phorphiex | 9106395ddc362fe7b169d97eb7266c85e91b9d1c1934e27e2ea06ac8fa947e2d

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16/10/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe
Size

2.1MB
MD5

ca22db896e169195523be246ee685e4d
SHA1

c7f399c2314dbd81da4a6ce5ec7875181bad7e5f
SHA256

9106395ddc362fe7b169d97eb7266c85e91b9d1c1934e27e2ea06ac8fa947e2d
SHA512

180b91fd83c496dd4f63a1b60e07daea50fa84b5ca56ff1b4848c45603870fa70ba6d32458a24a3d03a1120ee0e72013a703a941ea2723b8270f76cf3b4323ce
SSDEEP

24576:TxSXu0frXd2agL9T+YEt5RFgbBbx97z7fIoggWD:TxSe0zXUagBTpEHRqbBvz7Rg

Score

10^/10

phorphiex xmrig discovery evasion execution loader miner persistence spyware stealer trojan worm

Malware Config

Extracted

Family

phorphiex

http://185.215.113.66/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

rsXCXBf9SagxV8JfC12d8Bybk84oPdMNN9

AULzfBuUAPfCGAXoG5Vq14aP9s6fx3AH4Z

LTK4xdKPAgFHPLan8kriAD7eY4heyy73mB

MP8GEm8QpYgQYaMo8oM5NQhRBgDGiLZW5Q

4BB7ckkaPTyADc8trtuwDoZxywaR4eNL5cDJ3KBjq9GraN4mUFztf7mLS7WgT7Bh7uPqpjvA4ypVwXKCJ1vvLWWAFvSmDoD

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

1BzmrjmKPKSR2hH5BeJySfiVA676E8DYaK

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3ESHude8zUHksQg1h6hHmzY79BS36L91Yn

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1msyt0djx4ecspfxg5en0ye465kg3kmv9utzml2

bc1ppypcmu3684n648gyj62gjp2rw0xy7w3vwfamatlg29ajp4z52desafa0sr

bc1qc9edl4hzl9jyt8twdad3zjeh2df2znq96tdezd

Attributes

mutex
mmn7nnm8na
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	sysppvrdnvs.exe

Phorphiex payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000700000001921d-9.dat	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 1704 created 1184	1704	3068231244.exe	21
PID 1704 created 1184	1704	3068231244.exe	21
PID 3032 created 1184	3032	winupsecvmgr.exe	21
PID 3032 created 1184	3032	winupsecvmgr.exe	21
PID 3032 created 1184	3032	winupsecvmgr.exe	21

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 5 IoCs

miner

resource	yara_rule
behavioral1/memory/3032-535-0x000000013F140000-0x000000013F6D7000-memory.dmp	xmrig
behavioral1/memory/1564-542-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1564-977-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1564-979-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig
behavioral1/memory/1564-981-0x0000000140000000-0x00000001407EF000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
756	powershell.exe
1488	powershell.exe
916	powershell.exe

Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 10 IoCs

pid	Process
2560	B4BF.exe
1904	2822715102.exe
2552	sysppvrdnvs.exe
1436	1943030937.exe
2224	320722217.exe
1504	3370013850.exe
316	3665910459.exe
2952	67285126.exe
1704	3068231244.exe
3032	winupsecvmgr.exe

Loads dropped DLL 9 IoCs

pid	Process
2560	B4BF.exe
2560	B4BF.exe
2552	sysppvrdnvs.exe
2552	sysppvrdnvs.exe
2552	sysppvrdnvs.exe
1504	3370013850.exe
2552	sysppvrdnvs.exe
2952	67285126.exe
2576	taskeng.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysppvrdnvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysppvrdnvs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysppvrdnvs.exe"	2822715102.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3032 set thread context of 1532	3032	winupsecvmgr.exe	72
PID 3032 set thread context of 1564	3032	winupsecvmgr.exe	73

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sysppvrdnvs.exe	2822715102.exe
File opened for modification	C:\Windows\sysppvrdnvs.exe	2822715102.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1948	sc.exe
1800	sc.exe
1932	sc.exe
1072	sc.exe
2440	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2822715102.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3370013850.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	B4BF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysppvrdnvs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	67285126.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b9600000000020000000000106600000001000020000000146e4ff7e9b211b77923783d4510fff335697633a77b375edf1997f7fd4f8d47000000000e80000000020000200000008432571e7b4e71ddb8d53696f987b4217650944c5aa329ef272cabad338ce59120000000a32a91a4381b05d4c32927655eca4e070113c501044c52727ad941a40705aba0400000004193d4109ecb6a40177643eebb4b41755ce548049c1cada72d76a3a4c680d4bebd7c211b5fb0d30638b985ab700bf740bd6e3f81d898cf1b8cc4c2afd83ed087	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c09d141c661fdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e78a69453f00554b9c7935775bae7b960000000002000000000010660000000100002000000064b12a0597248e4cdbc7db830f73a5ed6f1988269e082015bcae1ab7d5d17a93000000000e800000000200002000000028b6fe8120b9d17daac1f5dc64a3d53f2552a98888d6d21f3280f7733ad2bbb190000000c538a5ab287cb6013a6a487b6f4550ccdae0f74a82b19df9bbda8edd35a792391e02f7138c8f88cbf1caeb9498530a6d3e63100e3832fea7c365cdc4ecc3d7470e3d0eacd526400292adce3f6c40d9623027e22afe7c04ae84329d8006d56245ab7e38d7d81642c730e1411fcd229b23d54cdf2d0d2c8e16ee1097aaf44abc6d6f92f561dc72ac440168a02a796394e44000000081fe176969a6483260965fe9754b32771e3e378c72b0827f308a480ea40e587f13bef638de006a9aa6c539831a27c3cc4f2bcf8a81a00a8cacba9afb5e443934	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435201865"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{080A7521-8B59-11EF-95F7-72BC2935A1B8} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
560	schtasks.exe
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
756	powershell.exe
1436	1943030937.exe
1704	3068231244.exe
1704	3068231244.exe
1488	powershell.exe
1704	3068231244.exe
1704	3068231244.exe
3032	winupsecvmgr.exe
3032	winupsecvmgr.exe
916	powershell.exe
3032	winupsecvmgr.exe
3032	winupsecvmgr.exe
3032	winupsecvmgr.exe
3032	winupsecvmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1436	1943030937.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe
Token: SeLockMemoryPrivilege	1564	dwm.exe
Token: SeLockMemoryPrivilege	1564	dwm.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
2824	iexplore.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe
1564	dwm.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	iexplore.exe
2824	iexplore.exe
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE
2816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2560	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	31
PID 1664 wrote to memory of 2560	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	31
PID 1664 wrote to memory of 2560	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	31
PID 1664 wrote to memory of 2560	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	31
PID 1664 wrote to memory of 2824	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	33
PID 1664 wrote to memory of 2824	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	33
PID 1664 wrote to memory of 2824	1664	2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe	33
PID 2824 wrote to memory of 2816	2824	iexplore.exe	34
PID 2824 wrote to memory of 2816	2824	iexplore.exe	34
PID 2824 wrote to memory of 2816	2824	iexplore.exe	34
PID 2824 wrote to memory of 2816	2824	iexplore.exe	34
PID 2560 wrote to memory of 1904	2560	B4BF.exe	35
PID 2560 wrote to memory of 1904	2560	B4BF.exe	35
PID 2560 wrote to memory of 1904	2560	B4BF.exe	35
PID 2560 wrote to memory of 1904	2560	B4BF.exe	35
PID 1904 wrote to memory of 2552	1904	2822715102.exe	36
PID 1904 wrote to memory of 2552	1904	2822715102.exe	36
PID 1904 wrote to memory of 2552	1904	2822715102.exe	36
PID 1904 wrote to memory of 2552	1904	2822715102.exe	36
PID 2552 wrote to memory of 860	2552	sysppvrdnvs.exe	37
PID 2552 wrote to memory of 860	2552	sysppvrdnvs.exe	37
PID 2552 wrote to memory of 860	2552	sysppvrdnvs.exe	37
PID 2552 wrote to memory of 860	2552	sysppvrdnvs.exe	37
PID 2552 wrote to memory of 1612	2552	sysppvrdnvs.exe	39
PID 2552 wrote to memory of 1612	2552	sysppvrdnvs.exe	39
PID 2552 wrote to memory of 1612	2552	sysppvrdnvs.exe	39
PID 2552 wrote to memory of 1612	2552	sysppvrdnvs.exe	39
PID 860 wrote to memory of 756	860	cmd.exe	41
PID 860 wrote to memory of 756	860	cmd.exe	41
PID 860 wrote to memory of 756	860	cmd.exe	41
PID 860 wrote to memory of 756	860	cmd.exe	41
PID 1612 wrote to memory of 1948	1612	cmd.exe	42
PID 1612 wrote to memory of 1948	1612	cmd.exe	42
PID 1612 wrote to memory of 1948	1612	cmd.exe	42
PID 1612 wrote to memory of 1948	1612	cmd.exe	42
PID 1612 wrote to memory of 1800	1612	cmd.exe	43
PID 1612 wrote to memory of 1800	1612	cmd.exe	43
PID 1612 wrote to memory of 1800	1612	cmd.exe	43
PID 1612 wrote to memory of 1800	1612	cmd.exe	43
PID 1612 wrote to memory of 1932	1612	cmd.exe	44
PID 1612 wrote to memory of 1932	1612	cmd.exe	44
PID 1612 wrote to memory of 1932	1612	cmd.exe	44
PID 1612 wrote to memory of 1932	1612	cmd.exe	44
PID 1612 wrote to memory of 1072	1612	cmd.exe	45
PID 1612 wrote to memory of 1072	1612	cmd.exe	45
PID 1612 wrote to memory of 1072	1612	cmd.exe	45
PID 1612 wrote to memory of 1072	1612	cmd.exe	45
PID 1612 wrote to memory of 2440	1612	cmd.exe	46
PID 1612 wrote to memory of 2440	1612	cmd.exe	46
PID 1612 wrote to memory of 2440	1612	cmd.exe	46
PID 1612 wrote to memory of 2440	1612	cmd.exe	46
PID 2552 wrote to memory of 1436	2552	sysppvrdnvs.exe	48
PID 2552 wrote to memory of 1436	2552	sysppvrdnvs.exe	48
PID 2552 wrote to memory of 1436	2552	sysppvrdnvs.exe	48
PID 2552 wrote to memory of 1436	2552	sysppvrdnvs.exe	48
PID 1436 wrote to memory of 320	1436	1943030937.exe	49
PID 1436 wrote to memory of 320	1436	1943030937.exe	49
PID 1436 wrote to memory of 320	1436	1943030937.exe	49
PID 1436 wrote to memory of 868	1436	1943030937.exe	51
PID 1436 wrote to memory of 868	1436	1943030937.exe	51
PID 1436 wrote to memory of 868	1436	1943030937.exe	51
PID 320 wrote to memory of 1468	320	cmd.exe	53
PID 320 wrote to memory of 1468	320	cmd.exe	53
PID 320 wrote to memory of 1468	320	cmd.exe	53

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1184
- C:\Users\Admin\AppData\Local\Temp\2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-10-16_ca22db896e169195523be246ee685e4d_cobalt-strike_hijackloader_ryuk.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\B4BF.exe
    "C:\Users\Admin\AppData\Local\Temp\B4BF.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Users\Admin\AppData\Local\Temp\2822715102.exe
      C:\Users\Admin\AppData\Local\Temp\2822715102.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Windows\sysppvrdnvs.exe
        
        C:\Windows\sysppvrdnvs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS /wait
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1948
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS /wait
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2440
      - C:\Users\Admin\AppData\Local\Temp\1943030937.exe
        
        C:\Users\Admin\AppData\Local\Temp\1943030937.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        8⤵
        
        PID:1468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:868
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        8⤵
        
        PID:944
      - C:\Users\Admin\AppData\Local\Temp\320722217.exe
        
        C:\Users\Admin\AppData\Local\Temp\320722217.exe
        6⤵
        Executes dropped EXE
        
        PID:2224
      - C:\Users\Admin\AppData\Local\Temp\3370013850.exe
        
        C:\Users\Admin\AppData\Local\Temp\3370013850.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3665910459.exe
        
        C:\Users\Admin\AppData\Local\Temp\3665910459.exe
        7⤵
        Executes dropped EXE
        
        PID:316
      - C:\Users\Admin\AppData\Local\Temp\67285126.exe
        
        C:\Users\Admin\AppData\Local\Temp\67285126.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\3068231244.exe
        
        C:\Users\Admin\AppData\Local\Temp\3068231244.exe
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1704
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://chrome.360.cn/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1488
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:560
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:916
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /tn "Microsoft Windows Security" /tr "'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2572
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:1532
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1564

C:\Windows\system32\taskeng.exe
taskeng.exe {63CCBB18-E3E9-4FB5-8659-5B88EE9FA0D2} S-1-5-21-2039016743-699959520-214465309-1000:PIDEURYY\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
PID:2576
- C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
  "C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
391c7a1128054bbe61b1b47ebae4ae05

