79e78014418ba8a3c83882a53a06b0b2db7f20b4ab27975d43b5ad4d28cda67f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2024, 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7ddbad2e1f50a0d173a29e4ece6ea69d.exe
Size

360KB
MD5

7ddbad2e1f50a0d173a29e4ece6ea69d
SHA1

f5ce5f49647b2caeb2c084f295a931485bb19429
SHA256

79e78014418ba8a3c83882a53a06b0b2db7f20b4ab27975d43b5ad4d28cda67f
SHA512

c677fa122aeff2d56845ccbe3eaf82237bd61a03c158363f83b72e04fea9146533418edccb67a0bf2f4f5af5ec7761fae3d3770e4392d0ce0bdcb675921e38f2
SSDEEP

6144:3Qsc2OoOm21M8U3ttWeRn6XvVaxx6N/kP/5Y/3bzAakyNfDJm:3xPNyi3EfOxv5YP3rlNfDI

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 9 IoCs

pid	Process
4732	clipsrv.exe
2384	combine.exe
4904	cmss.exe
4620	live.exe
952	services32.exe
2076	RDS.exe
316	live.exe
4868	live.exe
3084	live.exe

Loads dropped DLL 6 IoCs

pid	Process
4732	clipsrv.exe
4732	clipsrv.exe
952	services32.exe
2076	RDS.exe
4904	cmss.exe
4904	cmss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemControler = "C:\\PROGRA~2\\SATACO~1\\cmss.exe"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\PROGRA~2\\SATACO~1\\cmss.exe"	cmss.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	whatismyip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSWINSCK.OCX	clipsrv.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\SataControl\live.exe	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File created	C:\Program Files (x86)\SataControl\services32.exe	clipsrv.exe
File created	C:\Program Files (x86)\SataControl\RDS.exe	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\LostStolenPC.txt	cmss.exe
File opened for modification	C:\Program Files (x86)\SataControl\services32.exe	clipsrv.exe
File created	C:\Program Files (x86)\SataControl\cmss.exe	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common	clipsrv.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	clipsrv.exe
File opened for modification	C:\Program Files\Accessories\Common\PC_Active_Time.txt	cmss.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	live.exe
File opened for modification	C:\Program Files\Accessories\Common\28 Jan 24 19_53_47 Admin .tcm	cmss.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\netcox.exe	clipsrv.exe
File created	C:\Windows\refsdm.dll	clipsrv.exe
File created	C:\Windows\hpvert.dll	clipsrv.exe
File opened for modification	C:\Windows\hpvert.dll	clipsrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	cmss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmss.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1812	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	clipsrv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	clipsrv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	clipsrv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	clipsrv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe
4904	cmss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
316	live.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
4732	clipsrv.exe
2384	combine.exe
4904	cmss.exe
4620	live.exe
952	services32.exe
2076	RDS.exe
316	live.exe
4868	live.exe
316	live.exe
3084	live.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4732	4928	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	84
PID 4928 wrote to memory of 4732	4928	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	84
PID 4928 wrote to memory of 4732	4928	7ddbad2e1f50a0d173a29e4ece6ea69d.exe	84
PID 4732 wrote to memory of 2384	4732	clipsrv.exe	85
PID 4732 wrote to memory of 2384	4732	clipsrv.exe	85
PID 4732 wrote to memory of 2384	4732	clipsrv.exe	85
PID 4732 wrote to memory of 4784	4732	clipsrv.exe	86
PID 4732 wrote to memory of 4784	4732	clipsrv.exe	86
PID 4732 wrote to memory of 4784	4732	clipsrv.exe	86
PID 4784 wrote to memory of 4520	4784	cmd.exe	88
PID 4784 wrote to memory of 4520	4784	cmd.exe	88
PID 4784 wrote to memory of 4520	4784	cmd.exe	88
PID 4784 wrote to memory of 5032	4784	cmd.exe	89
PID 4784 wrote to memory of 5032	4784	cmd.exe	89
PID 4784 wrote to memory of 5032	4784	cmd.exe	89
PID 4732 wrote to memory of 1940	4732	clipsrv.exe	90
PID 4732 wrote to memory of 1940	4732	clipsrv.exe	90
PID 4732 wrote to memory of 1940	4732	clipsrv.exe	90
PID 1940 wrote to memory of 4764	1940	cmd.exe	92
PID 1940 wrote to memory of 4764	1940	cmd.exe	92
PID 1940 wrote to memory of 4764	1940	cmd.exe	92
PID 1940 wrote to memory of 4840	1940	cmd.exe	93
PID 1940 wrote to memory of 4840	1940	cmd.exe	93
PID 1940 wrote to memory of 4840	1940	cmd.exe	93
PID 4732 wrote to memory of 4904	4732	clipsrv.exe	94
PID 4732 wrote to memory of 4904	4732	clipsrv.exe	94
PID 4732 wrote to memory of 4904	4732	clipsrv.exe	94
PID 4904 wrote to memory of 4620	4904	cmss.exe	95
PID 4904 wrote to memory of 4620	4904	cmss.exe	95
PID 4904 wrote to memory of 4620	4904	cmss.exe	95
PID 4904 wrote to memory of 952	4904	cmss.exe	96
PID 4904 wrote to memory of 952	4904	cmss.exe	96
PID 4904 wrote to memory of 952	4904	cmss.exe	96
PID 4904 wrote to memory of 2076	4904	cmss.exe	97
PID 4904 wrote to memory of 2076	4904	cmss.exe	97
PID 4904 wrote to memory of 2076	4904	cmss.exe	97
PID 4904 wrote to memory of 316	4904	cmss.exe	106
PID 4904 wrote to memory of 316	4904	cmss.exe	106
PID 4904 wrote to memory of 316	4904	cmss.exe	106
PID 4904 wrote to memory of 4868	4904	cmss.exe	107
PID 4904 wrote to memory of 4868	4904	cmss.exe	107
PID 4904 wrote to memory of 4868	4904	cmss.exe	107
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 4904 wrote to memory of 3084	4904	cmss.exe	108
PID 4904 wrote to memory of 3084	4904	cmss.exe	108
PID 4904 wrote to memory of 3084	4904	cmss.exe	108
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43
PID 316 wrote to memory of 3440	316	live.exe	43

