855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec

Analysis

max time kernel
219s
max time network
233s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 18:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe
Size

1.3MB
MD5

ddb3411a2e32e5aebe171ce949d03dfa
SHA1

05599be048740ef7d1aad85446632b74a21d07cb
SHA256

855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec
SHA512

4dd335fd27e5ed5abdc2a55b5b23a2b92e2e64859ce5835159bba85229b9cf657b9ca840968f9d7ee25c0ea3d706f4aebf495dbb3be971f0d9a764234a1ef964
SSDEEP

24576:2+cojLYcSWBWKTaRRNf8u/VUncbiAr1ZbGOYv/MEgkElRavzYjo8Vuj8J8l:71LYJWUHRNfF/VfZbGOYMEgkEl/j2

Score

8^/10

evasion persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
3444	ccsvchst1.exe
3280	ccsvchst.exe
2252	combine.exe
4076	cmss.exe
2664	msmsgs.exe
208	comres.exe
5016	RDS.exe
4592	msmsgs.exe
5020	msmsgs.exe

Modifies Windows Firewall 1 TTPs 9 IoCs

evasion

Modify Existing Service

T1031

pid	Process
3544	netsh.exe
1276	netsh.exe
3460	netsh.exe
5104	netsh.exe
4448	netsh.exe
744	netsh.exe
4556	netsh.exe
4756	netsh.exe
3396	netsh.exe

Loads dropped DLL 21 IoCs

pid	Process
3280	ccsvchst.exe
2252	combine.exe
2252	combine.exe
2252	combine.exe
3280	ccsvchst.exe
3280	ccsvchst.exe
2252	combine.exe
2252	combine.exe
2252	combine.exe
2252	combine.exe
2252	combine.exe
2252	combine.exe
4076	cmss.exe
2664	msmsgs.exe
208	comres.exe
208	comres.exe
5016	RDS.exe
5016	RDS.exe
4076	cmss.exe
4592	msmsgs.exe
5020	msmsgs.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IntellRaidConfigurer = "C:\\PROGRA~2\\WinApps\\cmss.exe"	ccsvchst.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ieobject.dll	ccsvchst1.exe
File opened for modification	C:\Windows\SysWOW64\ieobject.dll	ccsvchst1.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File created	C:\PROGRA~2\WinApps\comres.exe	ccsvchst.exe
File opened for modification	C:\PROGRA~2\WinApps\comres.exe	ccsvchst.exe
File created	C:\PROGRA~2\WinApps\RDS.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe
File created	C:\PROGRA~2\WinApps\cmss.exe	ccsvchst.exe
File created	C:\PROGRA~2\WinApps\msmsgs.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\PC_Active_Time.txt	cmss.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ntfsv.dll	ccsvchst.exe
File created	C:\Windows\refsdm.dll	ccsvchst.exe
File created	C:\Windows\ntfsv.dll	ccsvchst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\MSWINSCK.OCX, 1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	ccsvchst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe
4076	cmss.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3444	ccsvchst1.exe
3280	ccsvchst.exe
4076	cmss.exe
2664	msmsgs.exe
208	comres.exe
2664	msmsgs.exe
5016	RDS.exe
4592	msmsgs.exe
4592	msmsgs.exe
5020	msmsgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 3444	1572	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	86
PID 1572 wrote to memory of 3444	1572	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	86
PID 1572 wrote to memory of 3444	1572	855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe	86
PID 3444 wrote to memory of 3280	3444	ccsvchst1.exe	88
PID 3444 wrote to memory of 3280	3444	ccsvchst1.exe	88
PID 3444 wrote to memory of 3280	3444	ccsvchst1.exe	88
PID 3280 wrote to memory of 2252	3280	ccsvchst.exe	90
PID 3280 wrote to memory of 2252	3280	ccsvchst.exe	90
PID 3280 wrote to memory of 2252	3280	ccsvchst.exe	90
PID 3280 wrote to memory of 3992	3280	ccsvchst.exe	92
PID 3280 wrote to memory of 3992	3280	ccsvchst.exe	92
PID 3280 wrote to memory of 3992	3280	ccsvchst.exe	92
PID 3280 wrote to memory of 3544	3280	ccsvchst.exe	93
PID 3280 wrote to memory of 3544	3280	ccsvchst.exe	93
PID 3280 wrote to memory of 3544	3280	ccsvchst.exe	93
PID 3280 wrote to memory of 3460	3280	ccsvchst.exe	94
PID 3280 wrote to memory of 3460	3280	ccsvchst.exe	94
PID 3280 wrote to memory of 3460	3280	ccsvchst.exe	94
PID 3280 wrote to memory of 5104	3280	ccsvchst.exe	95
PID 3280 wrote to memory of 5104	3280	ccsvchst.exe	95
PID 3280 wrote to memory of 5104	3280	ccsvchst.exe	95
PID 3280 wrote to memory of 744	3280	ccsvchst.exe	98
PID 3280 wrote to memory of 744	3280	ccsvchst.exe	98
PID 3280 wrote to memory of 744	3280	ccsvchst.exe	98
PID 3280 wrote to memory of 4448	3280	ccsvchst.exe	96
PID 3280 wrote to memory of 4448	3280	ccsvchst.exe	96
PID 3280 wrote to memory of 4448	3280	ccsvchst.exe	96
PID 3280 wrote to memory of 4556	3280	ccsvchst.exe	100
PID 3280 wrote to memory of 4556	3280	ccsvchst.exe	100
PID 3280 wrote to memory of 4556	3280	ccsvchst.exe	100
PID 3280 wrote to memory of 4756	3280	ccsvchst.exe	106
PID 3280 wrote to memory of 4756	3280	ccsvchst.exe	106
PID 3280 wrote to memory of 4756	3280	ccsvchst.exe	106
PID 3280 wrote to memory of 3396	3280	ccsvchst.exe	111
PID 3280 wrote to memory of 3396	3280	ccsvchst.exe	111
PID 3280 wrote to memory of 3396	3280	ccsvchst.exe	111
PID 3280 wrote to memory of 1276	3280	ccsvchst.exe	107
PID 3280 wrote to memory of 1276	3280	ccsvchst.exe	107
PID 3280 wrote to memory of 1276	3280	ccsvchst.exe	107
PID 3280 wrote to memory of 4824	3280	ccsvchst.exe	112
PID 3280 wrote to memory of 4824	3280	ccsvchst.exe	112
PID 3280 wrote to memory of 4824	3280	ccsvchst.exe	112
PID 3992 wrote to memory of 1988	3992	cmd.exe	113
PID 3992 wrote to memory of 1988	3992	cmd.exe	113
PID 3992 wrote to memory of 1988	3992	cmd.exe	113
PID 4824 wrote to memory of 1984	4824	cmd.exe	115
PID 4824 wrote to memory of 1984	4824	cmd.exe	115
PID 4824 wrote to memory of 1984	4824	cmd.exe	115
PID 4824 wrote to memory of 1888	4824	cmd.exe	117
PID 4824 wrote to memory of 1888	4824	cmd.exe	117
PID 4824 wrote to memory of 1888	4824	cmd.exe	117
PID 3992 wrote to memory of 1444	3992	cmd.exe	116
PID 3992 wrote to memory of 1444	3992	cmd.exe	116
PID 3992 wrote to memory of 1444	3992	cmd.exe	116
PID 3280 wrote to memory of 4076	3280	ccsvchst.exe	118
PID 3280 wrote to memory of 4076	3280	ccsvchst.exe	118
PID 3280 wrote to memory of 4076	3280	ccsvchst.exe	118
PID 4076 wrote to memory of 2664	4076	cmss.exe	119
PID 4076 wrote to memory of 2664	4076	cmss.exe	119
PID 4076 wrote to memory of 2664	4076	cmss.exe	119
PID 4076 wrote to memory of 208	4076	cmss.exe	120
PID 4076 wrote to memory of 208	4076	cmss.exe	120
PID 4076 wrote to memory of 208	4076	cmss.exe	120
PID 4076 wrote to memory of 5016	4076	cmss.exe	121

