poullight | 7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a

General

Target

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
Size

1.7MB
MD5

912bf8fffa55f914faf6e91d91ea2906
SHA1

7339f849ad085281d3c9cb02880b3d20095818e4
SHA256

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a
SHA512

1f869fb1230f0b1ed201e1fb923143418dc840372d1e298645042efd814acc3b19b21ec431438b5e51ccb7647cff6617f335bd77cbfbd66479ba518123d1d27c

Score

10^/10

poullight evasion stealer trojan upx

Malware Config

Signatures

Poullight
Poullight is an information stealer first seen in March 2020.
trojan stealer poullight

Poullight Stealer Payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe	family_poullight
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe	family_poullight
behavioral2/memory/4140-140-0x00000260FEEE0000-0x00000260FEEFE000-memory.dmp	family_poullight

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
Executes dropped EXE 2 IoCs

Processes:

build (1).exeezesp-18-03.exe

pid process

4140 build (1).exe
4580 ezesp-18-03.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

pid	process
4140	build (1).exe
4580	ezesp-18-03.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe	upx
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe	upx
behavioral2/memory/4580-146-0x0000000000470000-0x000000000047D000-memory.dmp	upx

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Wine	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
behavioral2/memory/4992-132-0x0000000001000000-0x0000000001469000-memory.dmp	autoit_exe
behavioral2/memory/4992-133-0x0000000001000000-0x0000000001469000-memory.dmp	autoit_exe
behavioral2/memory/4992-141-0x0000000001000000-0x0000000001469000-memory.dmp	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe

pid process

4992 7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4036 4140 WerFault.exe build (1).exe

pid	pid_target	process	target process
4036	4140	WerFault.exe	build (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exebuild (1).exeezesp-18-03.exe

pid	process
4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
4140	build (1).exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe
4580	ezesp-18-03.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

5016 msedge.exe
5016 msedge.exe
5016 msedge.exe
5016 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

build (1).exe

description pid process

Token: SeDebugPrivilege 4140 build (1).exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

msedge.exe

pid process

5016 msedge.exe
5016 msedge.exe
5016 msedge.exe

pid	process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4140	build (1).exe

pid	process
5016	msedge.exe
5016	msedge.exe
5016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exeezesp-18-03.exemsedge.exe

description	pid	process	target process
PID 4992 wrote to memory of 4140	4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe	build (1).exe
PID 4992 wrote to memory of 4140	4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe	build (1).exe
PID 4992 wrote to memory of 4580	4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe	ezesp-18-03.exe
PID 4992 wrote to memory of 4580	4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe	ezesp-18-03.exe
PID 4992 wrote to memory of 4580	4992	7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe	ezesp-18-03.exe
PID 4580 wrote to memory of 4296	4580	ezesp-18-03.exe	cmd.exe
PID 4580 wrote to memory of 4296	4580	ezesp-18-03.exe	cmd.exe
PID 4580 wrote to memory of 4296	4580	ezesp-18-03.exe	cmd.exe
PID 4580 wrote to memory of 5016	4580	ezesp-18-03.exe	msedge.exe
PID 4580 wrote to memory of 5016	4580	ezesp-18-03.exe	msedge.exe
PID 5016 wrote to memory of 4352	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4352	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 4888	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1088	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1088	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe
PID 5016 wrote to memory of 1868	5016	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe
"C:\Users\Admin\AppData\Local\Temp\7eb413dad7c8b001bbeae51a20513d2da210d5a6a2aaba16a4fdf428e24dff0a.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks computer location settings
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4992

C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
"C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4140 -s 1536
3⤵
- Program crash
PID:4036

C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
"C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Color 2
3⤵
PID:4296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ezhack.ru/ezesp/hh.php
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe6c4e46f8,0x7ffe6c4e4708,0x7ffe6c4e4718
4⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
4⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
4⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
4⤵
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3900 /prefetch:1
4⤵
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
4⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
4⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
4⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3348 /prefetch:8
4⤵
PID:2772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,2011945620131672842,5238486315861839566,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3240 /prefetch:8
4⤵
PID:2228

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 4140 -ip 4140
1⤵
PID:1696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

