855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec

Analysis

max time kernel
153s
max time network
189s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02/12/2022, 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe
Size

1.3MB
MD5

ddb3411a2e32e5aebe171ce949d03dfa
SHA1

05599be048740ef7d1aad85446632b74a21d07cb
SHA256

855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec
SHA512

4dd335fd27e5ed5abdc2a55b5b23a2b92e2e64859ce5835159bba85229b9cf657b9ca840968f9d7ee25c0ea3d706f4aebf495dbb3be971f0d9a764234a1ef964
SSDEEP

24576:2+cojLYcSWBWKTaRRNf8u/VUncbiAr1ZbGOYv/MEgkElRavzYjo8Vuj8J8l:71LYJWUHRNfF/VfZbGOYMEgkEl/j2

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
1976	ccsvchst1.exe
868	ccsvchst.exe
680	combine.exe
1780	cmss.exe
992	msmsgs.exe
952	comres.exe
1332	RDS.exe
1712	msmsgs.exe
932	msmsgs.exe

Modifies Windows Firewall 1 TTPs 9 IoCs

evasion

Modify Existing Service

T1031

pid	Process
1344	netsh.exe
1676	netsh.exe
1672	netsh.exe
1944	netsh.exe
1536	netsh.exe
1544	netsh.exe
1124	netsh.exe
1480	netsh.exe
108	netsh.exe

Loads dropped DLL 54 IoCs

pid	Process
1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe
1976	ccsvchst1.exe
1976	ccsvchst1.exe
1976	ccsvchst1.exe
1976	ccsvchst1.exe
868	ccsvchst.exe
868	ccsvchst.exe
868	ccsvchst.exe
868	ccsvchst.exe
868	ccsvchst.exe
680	combine.exe
680	combine.exe
680	combine.exe
680	combine.exe
680	combine.exe
680	combine.exe
680	combine.exe
680	combine.exe
868	ccsvchst.exe
868	ccsvchst.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
992	msmsgs.exe
992	msmsgs.exe
992	msmsgs.exe
992	msmsgs.exe
1780	cmss.exe
1780	cmss.exe
952	comres.exe
952	comres.exe
952	comres.exe
952	comres.exe
1780	cmss.exe
1780	cmss.exe
1332	RDS.exe
1332	RDS.exe
1332	RDS.exe
1332	RDS.exe
1780	cmss.exe
1780	cmss.exe
1712	msmsgs.exe
1712	msmsgs.exe
1712	msmsgs.exe
1712	msmsgs.exe
1780	cmss.exe
1780	cmss.exe
932	msmsgs.exe
932	msmsgs.exe
932	msmsgs.exe
932	msmsgs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\IntellRaidConfigurer = "C:\\PROGRA~2\\WinApps\\cmss.exe"	ccsvchst.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ieobject.dll	ccsvchst1.exe
File opened for modification	C:\Windows\SysWOW64\ieobject.dll	ccsvchst1.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File created	C:\PROGRA~2\WinApps\comres.exe	ccsvchst.exe
File created	C:\PROGRA~2\WinApps\msmsgs.exe	ccsvchst.exe
File created	C:\PROGRA~2\WinApps\RDS.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common	ccsvchst.exe
File created	C:\PROGRA~2\WinApps\cmss.exe	ccsvchst.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File opened for modification	C:\PROGRA~2\WinApps\comres.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\05 Dec 22 13_23_29 Admin .rca	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\PC_Active_Time.txt	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\refsdm.dll	ccsvchst.exe
File created	C:\Windows\ntfsv.dll	ccsvchst.exe
File opened for modification	C:\Windows\ntfsv.dll	ccsvchst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"	msmsgs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\MSWINSCK.OCX, 1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msmsgs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe
1780	cmss.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1976	ccsvchst1.exe
868	ccsvchst.exe
1780	cmss.exe
992	msmsgs.exe
952	comres.exe
1332	RDS.exe
992	msmsgs.exe
1712	msmsgs.exe
1712	msmsgs.exe
932	msmsgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1716 wrote to memory of 1976	1716	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	28
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 1976 wrote to memory of 868	1976	ccsvchst1.exe	29
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 680	868	ccsvchst.exe	30
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1788	868	ccsvchst.exe	31
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1124	868	ccsvchst.exe	33
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1344	868	ccsvchst.exe	34
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1676	868	ccsvchst.exe	36
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1672	868	ccsvchst.exe	39
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1944	868	ccsvchst.exe	44
PID 868 wrote to memory of 1480	868	ccsvchst.exe	42

C:\Users\Admin\AppData\Local\Temp\855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe
"C:\Users\Admin\AppData\Local\Temp\855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe
  "C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe
    C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:868
  - - C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~2\WinApps /G Everyone:f
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~2\WinApps /G Everyone:f
        5⤵
        
        PID:1332
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\comres.exe" "comres.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1124
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\comres.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1344
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\comres.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      PID:1676
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\cmss.exe" "cmss.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1672
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\cmss.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      PID:1480
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\cmss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:1944
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\RDS.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      PID:108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\RDS.exe" "RDS.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      PID:1536
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\RDS.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      PID:1544
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
      4⤵
      PID:1276
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        5⤵
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:1984
  - - C:\PROGRA~2\WinApps\cmss.exe
      C:\PROGRA~2\WinApps\cmss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1780
    - - C:\Program Files (x86)\WinApps\msmsgs.exe
        
        "C:\Program Files (x86)\WinApps\msmsgs.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:992
    - - C:\Program Files (x86)\WinApps\comres.exe
        
        "C:\Program Files (x86)\WinApps\comres.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:952
    - - C:\Program Files (x86)\WinApps\RDS.exe
        
        "C:\Program Files (x86)\WinApps\RDS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1332
    - - C:\PROGRA~2\WinApps\msmsgs.exe
        
        C:\PROGRA~2\WinApps\msmsgs.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1712
    - - C:\PROGRA~2\WinApps\msmsgs.exe
        
        C:\PROGRA~2\WinApps\msmsgs.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\RDS.exe

Filesize
180KB

MD5
7f864e74ffb1fc642c9b46af6ec72409

SHA1
46c8f62146292efe6a138b1073c32f3fce426490

SHA256
12f78e88db35a4e05aa445bd2d884ed4d7f5ab7ef87e73b07f027944f191defb

SHA512
7f555d369659e2bf3c367684f07ff5119e6b38c846f05a99c667fa9749eb5deb96bc1a5fca6f5274695e49a95503068209c506abbd2543d35a1ecb934f634b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ass.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\comres.exe

Filesize
196KB

MD5
979d869f691367229511803ce8fca97d

SHA1
0674b145a3962a1b81d28ef00d3ff67a3f6236fa

SHA256
6271e553e424d6901868f9d9437fa8afd72b8d21ea8c6f0f70737eeb04cb670a

SHA512
8c24a77582ce5fe9fc0c9c57e8c540e768f75895069c83fea5f091c49045c9cb5e2a96bb2c5a17d86a079fcbbd119a0bd2d4177544a58dbe2ddab82b54b0c5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\delkl.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

Filesize
1B

MD5
8f14e45fceea167a5a36dedd4bea2543

SHA1
902ba3cda1883801594b6e1b452790cc53948fda

SHA256
7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451

SHA512
f05210c5b4263f0ec4c3995bdab458d81d3953f354a9109520f159db1e8800bcd45b97c56dce90a1fc27ab03e0b8a9af8673747023c406299374116d6f966981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emdc.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfz.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfzb.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emine.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\eminu.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emon.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emoo.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

Filesize
40B

MD5
62158ca606dfd1b74f03b03f43e597c4

SHA1
f91a0aaaa72c124282fd28dbd9326072f789f19f

SHA256
4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

SHA512
389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inter.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inuser.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

Filesize
16B

MD5
850ef2569cad0612b4e2180f45428a80

SHA1
4f1133590e98a1be80bcc5604d9a982c52f627cf

SHA256
85fda0b7ca19d9f836076c421de754503f7c1867ab56e58691901ce2d7f7f1e6

SHA512
1638a4f01ac56cc660acc123f68eb4161fbff770e26cdf378371f35d51f6eafb1eda963dcb7ec15b00f9b3c013e458fa9fe18f42fa3b490af5e8480e92126bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mailkl.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mailsc.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\msmsgs.exe

Filesize
164KB

MD5
03f8efe9796bb03ec9ed971d56d4397f

SHA1
d8afa680786981186f8f0a81acab16eeea00eee4

SHA256
010a729a55ab6285a8b7daecb4052df92aad0d7366432093e847e3ed8a9fb4d6

SHA512
895c70b359a09bd793cc0a8349135a8ebe9bf174af154cbde57e29d78da09c8ae320a5adf51af410bd176c5183b1e17515d85d46b522a897bebd648a4aa66e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ntfsv.dll

Filesize
176KB

MD5
a0ce0247d48fecaac607edb1e2d87fd8

SHA1
346bf586bdf6ae4181c685fa74adf4524328d469

SHA256
5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

SHA512
38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

Filesize
3B

MD5
13f3cf8c531952d72e5847c4183e6910

SHA1
ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

SHA256
6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

SHA512
c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

Filesize
26B

MD5
d44cabf1793adb0d348374be9ed1adf7

SHA1
f3edf7f5d35d10715220f7556f0c03ab1a1a8d34

SHA256
d0a84b18a92aa9182b66f66b3f53bee77ec64f7bc55318befd0f25ec4fd5db12

SHA512
9b4e23ec769e187594dae7857f0e14e38bad99314b6fd48cac7462a636ac9984be1b124ef88e9d9c38e648816f9ce9b091e5eaa6e42e7fad0e7f26c570439e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

Filesize
6B

MD5
c34986dbebf6fc39721449a9b7053a0f

SHA1
d48465af6c32fdb8829d8e8931b6b5bf12307340

SHA256
7860808354d1b5c502b6aaa9d1277af2bc9f7bf2bdde2f5e4337f1a9952294a1

SHA512
d5376c89afab277a912fd00235a3e1b2df1525beb2c96d38ed054ebf891ae2fdc0b28c0271a70913dadc15b05a8b447818ed38c60f27d8cd7ba4fa344eb46924

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rmdesk.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sccle.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scday.dll

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scen.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scint2.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

Filesize
36B

MD5
0af629b1df207fd25f221a50059140a5

SHA1
1bdf9311af713c98ef038fcf89ee678884e8fb3d

SHA256
5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

SHA512
7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\seek.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\seekil.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll

Filesize
5B

MD5
cff42d769fc6a027224a1a20c4ab567a

SHA1
c716084845f60944f0ccfd3046e9665113c093b0

SHA256
e7b0c01604266fd889ba808bb54be0932fabdbae6c8347ed940b81c0a6a89e66

SHA512
debad827c84f0748c81247ba49bf7600c02f35892f396f6ce8e07c5ecc5af5ef624bf618c52563cb5a6c83d105a057b5b71892b8fad0e89424e6258ff2a311fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

Filesize
7B

MD5
c3eef34d092ed60c3b2791814511903a

SHA1
815f979888d7a7d3cb622eee67d445c0fc94469b

SHA256
6bd1454e4848ba9ec48363db5afdc51f2a67b2e87bf7478b681cda2df245779a

SHA512
519b141185f3b4dcaf0990844aa125a23caa552d347fa69972ecf565b08b82d6b0fad321ebc0bbacca06b36fa603f4d8bd080a5a9b760e4405199b57082190ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\unin.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\update.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\weben.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

Filesize
396KB

MD5
c9c35b256d707aefd361a753627f229c

SHA1
db925a03ad02a17ba23dc656242f8e8c3bd2405f

SHA256
60f0960913b465b877264d0c546cab6bdb342f1dd98c76b873458d49f7f29324

SHA512
6f0aa139691e638290d5b9aadb5b0ea2a2988eed180318636a81ad7ff692ffb29698fac27a5c2628f8b05cec7506a5346e3a2d1b30d3d141933b9fd8bb2eb45e

Download Submit
C:\Windows\SysWOW64\ieobject.DLL

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
\Users\Admin\AppData\Local\Temp\GLCEA40.tmp

Filesize
157KB

MD5
fbd929bfc7b4a9e4fa4506655bab4c4a

SHA1
b4df84de80729a04ed90dc976a3e730a568f24f8

SHA256
adf8dea5d36b58cf621e2bb0c4549f94e0919308dd7cc1215d942417c45e54a4

SHA512
b310e79848dc2a3c6a4524e0b120e2e3dd73ecb6852c65a9eec368045f7bab0b141210726476dd3cb0c1d9008e1f34149f35c03a0156a9eef7d4a7fbc61ea1b4

Download Submit
\Users\Admin\AppData\Local\Temp\GLF545E.tmp1838418653

Filesize
304KB

MD5
aa1326ab689ac11fa18c1afd11debe31

SHA1
261b6776a22043935197a58438ac402bc7debf42

SHA256
45fa09814acd3549d2d5f5fb6c7bae029aacf2796428524dbb89601072ca9f63

SHA512
81aba1ded93aaa26c14eb538648e88a6c18db3027632421c6af086f28b96e26ce21bb1c3d1d4ac0c0cfa07f6df45016bf6e2d8c19dae22f380195941493a91a7

Download Submit
\Users\Admin\AppData\Local\Temp\GLF545E.tmp1838418653

Filesize
304KB

MD5
aa1326ab689ac11fa18c1afd11debe31

SHA1
261b6776a22043935197a58438ac402bc7debf42

SHA256
45fa09814acd3549d2d5f5fb6c7bae029aacf2796428524dbb89601072ca9f63

SHA512
81aba1ded93aaa26c14eb538648e88a6c18db3027632421c6af086f28b96e26ce21bb1c3d1d4ac0c0cfa07f6df45016bf6e2d8c19dae22f380195941493a91a7

Download Submit
\Users\Admin\AppData\Local\Temp\GLF545E.tmp1838418653

Filesize
304KB

MD5
aa1326ab689ac11fa18c1afd11debe31

SHA1
261b6776a22043935197a58438ac402bc7debf42

SHA256
45fa09814acd3549d2d5f5fb6c7bae029aacf2796428524dbb89601072ca9f63

SHA512
81aba1ded93aaa26c14eb538648e88a6c18db3027632421c6af086f28b96e26ce21bb1c3d1d4ac0c0cfa07f6df45016bf6e2d8c19dae22f380195941493a91a7

Download Submit
\Users\Admin\AppData\Local\Temp\GLKEA61.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
\Windows\SysWOW64\ieobject.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
memory/680-109-0x0000000000490000-0x00000000004E4000-memory.dmp

Filesize
336KB

Download
memory/1716-54-0x00000000760C1000-0x00000000760C3000-memory.dmp

Filesize
8KB

Download