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2584
- C:\Users\Admin\AppData\Local\Temp\855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe
  "C:\Users\Admin\AppData\Local\Temp\855edc8cfedaa48f9168bf102e52dcfe63f6c0b834d6ac9487b0beec42a308ec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe
    "C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe
      C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3280
    - - C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
        
        C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2252
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo y| CACLS C:\PROGRA~2\WinApps /G Everyone:f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:1988
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~2\WinApps /G Everyone:f
        6⤵
        
        PID:1444
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\comres.exe" "comres.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:3544
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\comres.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3460
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\comres.exe" enable=yes profile=public
        5⤵
        Modifies Windows Firewall
        
        PID:5104
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\cmss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:4448
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\cmss.exe" "cmss.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:744
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\cmss.exe" enable=yes profile=public
        5⤵
        Modifies Windows Firewall
        
        PID:4556
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\PROGRA~2\WinApps\RDS.exe" "RDS.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        
        PID:4756
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\RDS.exe" enable=yes profile=public
        5⤵
        Modifies Windows Firewall
        
        PID:1276
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinApps\RDS.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:3396
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        6⤵
        
        PID:1984
      - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        6⤵
        
        PID:1888
    - - C:\PROGRA~2\WinApps\cmss.exe
        
        C:\PROGRA~2\WinApps\cmss.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4076
      - C:\Program Files (x86)\WinApps\msmsgs.exe
        
        "C:\Program Files (x86)\WinApps\msmsgs.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:2664
      - C:\Program Files (x86)\WinApps\comres.exe
        
        "C:\Program Files (x86)\WinApps\comres.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:208
      - C:\Program Files (x86)\WinApps\RDS.exe
        
        "C:\Program Files (x86)\WinApps\RDS.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5016
      - C:\PROGRA~2\WinApps\msmsgs.exe
        
        C:\PROGRA~2\WinApps\msmsgs.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4592
      - C:\PROGRA~2\WinApps\msmsgs.exe
        
        C:\PROGRA~2\WinApps\msmsgs.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:5020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\RDS.exe

Filesize
180KB

MD5
7f864e74ffb1fc642c9b46af6ec72409

SHA1
46c8f62146292efe6a138b1073c32f3fce426490

SHA256
12f78e88db35a4e05aa445bd2d884ed4d7f5ab7ef87e73b07f027944f191defb

SHA512
7f555d369659e2bf3c367684f07ff5119e6b38c846f05a99c667fa9749eb5deb96bc1a5fca6f5274695e49a95503068209c506abbd2543d35a1ecb934f634b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ass.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
4d0df8bc0bf7e8465b37908b9c06e0bd

SHA1
380d8cd584f9df6fddc85bf016767ca1b9a11b82

SHA256
831b5bbd6e27aed50b7b50534130a21fb0262b074968b1e6959c0843a7dbd698

SHA512
c390dfc2ea459ec03b87df7c64f16c9b9c1c269baee96a369ba2c532e8804029c3151ba3c7ae20073b4591af5892d33b18cdd7f4887a4a4c82fb39387c45ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst1.exe

Filesize
44KB

MD5
df3437a455a8271c47a93964e5479f0b

SHA1
053c1ef12239d10fb2a66a7a73dbdec63d031ec4

SHA256
e8ad3b07bd48e56908cc9d7a96a425d358110b1087871a358cb77b0ab5c0841f

SHA512
a225717fdc13178aee8494d7a7a3dad3444c8a5f991a9f7af602724b9fccbf7f5b43fa81b53d36bedb2942b12fa7ae6757ef6b243622e04a449e57f61cecdab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
1000KB

MD5
d9d05f12c5dbb54e2f3451cfa66c00f2

SHA1
ce1d03a6b2579a8ec62fd2fb7f21f04c2806b47b

SHA256
3d91a7277026743286d159a034dde1eded6790ce5855f6ce5b2a52ed674b0e16

SHA512
7270997ef5374c791af3a3e71b85b11d1c925479df131e65f7405bafb7f1714ce60f77451fd58095055b3ee7e60f7b93913b8f2e54095c7242179083fc80bff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\comres.exe