5

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
Filesize
93KB

MD5
06ee4201dd3a67cc0aeffc537becf178

SHA1
a8bc53e5d09c14434a2daf76196d890e745159f3

SHA256
5c74103d23555cf06f33a76ff28dfb75bcf9125eb87495d34ccd968e8a9e0f1d

SHA512
9c8ced2db82accf8bb6dbd72b1cfb06eb815281e92f90000f10ccd84fbe637e1af6ae5ef016fc760825ae7c1def3a04dc9b47a235aa2a66580c3a05d59611713

Download Submit
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\build (1).exe
Filesize
93KB

MD5
06ee4201dd3a67cc0aeffc537becf178

SHA1
a8bc53e5d09c14434a2daf76196d890e745159f3

SHA256
5c74103d23555cf06f33a76ff28dfb75bcf9125eb87495d34ccd968e8a9e0f1d

SHA512
9c8ced2db82accf8bb6dbd72b1cfb06eb815281e92f90000f10ccd84fbe637e1af6ae5ef016fc760825ae7c1def3a04dc9b47a235aa2a66580c3a05d59611713

Download Submit
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
Filesize
11KB

MD5
71dfbe5c5dfcf6bff76bbaec9e414290

SHA1
9f6feda83bb6c1844e13e2465314158929b9e84d

SHA256
fa15195943f163f4fb42f162c2896525c675f075d7053d079e47d2402e0d2eed

SHA512
b5d96ee90cf0eea57a93ab686b8f791213f2020b911a00e6b69e3549a969f4305a374a1051fddc929f2ba4bbdb1bfa669c53a5b305b01e7e7c3b5f4ec3745b34

Download Submit
C:\Users\Admin\AppData\Roaming\GMsbdXV5TyL\ezesp-18-03.exe
Filesize
11KB

MD5
71dfbe5c5dfcf6bff76bbaec9e414290

SHA1
9f6feda83bb6c1844e13e2465314158929b9e84d

SHA256
fa15195943f163f4fb42f162c2896525c675f075d7053d079e47d2402e0d2eed

SHA512
b5d96ee90cf0eea57a93ab686b8f791213f2020b911a00e6b69e3549a969f4305a374a1051fddc929f2ba4bbdb1bfa669c53a5b305b01e7e7c3b5f4ec3745b34

Download Submit
\??\pipe\LOCAL\crashpad_5016_LRRCYBVMROYPAYNY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1028-157-0x0000000000000000-mapping.dmp

Download
memory/1088-153-0x0000000000000000-mapping.dmp

Download
memory/1868-155-0x0000000000000000-mapping.dmp

Download
memory/2212-160-0x0000000000000000-mapping.dmp

Download
memory/2228-168-0x0000000000000000-mapping.dmp

Download
memory/2772-166-0x0000000000000000-mapping.dmp

Download
memory/4140-144-0x00007FFE719F0000-0x00007FFE724B1000-memory.dmp

Filesize
10.8MB

Download
memory/4140-135-0x0000000000000000-mapping.dmp

Download
memory/4140-140-0x00000260FEEE0000-0x00000260FEEFE000-memory.dmp

Filesize
120KB

Download
memory/4140-150-0x00000260FF200000-0x00000260FF20A000-memory.dmp

Filesize
40KB

Download
memory/4140-147-0x00007FFE719F0000-0x00007FFE724B1000-memory.dmp

Filesize
10.8MB

Download
memory/4296-145-0x0000000000000000-mapping.dmp

Download
memory/4320-162-0x0000000000000000-mapping.dmp

Download
memory/4352-149-0x0000000000000000-mapping.dmp

Download
memory/4580-138-0x0000000000000000-mapping.dmp

Download
memory/4580-146-0x0000000000470000-0x000000000047D000-memory.dmp

Filesize
52KB

Download
memory/4888-152-0x0000000000000000-mapping.dmp

Download
memory/4928-164-0x0000000000000000-mapping.dmp

Download
memory/4992-141-0x0000000001000000-0x0000000001469000-memory.dmp

Filesize
4.4MB

Download
memory/4992-142-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/4992-134-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/4992-133-0x0000000001000000-0x0000000001469000-memory.dmp

Filesize
4.4MB

Download
memory/4992-130-0x0000000001000000-0x0000000001469000-memory.dmp

Filesize
4.4MB

Download
memory/4992-132-0x0000000001000000-0x0000000001469000-memory.dmp

Filesize
4.4MB

Download
memory/4992-131-0x0000000076F60000-0x0000000077103000-memory.dmp

Filesize
1.6MB

Download
memory/5016-148-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads