79e78014418ba8a3c83882a53a06b0b2db7f20b4ab27975d43b5ad4d28cda67f

Analysis

max time kernel
152s
max time network
157s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/01/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddbad2e1f50a0d173a29e4ece6ea69d.exe
Size

360KB
MD5

7ddbad2e1f50a0d173a29e4ece6ea69d
SHA1

f5ce5f49647b2caeb2c084f295a931485bb19429
SHA256

79e78014418ba8a3c83882a53a06b0b2db7f20b4ab27975d43b5ad4d28cda67f
SHA512

c677fa122aeff2d56845ccbe3eaf82237bd61a03c158363f83b72e04fea9146533418edccb67a0bf2f4f5af5ec7761fae3d3770e4392d0ce0bdcb675921e38f2
SSDEEP

6144:3Qsc2OoOm21M8U3ttWeRn6XvVaxx6N/kP/5Y/3bzAakyNfDJm:3xPNyi3EfOxv5YP3rlNfDI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
2720	clipsrv.exe
2620	combine.exe
1572	cmss.exe
1500	live.exe
2476	services32.exe
1548	RDS.exe
1812	live.exe
2380	live.exe
948	live.exe

Loads dropped DLL 50 IoCs

pid	Process
2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe
2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe
2720	clipsrv.exe
2720	clipsrv.exe
2720	clipsrv.exe
2720	clipsrv.exe
2720	clipsrv.exe
2620	combine.exe
2620	combine.exe
2620	combine.exe
2720	clipsrv.exe
2720	clipsrv.exe
2720	clipsrv.exe
2720	clipsrv.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1500	live.exe
1500	live.exe
1500	live.exe
1572	cmss.exe
1572	cmss.exe
2476	services32.exe
2476	services32.exe
2476	services32.exe
2476	services32.exe
1572	cmss.exe
1572	cmss.exe
1548	RDS.exe
1548	RDS.exe
1548	RDS.exe
1548	RDS.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1812	live.exe
1812	live.exe
1812	live.exe
1572	cmss.exe
1572	cmss.exe
2380	live.exe
2380	live.exe
2380	live.exe
1572	cmss.exe
1572	cmss.exe
948	live.exe
948	live.exe
948	live.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemControler = "C:\\PROGRA~2\\SATACO~1\\cmss.exe"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\PROGRA~2\\SATACO~1\\cmss.exe"	cmss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	whatismyip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	clipsrv.exe

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SataControl\RDS.exe	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\28 Jan 24 19_53_55 Admin .tcm	cmss.exe
File created	C:\Program Files (x86)\SataControl\live.exe	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\LostStolenPC.txt	cmss.exe
File created	C:\Program Files (x86)\SataControl\services32.exe	clipsrv.exe
File created	C:\Program Files (x86)\SataControl\cmss.exe	clipsrv.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\PC_Active_Time.txt	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	cmss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\netcox.exe	clipsrv.exe
File created	C:\Windows\refsdm.dll	clipsrv.exe
File created	C:\Windows\hpvert.dll	clipsrv.exe
File opened for modification	C:\Windows\hpvert.dll	clipsrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cmss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmss.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1712	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\Version = "1.1"	live.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\TypeLib\ = "{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}"	live.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	live.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	cmss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cmss.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	cmss.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe
1572	cmss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	live.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2720	clipsrv.exe
2620	combine.exe
1572	cmss.exe
1500	live.exe
2476	services32.exe
1500	live.exe
1548	RDS.exe
1812	live.exe
2380	live.exe
1812	live.exe
948	live.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2168 wrote to memory of 2720	2168	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	28
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2620	2720	clipsrv.exe	29
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2720 wrote to memory of 2332	2720	clipsrv.exe	30
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2332 wrote to memory of 852	2332	cmd.exe	32
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2720 wrote to memory of 1684	2720	clipsrv.exe	35
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 2332 wrote to memory of 528	2332	cmd.exe	33
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 536	1684	cmd.exe	36
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 1684 wrote to memory of 320	1684	cmd.exe	37
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 2720 wrote to memory of 1572	2720	clipsrv.exe	38
PID 1572 wrote to memory of 1500	1572	cmss.exe	39

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\7ddbad2e1f50a0d173a29e4ece6ea69d.exe
  "C:\Users\Admin\AppData\Local\Temp\7ddbad2e1f50a0d173a29e4ece6ea69d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe
    "C:\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~2\SATACO~1 /G Everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:852
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~2\SATACO~1 /G Everyone:f
        5⤵
        
        PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:536
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        5⤵
        
        PID:320
  - - C:\PROGRA~2\SATACO~1\cmss.exe
      C:\PROGRA~2\SATACO~1\cmss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Checks processor information in registry
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Program Files (x86)\SataControl\live.exe
        
        "C:\Program Files (x86)\SataControl\live.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1500
    - - C:\Program Files (x86)\SataControl\services32.exe
        
        "C:\Program Files (x86)\SataControl\services32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2476
    - - C:\Program Files (x86)\SataControl\RDS.exe
        