Filesize
196KB

MD5
979d869f691367229511803ce8fca97d

SHA1
0674b145a3962a1b81d28ef00d3ff67a3f6236fa

SHA256
6271e553e424d6901868f9d9437fa8afd72b8d21ea8c6f0f70737eeb04cb670a

SHA512
8c24a77582ce5fe9fc0c9c57e8c540e768f75895069c83fea5f091c49045c9cb5e2a96bb2c5a17d86a079fcbbd119a0bd2d4177544a58dbe2ddab82b54b0c5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\delkl.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

Filesize
1B

MD5
8f14e45fceea167a5a36dedd4bea2543

SHA1
902ba3cda1883801594b6e1b452790cc53948fda

SHA256
7902699be42c8a8e46fbbb4501726517e86b22c56a189f7625a6da49081b2451

SHA512
f05210c5b4263f0ec4c3995bdab458d81d3953f354a9109520f159db1e8800bcd45b97c56dce90a1fc27ab03e0b8a9af8673747023c406299374116d6f966981

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emdc.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfz.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfzb.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emine.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\eminu.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emon.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emoo.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftde.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ften.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftin.dll

Filesize
2B

MD5
6f4922f45568161a8cdf4ad2299f6d23

SHA1
9e6a55b6b4563e652a23be9d623ca5055c356940

SHA256
4ec9599fc203d176a301536c2e091a19bc852759b255bd6818810a42c5fed14a

SHA512
f107ba2da059fa640eccb9533e859a6435f6b83aa2e0636a47444dfdcde33a6e1f3cc1c9437bcfd42675af265a0d0b9d66c86c9e66347aa41534204745e41fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll

Filesize
12B

MD5
65ae869c42d1fa5b9551fe15f4f12be0

SHA1
9ace597cebaa22e0cf310ccb0ef9f149c6fb3641

SHA256
4a4558dde9376a1f613111081182398fadcc83008d3605b981f82fbb2f19cea8

SHA512
8c13eae61c8c2185036ae2c226393c9c862d4ba3e6faee11b18aaaa0ff572e46fcdb93fcd94f6b54672dd820df1c6570f2c58e18c4f407b6ce40ed43cebab959

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll

Filesize
10B

MD5
98c56301a60666b2f4c3d534c21d402a

SHA1
1ff46c8843a886ab491e0959101abd2e65c8685a

SHA256
12ba9ef47014071e6b149ad937c7fb5196b5d7f5bae2b520cb7a916e5ebc0584

SHA512
61865e80d23f3a7f59e7d42076bfd38eb9f6697aa2255f1a9d2f9e5c26af3c00cf0fd9e10faea8cb75c76d2f3b62fdd10f6091b7dfc01a44f366c76e60666111

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftsv.dll

Filesize
15B

MD5
c5cda75f24225cca73e5bff31a1080bf

SHA1
ceba46c46187407b8367ec66b248517203eea6ee

SHA256
49314380caae717c1dd34b07b4ca47ed3b4cd53ed0f95f80fc35b8e337dd9450

SHA512
01caf83f9fb83f4e1aac29fb782d417a686cba7457c60dfe8bc29a7032a71d5573b4b0c654da5420fbc395e2bc21d0d1b10b6336d913e6de3968f34519cb0184

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\fttx.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftus.dll

Filesize
8B

MD5
433815f0665e5ad4355dfc0df4f1228f

SHA1
2aa4c78660471af463a77946783edf09158eb3bd

SHA256
5e9f8f7ab5429cc589b5c41dcff6ad83ddd8235b7ecd2576fb46e6b7b23317fe

SHA512
a5911e33fb59f963646bbee8fb94313c2dc11afd149e429729bf0e52f815d8a480869002155348f2c4d41f449e0bfab8dae9dcfd94cacb7f6884bb10cfbff696