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3440
- C:\Users\Admin\AppData\Local\Temp\7ddbad2e1f50a0d173a29e4ece6ea69d.exe
  "C:\Users\Admin\AppData\Local\Temp\7ddbad2e1f50a0d173a29e4ece6ea69d.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe
    "C:\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4732
  - - C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~2\SATACO~1 /G Everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4520
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~2\SATACO~1 /G Everyone:f
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        
        PID:4764
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        5⤵
        
        PID:4840
  - - C:\PROGRA~2\SATACO~1\cmss.exe
      C:\PROGRA~2\SATACO~1\cmss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Program Files directory
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4904
    - - C:\Program Files (x86)\SataControl\live.exe
        
        "C:\Program Files (x86)\SataControl\live.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of SetWindowsHookEx
        
        PID:4620
    - - C:\Program Files (x86)\SataControl\services32.exe
        
        "C:\Program Files (x86)\SataControl\services32.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:952
    - - C:\Program Files (x86)\SataControl\RDS.exe
        
        "C:\Program Files (x86)\SataControl\RDS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetWindowsHookEx
        
        PID:2076
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:316
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4868
    - - C:\PROGRA~2\SATACO~1\live.exe
        
        C:\PROGRA~2\SATACO~1\live.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3084
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig
        5⤵
        Gathers network information
        
        PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Accessories\Common\Chat_log.txt

Filesize
248B

MD5
5b9e72de242c9d92f958105f054e2ae9

SHA1
bcae8eadc83c2119d23689ec45e5a305612f762a

SHA256
fc2098233c7d2e3f351dc2223986b50676951c14c062d1947410fff612369d86

SHA512
a5624bebac082f3e69f22f1962c8e3c3f601304e591fef795e2d6db448e65812a30c26b2411899f494828e1c32fe206dcb65ad7e0c27c9ff2e16ca1c8595a633

