8B9160000-0x00007FF8B9C21000-memory.dmp

Filesize
10.8MB

Download
memory/5068-133-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/5068-132-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download
memory/5068-131-0x0000000004960000-0x0000000004F04000-memory.dmp

Filesize
5.6MB

Download
memory/5068-130-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download