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

Filesize
40B

MD5
62158ca606dfd1b74f03b03f43e597c4

SHA1
f91a0aaaa72c124282fd28dbd9326072f789f19f

SHA256
4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

SHA512
389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inter.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inuser.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

Filesize
16B

MD5
850ef2569cad0612b4e2180f45428a80

SHA1
4f1133590e98a1be80bcc5604d9a982c52f627cf

SHA256
85fda0b7ca19d9f836076c421de754503f7c1867ab56e58691901ce2d7f7f1e6

SHA512
1638a4f01ac56cc660acc123f68eb4161fbff770e26cdf378371f35d51f6eafb1eda963dcb7ec15b00f9b3c013e458fa9fe18f42fa3b490af5e8480e92126bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mailkl.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mailsc.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\msmsgs.exe

Filesize
164KB

MD5
03f8efe9796bb03ec9ed971d56d4397f

SHA1
d8afa680786981186f8f0a81acab16eeea00eee4

SHA256
010a729a55ab6285a8b7daecb4052df92aad0d7366432093e847e3ed8a9fb4d6

SHA512
895c70b359a09bd793cc0a8349135a8ebe9bf174af154cbde57e29d78da09c8ae320a5adf51af410bd176c5183b1e17515d85d46b522a897bebd648a4aa66e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ntfsv.dll

Filesize
176KB

MD5
a0ce0247d48fecaac607edb1e2d87fd8

SHA1
346bf586bdf6ae4181c685fa74adf4524328d469

SHA256
5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

SHA512
38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\oem.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

Filesize
3B

MD5
13f3cf8c531952d72e5847c4183e6910

SHA1
ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

SHA256
6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

SHA512
c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

Filesize
26B

MD5
d44cabf1793adb0d348374be9ed1adf7

SHA1
f3edf7f5d35d10715220f7556f0c03ab1a1a8d34

SHA256
d0a84b18a92aa9182b66f66b3f53bee77ec64f7bc55318befd0f25ec4fd5db12

SHA512
9b4e23ec769e187594dae7857f0e14e38bad99314b6fd48cac7462a636ac9984be1b124ef88e9d9c38e648816f9ce9b091e5eaa6e42e7fad0e7f26c570439e42

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

Filesize
6B

MD5
c34986dbebf6fc39721449a9b7053a0f

SHA1
d48465af6c32fdb8829d8e8931b6b5bf12307340

SHA256
7860808354d1b5c502b6aaa9d1277af2bc9f7bf2bdde2f5e4337f1a9952294a1

SHA512
d5376c89afab277a912fd00235a3e1b2df1525beb2c96d38ed054ebf891ae2fdc0b28c0271a70913dadc15b05a8b447818ed38c60f27d8cd7ba4fa344eb46924

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rmdesk.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwce.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwci.dll

Filesize
4B

MD5
e93028bdc1aacdfb3687181f2031765d

SHA1
7507d41ecbd162a0d6dfdaaa9988a91184351735

SHA256
a176eeb31e601c3877c87c2843a2f584968975269e369d5c86788b4c2f92d2a2

SHA512
5d2951e35a8e507db30cab1ed234ba19c083b235465029b1b25ebe3a2e50ab544413e2576d168326cb7fe927e0f75ca16964f5a8b7940cecdcb637d17fb5edde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwcs.dll

Filesize
3B

MD5
f899139df5e1059396431415e770c6dd

SHA1
310b86e0b62b828562fc91c7be5380a992b2786a

SHA256
ad57366865126e55649ecb23ae1d48887544976efea46a48eb5d85a6eeb4d306

SHA512
643c30f73a3017050b287794fc8c5bb9ab06b9ce38a1fc58df402a8b66ff58f69bf0a606ae17585352a0306f0e9752de8c5c064aed7003f52808b43ff992a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sccle.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scday.dll

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scen.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scint2.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

Filesize
36B

MD5
0af629b1df207fd25f221a50059140a5

SHA1
1bdf9311af713c98ef038fcf89ee678884e8fb3d

SHA256
5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

SHA512
7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\seek.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\seekil.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sid2.dll