        "C:\Program Files (x86)\SataControl\RDS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:1548
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:1812
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2380
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:948
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Accessories\Common\Chat_log.txt

Filesize
248B

MD5
e92006e34ed89daef309f55c8c617637

SHA1
7ab7459289e5138916f94bb93b9b3f2cc1426354

SHA256
1d3e7e5a4fd1d4ae560fd079f9e13c9bd08a270a1cf01b5a8e074292ee57248b

SHA512
8b31f91198dff63e5634d37cf7998df1d97d741cbf31d938e1c3b931e5cb99cbdd1434fe359ab3e22c737bbc1824e00db696f39e2e099705ab5a53147aa8f90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4971.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\RDS.exe

Filesize
104KB

MD5
052fd6bae4ba35be16ed8bc0a08a893f

SHA1
b113ce8d4a750cf6456c57e1dfb0391999ddebf0

SHA256
4ccb55c823cacae9ec532b05a74b0fc4867c2a47f24cc36529e108276420427e

SHA512
ced575141d70d7bfa9f7b72c76a62eb3550202ecf31015a8a2413b44bafe4a95e47532e477593712b46e3286c27ee273c9d5bc915816087183599c60d15cf790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
44KB

MD5
8b25189725446cbdf5d573e53ca6ffe8

SHA1
d2e89b7a6f352887a5dd8c923949e0bbf82944d7

SHA256
27ba6478d1d92132044955a97f26bfe9e2750b6a595436fac81b72bde03831f9

SHA512
dc1f03096ac22555ed9c41859ddc49cebd600914fe07b3fea05a11f8f826b7fea585c79c73fd8d2a087be0057563a4c5732ddf68c18758b341f010d8143cf456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfzb.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\eminu.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftin.dll

Filesize
2B

MD5
d3d9446802a44259755d38e6d163e820

SHA1
b1d5781111d84f7b3fe45a0852e59758cd7a87e5

SHA256
4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5

SHA512
3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll

Filesize
27B

MD5
759b992d02650723e5969d7956b32a6e

SHA1
26e38e31580beb28ff010a6e678c5b74018a5432

SHA256
4f039cc3b6ba0cc69a8a751d82a0ae4046ca39c5b3669d9e50f82a002eade4f8

SHA512
7c3dee5f17617d527d5d8533af6f69a9b1879f3e35c55cd87c717518b86dbe30f9ee65cf25c42695eb5128405a2434ac29c7291fab70b412ec9cd434e22323f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll

Filesize
2B

MD5
05ab88fb98453f3a811b785145662131

SHA1
93ac8946882128457cd9e283b30ca851945e6690

SHA256
76a71fbef8a8339fcbcaff8c9aadfb85c834bc3cc0c07069a5ebb2eea3d90d68

SHA512
ad40c2c7c7aee848934e415d0156ba6069e44436e67f438d3c654c16c53491c4596b19e021fa0aed91dc1e9ed7f95d1ef7b4f60cf38bed7d4fd1e7810a5b4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\hpvert.dll

Filesize
176KB

MD5
a0ce0247d48fecaac607edb1e2d87fd8

SHA1
346bf586bdf6ae4181c685fa74adf4524328d469

SHA256
5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

SHA512
38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

Filesize
40B

MD5
62158ca606dfd1b74f03b03f43e597c4

SHA1
f91a0aaaa72c124282fd28dbd9326072f789f19f

SHA256
4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

SHA512
389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\live.exe

Filesize
104KB

MD5
2715c22e452203f8024a43e59058df59

SHA1
4648001204d4d2e9c29f708d1bbdbd1e6b6009a6

SHA256
8ee198ffd91d86dd67cf66340f848707e239659954b26f377da7d66eb8900f75

SHA512
2086bb056583e874946a33d8bb808432bdf7746c039ea3c3109a6419967ffdd7f2efa09a56b73401294e1e1007c1f463f76e7c68b0219a1e12e22498a0ab3cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

Filesize
17B

MD5
10c5258fd99e64b1098b0b2654766aea

SHA1
45e34e7b6f9f6d6bd5feb27228cbe2e0e14b2d67

SHA256
d5dce3b5a174501aa40e594d55dc5a05904f8ecc2686f0a3b51256db1fcd1d61

SHA512
2eb31445e3fb47e3f8cbd7e8bccf9df016d9fb399672b9392b10c5639db17a3c8ed7b69b45a8e5ee1600b6ecbe668f4a429e2748147d786a4d01f1b17f4d6935

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\oem.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

Filesize
3B

MD5
13f3cf8c531952d72e5847c4183e6910

SHA1
ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

SHA256
6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

SHA512
c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

Filesize
26B

MD5
1f1c74663b07c128d4433547b50555e8

SHA1
bc63ef61188945abf83e7485da38c4a1f059bdbc

SHA256
81d29e5d9215bddefc3b9af2947f64b18239351691e3432abbcd944453ebd688

SHA512
f301325b15432285d4fe3377ed3c807c3c4b86095074d05352b7d543e98d7e19b2b4d765956a08ceee4c7b8eb584660e2e502b34d0613079298aa3cee0ba4940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