Download Submit
C:\Program Files\Accessories\Common\PC_Active_Time.txt

Filesize
319B

MD5
3df05b90a29e309da55ee46153b8b84a

SHA1
f30533c95605cbac17a00c5783d31794ee5d8282

SHA256
a5b77c2eebe8955e0e65701d92db0c1da5219ac38d61663727a2c0ef7dbee4fd

SHA512
2f5f0106e24350d403f852f676e85502b57059131c081f18aeba54eed511cad463a56405f3da28cd2bd45a059cf8a833cb797db9e2d8ad4682eea95f9dc59aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

Filesize
106KB

MD5
3d8fd62d17a44221e07d5c535950449b

SHA1
6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

SHA256
eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

SHA512
501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\RDS.exe

Filesize
104KB

MD5
052fd6bae4ba35be16ed8bc0a08a893f

SHA1
b113ce8d4a750cf6456c57e1dfb0391999ddebf0

SHA256
4ccb55c823cacae9ec532b05a74b0fc4867c2a47f24cc36529e108276420427e

SHA512
ced575141d70d7bfa9f7b72c76a62eb3550202ecf31015a8a2413b44bafe4a95e47532e477593712b46e3286c27ee273c9d5bc915816087183599c60d15cf790

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\clipsrv.exe

Filesize
128KB

MD5
e914ed28794547ec3d60672103cec178

SHA1
c8b9c9e010543209782131412f073dbca3e10c30

SHA256
88bcda4bea0bd0b8a5a37dd0137f776e2e3f96787a55a77e3677c9132c3511d0

SHA512
175cf7614a072e266fa7b78169a2d606c3c3053757a58467d70904ce56ccb25b1f781dac144a1fe8f5f87e46b38c6e460445fd33eb3aa6f5e318ff4468e62a99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\combine.exe

Filesize
44KB

MD5
8b25189725446cbdf5d573e53ca6ffe8

SHA1
d2e89b7a6f352887a5dd8c923949e0bbf82944d7

SHA256
27ba6478d1d92132044955a97f26bfe9e2750b6a595436fac81b72bde03831f9

SHA512
dc1f03096ac22555ed9c41859ddc49cebd600914fe07b3fea05a11f8f826b7fea585c79c73fd8d2a087be0057563a4c5732ddf68c18758b341f010d8143cf456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfzb.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\eminu.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftin.dll

Filesize
2B

MD5
d3d9446802a44259755d38e6d163e820

SHA1
b1d5781111d84f7b3fe45a0852e59758cd7a87e5

SHA256
4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5

SHA512
3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll

Filesize
27B

MD5
759b992d02650723e5969d7956b32a6e

SHA1
26e38e31580beb28ff010a6e678c5b74018a5432

SHA256
4f039cc3b6ba0cc69a8a751d82a0ae4046ca39c5b3669d9e50f82a002eade4f8

SHA512
7c3dee5f17617d527d5d8533af6f69a9b1879f3e35c55cd87c717518b86dbe30f9ee65cf25c42695eb5128405a2434ac29c7291fab70b412ec9cd434e22323f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll

Filesize
2B

MD5
05ab88fb98453f3a811b785145662131

SHA1
93ac8946882128457cd9e283b30ca851945e6690

SHA256
76a71fbef8a8339fcbcaff8c9aadfb85c834bc3cc0c07069a5ebb2eea3d90d68

SHA512
ad40c2c7c7aee848934e415d0156ba6069e44436e67f438d3c654c16c53491c4596b19e021fa0aed91dc1e9ed7f95d1ef7b4f60cf38bed7d4fd1e7810a5b4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\hpvert.dll

Filesize
176KB

MD5
a0ce0247d48fecaac607edb1e2d87fd8

SHA1
346bf586bdf6ae4181c685fa74adf4524328d469

SHA256
5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

SHA512
38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

Filesize
40B

MD5
62158ca606dfd1b74f03b03f43e597c4

SHA1
f91a0aaaa72c124282fd28dbd9326072f789f19f

SHA256
4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

SHA512
389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\live.exe

Filesize
104KB

MD5
2715c22e452203f8024a43e59058df59

SHA1
4648001204d4d2e9c29f708d1bbdbd1e6b6009a6

SHA256
8ee198ffd91d86dd67cf66340f848707e239659954b26f377da7d66eb8900f75

SHA512
2086bb056583e874946a33d8bb808432bdf7746c039ea3c3109a6419967ffdd7f2efa09a56b73401294e1e1007c1f463f76e7c68b0219a1e12e22498a0ab3cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