SHA1
8d40a41542740188be2118678b1875f111b69936

SHA256
399559b3f5c54e013509ae9c89e79716e9cbd54bdecefebf342247caf61c5f50

SHA512
2159d5362e3964f264f07b2187c27eeaed3287fddef65270c8d1c42e4222fda4a73155872c3c3e20619402eae1fc052da7d182f1f0b031e62fa98c958beadf4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b4c366b01b5a8f97d23c2af556a388e

SHA1
d074770216ed5929ecb38d5c65253896308b6919

SHA256
293274af32192dbd47471afba7803d509adc0e21749e3e8132d37502fe483947

SHA512
f9ed7564832be190d26db66782c7cdb365e939ae9b7f48383d02fb61d108d3f5eedab6dad09c505359c603cdc5efdd9dfa66809978581aea71bd37aa28222df0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a51689b6a4079ac817b27c74fdba6483

SHA1
c72935a9a90d8dc6937e0584e42ffce5ce412eb7

SHA256
4e63cc263bffbdc50952e80a3f90ae2cce17a7cc837384ad5b6d9d61d1d6521d

SHA512
203eb037d03317f4a830dcdaf1a9dc70846bfb73032b474d4ef5cc0a39c75a7b1507321c10bb5d5fad0a15e7ad16eb34679d526872550e56a612bda9dd258c3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
763e6c07138ab0ecd146465000391756

SHA1
e4a0abda1274745a08c843457596cc6985d703d0

SHA256
3526da9c1b33b79d9f2f499b7b5f87e915616ce57982b90011bb59f32f9f38de

SHA512
694edbcc1f40d5577312aad8f58d659cb63990e1f0fe989c4c27d4539a710374de786576ea9dd34c6ebd51bd01c3b42e1bcff1f38b77b31b6f582ca370f88f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da1f4c22a84f4bf5e561689e685fea02

SHA1
895cd634cbe4a7f807831520cb258813b28de341

SHA256
a92f70343275bb0871d67f12cefa284cbf4506b2fe0ccba81cf11794e6a4dcfd

SHA512
24c5ddb4021ffaaf025fd1b30ed03ab16d28e416bf989d2e3bf88d004af18598ec9b9dd0b5f7bab962eaac56ac61def017c2cc31245507c8319489f8bc30c58f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
379fc7b4836eca63b3f094aaa730f0e2

SHA1
3aa5b1b20d8b593651c37667e024e52f4b23cf96

SHA256
add16262342749581a5ceb77b25669480961bf77890c73d89fa1a96934194f0e

SHA512
df6b5071a8143499bfa63df9909a2f8aecd0ca70ba22fcf425e89c720cbd4530438186d8a2e0ae86bf951a2308bded3efdc2a6d0646a29fa641b527ae4f2d901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccfde2b7071a964ea343ad7495889d5c

SHA1
c2a861a9acc0583d695e60a48fa548162f6df9c3

SHA256
249199e3d0189a301451748a44c96238f3161743301eafef2fc0a6b375bd2b5c

SHA512
22748750e8401de46e500563f0f33c65c29f82dabe0e38460b2c391a4416fc07eca950c0baac304f6bcaf29d683a3d814a96802ebe0bed662b31ae41e09a3141

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
756503fa69c3d037b5c286908ce1571c

SHA1
6ad7de06d8cdf7eb42e91b5792f1ebfeb005de13

SHA256
fbab2a1162e92e9cb49308d5b37f4614540d7769e9d259fca786b7296872ffa5

SHA512
6f23f5eb727bac18f9e829d4a89f5eb64dbcd727a562074265e86def749da61ae6006cc6b6a79d754f4277bb2e80d5946560bd7d7445fd1dac78779fc4f05dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb5a2d5afd932dacadd62cc704ceb3d2

SHA1
dcab8e8cc92530ab662838cd1974f832f3dd4ca0

SHA256
c91a2be2528d866491d05bbe327a51c69299506afe722b788e68962f586ab2cc

SHA512
4b60b2fbfc18b3954355a00ed77e2825c6621236c78a4bb0a3da30edbb415e52218fb32e4bc4160f8246fac44bed62c17f9cf3cde512010192a539954f3e6826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0757e1aed20c1efc7095d7be2cb64311