Filesize
12B

MD5
fb303d350350b380601955ca494f1e01

SHA1
8e6c9921d6e8a3f5f40beb62db38519249ac4ed8

SHA256
681266cf131ec21fb9ab413e57673573c48fe0b99c4031f2d28ef4354b9f8ca3

SHA512
a1037f31ddd3a3ca9ce563fd6f12134ab4695357e8d6f099637729f466d7c4f8bebbed2d4ac77bce4d13dd17b4b563573ee640e16897ffccfecd0b75940d59b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll

Filesize
5B

MD5
cff42d769fc6a027224a1a20c4ab567a

SHA1
c716084845f60944f0ccfd3046e9665113c093b0

SHA256
e7b0c01604266fd889ba808bb54be0932fabdbae6c8347ed940b81c0a6a89e66

SHA512
debad827c84f0748c81247ba49bf7600c02f35892f396f6ce8e07c5ecc5af5ef624bf618c52563cb5a6c83d105a057b5b71892b8fad0e89424e6258ff2a311fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

Filesize
7B

MD5
c3eef34d092ed60c3b2791814511903a

SHA1
815f979888d7a7d3cb622eee67d445c0fc94469b

SHA256
6bd1454e4848ba9ec48363db5afdc51f2a67b2e87bf7478b681cda2df245779a

SHA512
519b141185f3b4dcaf0990844aa125a23caa552d347fa69972ecf565b08b82d6b0fad321ebc0bbacca06b36fa603f4d8bd080a5a9b760e4405199b57082190ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\unin.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\update.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll

Filesize
11B

MD5
bb0cbd251c5c5374dde2674ba08a227f

SHA1
aa1f622d3a8c20c5f3e524c39ec621ed089f96ba

SHA256
e8cf2acd7a0c3650f6a53808b9919f5fc80d85e608484287ffadb4a6b64f6234

SHA512
79b860f1d211c5db2fe0fe7d2d75fc14a06f989e2dbda2acc174ff15eeff43d69922ca80489ce8a1d1e7f5a436200831015e43107160f5f4d5b9a6cf9046970b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\weben.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

Filesize
396KB

MD5
c9c35b256d707aefd361a753627f229c

SHA1
db925a03ad02a17ba23dc656242f8e8c3bd2405f

SHA256
60f0960913b465b877264d0c546cab6bdb342f1dd98c76b873458d49f7f29324

SHA512
6f0aa139691e638290d5b9aadb5b0ea2a2988eed180318636a81ad7ff692ffb29698fac27a5c2628f8b05cec7506a5346e3a2d1b30d3d141933b9fd8bb2eb45e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC7385.tmp

Filesize
157KB

MD5
fbd929bfc7b4a9e4fa4506655bab4c4a

SHA1
b4df84de80729a04ed90dc976a3e730a568f24f8

SHA256
adf8dea5d36b58cf621e2bb0c4549f94e0919308dd7cc1215d942417c45e54a4

SHA512
b310e79848dc2a3c6a4524e0b120e2e3dd73ecb6852c65a9eec368045f7bab0b141210726476dd3cb0c1d9008e1f34149f35c03a0156a9eef7d4a7fbc61ea1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK74FD.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK74FD.tmp

Filesize
30KB

MD5
3df61e5730883b2d338addd7acbe4bc4

SHA1
03166e6230231e7e3583cf9c8944f4967aa1bf1b

SHA256
2efe9a54c8eb878711d9b6cd18f276838645aff52fe69d8a864376cb258ec616

SHA512
36e9d705d22dad3d952b4da578a990f2b63ec2f9fbf2734efdaea9ecbd4f07a8d7232792eb5bdd81c553354d51334993cb6103c377f3483a680eac9e41cd2087

Download Submit
C:\Windows\SysWOW64\ieobject.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\ieobject.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
memory/2252-170-0x0000000003FC1000-0x0000000003FC3000-memory.dmp

Filesize
8KB

Download