Filesize
17B

MD5
10c5258fd99e64b1098b0b2654766aea

SHA1
45e34e7b6f9f6d6bd5feb27228cbe2e0e14b2d67

SHA256
d5dce3b5a174501aa40e594d55dc5a05904f8ecc2686f0a3b51256db1fcd1d61

SHA512
2eb31445e3fb47e3f8cbd7e8bccf9df016d9fb399672b9392b10c5639db17a3c8ed7b69b45a8e5ee1600b6ecbe668f4a429e2748147d786a4d01f1b17f4d6935

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\oem.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

Filesize
3B

MD5
13f3cf8c531952d72e5847c4183e6910

SHA1
ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

SHA256
6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

SHA512
c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\pwhost.dll

Filesize
4B

MD5
334c4a4c42fdb79d7ebc3e73b517e6f8

SHA1
71f8e7976e4cbc4561c9d62fb283e7f788202acb

SHA256
140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe

SHA512
ab93a9e95d70edb06025511cea4e2b8047fb7e1deaf7244fc0d3edf5e7cb57d8fb7b951bdeb3c6b552714878749eb19b9103e64a83635e8885c7d3e1d0fc5649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

Filesize
26B

MD5
1f1c74663b07c128d4433547b50555e8

SHA1
bc63ef61188945abf83e7485da38c4a1f059bdbc

SHA256
81d29e5d9215bddefc3b9af2947f64b18239351691e3432abbcd944453ebd688

SHA512
f301325b15432285d4fe3377ed3c807c3c4b86095074d05352b7d543e98d7e19b2b4d765956a08ceee4c7b8eb584660e2e502b34d0613079298aa3cee0ba4940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

Filesize
5B

MD5
73acd9a5972130b75066c82595a1fae3

SHA1
b521caa6e1db82e5a01c924a419870cb72b81635

SHA256
835d6dc88b708bc646d6db82c853ef4182fabbd4a8de59c213f2b5ab3ae7d9be

SHA512
238b90e6e2382ddafadc35266b2fa9a371fb3962b675ccab1b5538321f469070d0f3762f29b21ac7ad772eb6bd299d09f8e75d38ed8b7067965d5d5f26ebc3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rvhost.dll

Filesize
5B

MD5
34c4c50fc7bdd0394f3954f73f2be34d

SHA1
9f537f977fa2ecd1f91ff057ce1667e98ab04729

SHA256
c226b0485361a7d12f677de5fd6d094fce775723bed9f5cb44000056b45636fc

SHA512
eda815d970711a13f2ae66ccee2e4752689e0f2c8e08d9162533e5eaadc08bd201e3e545f4c8806216eb3f775656f1c3ab9a8210bbecb29a5541e5c8284f9e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rvport.dll

Filesize
7B

MD5
7a1920d61156abc05a60135aefe8bc67

SHA1
808d7dca8a74d84af27a2d6602c3d786de45fe1e

SHA256
21b111cbfe6e8fca2d181c43f53ad548b22e38aca955b9824706a504b0a07a2d

SHA512
94abfc7b11f4311e8e279b580907fefc1118690479fb7e13f0c22ade816bc2b63346498833b0241eec2b09e15172e13027dc85024bacb7bc40c150f4131f7292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwci.dll

Filesize
4B

MD5
e93028bdc1aacdfb3687181f2031765d

SHA1
7507d41ecbd162a0d6dfdaaa9988a91184351735

SHA256
a176eeb31e601c3877c87c2843a2f584968975269e369d5c86788b4c2f92d2a2

SHA512
5d2951e35a8e507db30cab1ed234ba19c083b235465029b1b25ebe3a2e50ab544413e2576d168326cb7fe927e0f75ca16964f5a8b7940cecdcb637d17fb5edde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwcs.dll