SHA1
22f591ddc0c7ffec7cbf1eec386b938aa68c66fe

SHA256
b2b346ab474112c2003836b301c21b06cc025bf887211517713baeaa53031ee1

SHA512
aa976930482cca73c21a61299a6a87fd90fdb2cc39b7acf65a5744ef7d9f74761570ccb4e4cd2c275d3dceff8fbb42564143bf6779c3153ec6ad17d08d0ce48a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d90fd390d6e168d43f737b6d9b43452

SHA1
d0952c9732d837a3c94af8724b0d4770dc8c49b9

SHA256
75c9367605120dc0496be6dc2e62c25799fd471bf456dccde98ecce25c0ce4a0

SHA512
39927f419ee9a41a7aa846e1e1653f5d34c9e5358c620777f9cbbd48946e2baf5b0a7c216aa437dc59d86a769e56e703dd9b4c7be092a7787a48749b3d7a8c7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c815277fdc107304fa3a25b679a00e84

SHA1
b46a5919ed08f4119e13ae7e7da80ea9ed96ecda

SHA256
bf3137bf6799a88c80cb6be7f9dabb622d71a06572cb9c04c4cd7a41b5a7995d

SHA512
2d8e952c0d0b9c1c12c7e958c8734b0cb80eafe8ad56eb3b7a5a76749475d7bf850f958a0e21c9d6ba1db353f95336d56285c1b12c7cd07c36850b1496016b84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d614408984b1ea2e929c4779087d1e4

SHA1
de5915be0cc9c680a5a9ce103b47465a5425d46e

SHA256
b771fbc13d11eb6b4523122c154cc01d8c25ddce5020a9276ced543908c5f2b9

SHA512
3ddf5f39592a64c0a942d8b8123c880689b0c2c41d633b4e2972ce7d4230d85b843e18ed1660d059880dc67f6796fd7f988d47d5cb52a07768b0baa3fbac871d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
572d2f824cfb33391eb3b9a0a0b6ab89

SHA1
6cedb3da24ed34ceed340d69583efd7e4b0cce7f

SHA256
c7f92d8dac13b37e32a76b9f3a4728ffd6d780f0798ee4adad483ef3402e4b96

SHA512
a69e42266ba3c059c9233e9acba68adbc0cf8f33966b5d75ea16ec0522cba783f74ff4bffdac92f56961fa45404b924298acce33e0e1c65d8685b25fd1de23d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31df93bdc55126c0a2f981a3d2e334c

SHA1
4cec3e590746aa090bc6062641606c0f954cdc60

SHA256
d2a68ef2922ef538d74405ff2fe1accb33c37bf3abd55d5ae09e820bb3fe1288

SHA512
3a2f9d6429432b0c6711bc7b5207bcd358000fa43acdcaa50cccdd15f9890c2c0348d2f26e0cc27f3201503662ad3b28526e2b7ffe1ef1d39549e4f508511c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
076e4c3c0a5437615dd93e98ee287492

SHA1
b71810da927709ecb063cea9847ef9834d0a19bc

SHA256
b00bbf9f9c1bb9c8e6ba61eb65ee4112f5983155d7a1768327de4eadfaf6c6ee

SHA512
00ec82449c76ede509fd7cc4f35c90771ce1326dacb43e6de3795f06c226f9b59fdd3dee0eebf573eaacbd1c716a03e817ded38f64c65edf5305600d63750e1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bf38762e95c0f988e58671e3e657d2b

SHA1
a16053b0fd97a3d573d589b98e1b99ff2253eb38

SHA256
738b2041b6f8319afb3c61123e71dfcfa51ada8258ccbd650996dcc8d313f777

SHA512
11461c1e6804962f98f3833015d8db17f41cd06a277e879d40996d61c1e0b9e804264ba30af0d7687493fcfafd9326a6e230f7d61aff18c7488c18cc7ebd9052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\1[1]

Filesize
108KB

MD5
1fcb78fb6cf9720e9d9494c42142d885

SHA1
fef9c2e728ab9d56ce9ed28934b3182b6f1d5379

SHA256
84652bb8c63ca4fd7eb7a2d6ef44029801f3057aa2961867245a3a765928dd02

SHA512
cdf58e463af1784aea86995b3e5d6b07701c5c4095e30ec80cc901ffd448c6f4f714c521bf8796ffa8c47538bf8bf5351e157596efaa7ab88155d63dc33f7dc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BF.exe

Filesize
9KB

MD5
8d8e6c7952a9dc7c0c73911c4dbc5518

SHA1
9098da03b33b2c822065b49d5220359c275d5e94

SHA256
feb4c3ae4566f0acbb9e0f55417b61fefd89dc50a4e684df780813fb01d61278

SHA512
91a573843c28dd32a9f31a60ba977f9a3d4bb19ffd1b7254333e09bcecef348c1b3220a348ebb2cb08edb57d56cb7737f026519da52199c9dc62c10aea236645