Filesize
5B

MD5
73acd9a5972130b75066c82595a1fae3

SHA1
b521caa6e1db82e5a01c924a419870cb72b81635

SHA256
835d6dc88b708bc646d6db82c853ef4182fabbd4a8de59c213f2b5ab3ae7d9be

SHA512
238b90e6e2382ddafadc35266b2fa9a371fb3962b675ccab1b5538321f469070d0f3762f29b21ac7ad772eb6bd299d09f8e75d38ed8b7067965d5d5f26ebc3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

Filesize
36B

MD5
0af629b1df207fd25f221a50059140a5

SHA1
1bdf9311af713c98ef038fcf89ee678884e8fb3d

SHA256
5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

SHA512
7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\services32.exe

Filesize
168KB

MD5
320d5faf8c35c0b73dcdbe3c9b239e26

SHA1
77d4a31e99ee2cfc86e962997452c8dc4501806a

SHA256
935de86dc436cc5a1494356f1eb83219f6b66b5829d456ea00dd0699d541d9cb

SHA512
af152f6982f9cec85429bddc6e528bad733fb9d587c01eba9f29160b82b6d798c98a0be8a1c8a5b06fc17a044492522d6dde814dfd8a4682028a3db4f3d21dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sid2.dll

Filesize
12B

MD5
b415616b1824c2bd2b01cca0a8595ed5

SHA1
00b16a0c19c9cb12a069db1b03b47f884f335b36

SHA256
337b301dd57998ebe840a491131abfd399f73466fadfe9e532d60e4aff848e08

SHA512
ecc522268e3963f9ad9646f97e448cf682b01eb3799c92f4c1f547ebcc59f8fc1a0c90b0c714c9a679fb171c3b1350bc049491ad19ec4236601a5bacfa711413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll

Filesize
7B

MD5
138fbe5e909dfd0d97184bd702df78fa

SHA1
a4154f00e68887eeae79e1e36ebe99c630f82ebc

SHA256
80b7010a14d435b781ff99d5858b05e149f72af21e23ea460d188646a3075362

SHA512
045d767c9354661b446eae957d91afda34af1b56f02ee174cf316e874639dc28e79961c98eba3657644c7f2472672e495476cd3470d311166f18ca91c3ddd3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

Filesize
7B

MD5
c3eef34d092ed60c3b2791814511903a

SHA1
815f979888d7a7d3cb622eee67d445c0fc94469b

SHA256
6bd1454e4848ba9ec48363db5afdc51f2a67b2e87bf7478b681cda2df245779a

SHA512
519b141185f3b4dcaf0990844aa125a23caa552d347fa69972ecf565b08b82d6b0fad321ebc0bbacca06b36fa603f4d8bd080a5a9b760e4405199b57082190ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\unir.exe

Filesize
40KB

MD5
06fd6337b5dfafe722a6bc22f40f9963

SHA1
0b3ab7a3ad5708aef4d4a534f9457c3e5247aaa2

SHA256
a59ab9930d06dad4bfe8aa3e2197ad249365c11832c28beba7cbc78d7ddd2798

SHA512
87eccb5783727e40e068917f237a8c0ebe6b4cd270821abb88b01dfaf4feda1dd45eb3924f22b69132121ab27d4ef8f8959a910b990ae83655ed6783388d903e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll

Filesize
7B

MD5
e61bc88138e5338ce33b982e7883b072

SHA1
da48abd4bc7fff393bd4d4a2f64dcca8042b885f

SHA256
57b3b38b5b7caa625b63d159a8d13aa007538029eabbd4b76ed9f5a4cad52af8

SHA512
715eae1ebeeec12feaeb93d169504f6e3e6ca2271795800d1bae1db0c27d7dab1766bf935ab27f7aedb438a787ef8132ab3363554ec4be8b4c872c310b14a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

Filesize
220KB

MD5
aa4dc525e925cad7b3faa38e9e4662e5

SHA1
006ebdb4bd8d0f411235562c5632b5d98dc12a6b

SHA256
094e86922d81eb8d0a6f3e18f486541aab071a091de3561922d838cdd65140cf

SHA512
38c6a6348afad9f254575c733fdc75877b550d23f441895cebf050499787acef38c0ec845391f3f3869b32ee966aecbbebee4033e5167bae4a09fe018181a40b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar49A3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe

Filesize
128KB

MD5
e914ed28794547ec3d60672103cec178

SHA1
c8b9c9e010543209782131412f073dbca3e10c30

SHA256
88bcda4bea0bd0b8a5a37dd0137f776e2e3f96787a55a77e3677c9132c3511d0

SHA512
175cf7614a072e266fa7b78169a2d606c3c3053757a58467d70904ce56ccb25b1f781dac144a1fe8f5f87e46b38c6e460445fd33eb3aa6f5e318ff4468e62a99

Download Submit
memory/1212-185-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download
memory/1212-188-0x0000000002920000-0x0000000002921000-memory.dmp

Filesize
4KB

Download