Filesize
3B

MD5
f899139df5e1059396431415e770c6dd

SHA1
310b86e0b62b828562fc91c7be5380a992b2786a

SHA256
ad57366865126e55649ecb23ae1d48887544976efea46a48eb5d85a6eeb4d306

SHA512
643c30f73a3017050b287794fc8c5bb9ab06b9ce38a1fc58df402a8b66ff58f69bf0a606ae17585352a0306f0e9752de8c5c064aed7003f52808b43ff992a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

Filesize
36B

MD5
0af629b1df207fd25f221a50059140a5

SHA1
1bdf9311af713c98ef038fcf89ee678884e8fb3d

SHA256
5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

SHA512
7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\services32.exe

Filesize
168KB

MD5
320d5faf8c35c0b73dcdbe3c9b239e26

SHA1
77d4a31e99ee2cfc86e962997452c8dc4501806a

SHA256
935de86dc436cc5a1494356f1eb83219f6b66b5829d456ea00dd0699d541d9cb

SHA512
af152f6982f9cec85429bddc6e528bad733fb9d587c01eba9f29160b82b6d798c98a0be8a1c8a5b06fc17a044492522d6dde814dfd8a4682028a3db4f3d21dc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sid2.dll

Filesize
12B

MD5
b415616b1824c2bd2b01cca0a8595ed5

SHA1
00b16a0c19c9cb12a069db1b03b47f884f335b36

SHA256
337b301dd57998ebe840a491131abfd399f73466fadfe9e532d60e4aff848e08

SHA512
ecc522268e3963f9ad9646f97e448cf682b01eb3799c92f4c1f547ebcc59f8fc1a0c90b0c714c9a679fb171c3b1350bc049491ad19ec4236601a5bacfa711413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll

Filesize
7B

MD5
138fbe5e909dfd0d97184bd702df78fa

SHA1
a4154f00e68887eeae79e1e36ebe99c630f82ebc

SHA256
80b7010a14d435b781ff99d5858b05e149f72af21e23ea460d188646a3075362

SHA512
045d767c9354661b446eae957d91afda34af1b56f02ee174cf316e874639dc28e79961c98eba3657644c7f2472672e495476cd3470d311166f18ca91c3ddd3ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

Filesize
7B

MD5
c3eef34d092ed60c3b2791814511903a

SHA1
815f979888d7a7d3cb622eee67d445c0fc94469b

SHA256
6bd1454e4848ba9ec48363db5afdc51f2a67b2e87bf7478b681cda2df245779a

SHA512
519b141185f3b4dcaf0990844aa125a23caa552d347fa69972ecf565b08b82d6b0fad321ebc0bbacca06b36fa603f4d8bd080a5a9b760e4405199b57082190ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\unir.exe

Filesize
40KB

MD5
06fd6337b5dfafe722a6bc22f40f9963

SHA1
0b3ab7a3ad5708aef4d4a534f9457c3e5247aaa2

SHA256
a59ab9930d06dad4bfe8aa3e2197ad249365c11832c28beba7cbc78d7ddd2798

SHA512
87eccb5783727e40e068917f237a8c0ebe6b4cd270821abb88b01dfaf4feda1dd45eb3924f22b69132121ab27d4ef8f8959a910b990ae83655ed6783388d903e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll

Filesize
7B

MD5
e61bc88138e5338ce33b982e7883b072

SHA1
da48abd4bc7fff393bd4d4a2f64dcca8042b885f

SHA256
57b3b38b5b7caa625b63d159a8d13aa007538029eabbd4b76ed9f5a4cad52af8

SHA512
715eae1ebeeec12feaeb93d169504f6e3e6ca2271795800d1bae1db0c27d7dab1766bf935ab27f7aedb438a787ef8132ab3363554ec4be8b4c872c310b14a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

Filesize
220KB

MD5
aa4dc525e925cad7b3faa38e9e4662e5

SHA1
006ebdb4bd8d0f411235562c5632b5d98dc12a6b

SHA256
094e86922d81eb8d0a6f3e18f486541aab071a091de3561922d838cdd65140cf

SHA512
38c6a6348afad9f254575c733fdc75877b550d23f441895cebf050499787acef38c0ec845391f3f3869b32ee966aecbbebee4033e5167bae4a09fe018181a40b

Download Submit