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD03A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD0EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\GCZVXBSETIRCSICHYJNV.temp

Filesize
7KB

MD5
9c604dff7247d88601f7c251d0555503

SHA1
3b09f8958e8e44343101e575ffae4e9e2d33e978

SHA256
850c2239f3dff146ced8cdd4e36a285cdb89168377f51868e5fde3f0f96f98aa

SHA512
3016f0659356b6b332bbc47705bb85a6d8b9a459c36af3888625358e171fc2879b22692492fed2b375a17c9eb3e33901bd06ef47268e4e0ed3f08282ee8e2060

Download Submit
\Users\Admin\AppData\Local\Temp\1943030937.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
\Users\Admin\AppData\Local\Temp\2822715102.exe

Filesize
83KB

MD5
06560b5e92d704395bc6dae58bc7e794

SHA1
fbd3e4ae28620197d1f02bfc24adaf4ddacd2372

SHA256
9eaaadf3857e4a3e83f4f78d96ab185213b6528c8e470807f9d16035daadf33d

SHA512
b55b49fc1bd526c47d88fcf8a20fcaed900bfb291f2e3e1186ec196a87127ed24df71385ae04fedcc802c362c4ebf38edfc182013febf4496ddeb66ce5195ee3

Download Submit
\Users\Admin\AppData\Local\Temp\3068231244.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
\Users\Admin\AppData\Local\Temp\320722217.exe

Filesize
15KB

MD5
0c37ee292fec32dba0420e6c94224e28

SHA1
012cbdddaddab319a4b3ae2968b42950e929c46b

SHA256
981d724feebc36777e99513dc061d1f009e589f965c920797285c46d863060d1

SHA512
2b60b571c55d0441ba0cfc695f9db5cd12660ebec7effc7e893c3b7a1c6cb6149df487c31b8d748697e260cbc4af29331592b705ea9638f64a711c7a6164628b

Download Submit
\Users\Admin\AppData\Local\Temp\3370013850.exe

Filesize
10KB

MD5
c2ae8d88cbe2d4c8d2b808167d4ab5f1

SHA1
bb2ffc20f0e9cae35b8f3e5f9a330cb247636f68

SHA256
18b7e68ea05160f6ddec3785f39c639a89a7f90db206800d3f043cfe2013e14a

SHA512
9692218d1c9331255960b01488558b73e289b3ba9288357cca0cefbe6bbc662ce3e931839def0f7df0b7ebc96f9274390c946c28cc561ae0fe1c8775e73f674e

Download Submit
\Users\Admin\AppData\Local\Temp\3665910459.exe

Filesize
20KB

MD5
c2159769dc80fa8b846eca574022b938

SHA1
222a44b40124650e57a2002cd640f98ea8cb129d

SHA256
d9cb527841e98bb1a50de5cf1c5433a05f14572a3af3be4c10d3a4708d2419e0

SHA512
7a8b4f0b5c020277b4446e4ff2223de413bd6be4c7dad3179f988cb5d3849435a85acfbda7d41d3ef15d22554cd722a8b657d978426b79dc1495a81ab270e870

Download Submit
\Users\Admin\AppData\Local\Temp\67285126.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
memory/916-529-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/916-530-0x0000000001D50000-0x0000000001D58000-memory.dmp

Filesize
32KB

Download
memory/1436-47-0x000000013FFD0000-0x000000013FFD6000-memory.dmp

Filesize
24KB

Download
memory/1488-517-0x0000000002650000-0x0000000002658000-memory.dmp

Filesize
32KB

Download
memory/1488-516-0x000000001B3E0000-0x000000001B6C2000-memory.dmp

Filesize
2.9MB

Download
memory/1532-541-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1532-976-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1564-542-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1564-536-0x0000000000040000-0x0000000000060000-memory.dmp

Filesize
128KB

Download
memory/1564-977-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1564-979-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1564-981-0x0000000140000000-0x00000001407EF000-memory.dmp

Filesize
7.9MB

Download
memory/1704-520-0x000000013FF90000-0x0000000140527000-memory.dmp

Filesize
5.6MB

Download
memory/3032-535-0x000000013F140000-0x000000013F6D7000-memory.dmp

Filesize
5.6MB

Download