Analysis Overview
SHA256
a4a71e8143d4c321322829a9e0b84eff48327bdc39fc3f0a8c56263f153d17d3
Threat Level: Likely malicious
The file c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Remote Service Session Hijacking: RDP Hijacking
Grants admin privileges
Indicator Removal: Network Share Connection Removal
Loads dropped DLL
Executes dropped EXE
Modifies WinLogon
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in System32 directory
Hide Artifacts: Hidden Users
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of SetWindowsHookEx
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-25 10:10
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-25 10:10
Reported
2024-08-25 10:12
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Indicator Removal: Network Share Connection Removal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tzuP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | C:\Windows\spool\cmss.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Windows\spool\cmss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Windows\spool\cmss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | C:\Windows\spool\cmss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\MSWINSCK.OCX | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | C:\Windows\spool\cmss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Accessories\Common\clog.txt | C:\Windows\msn.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_38 Admin .rna | C:\Windows\spool\cmss.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_48 Admin .rna | C:\Windows\spool\cmss.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\log.txt | C:\Windows\msn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\spool\cmss.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\netcox.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\ziplog.txt | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\hpreg.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\spool\lsass.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Windows\spool\lsass.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Windows\hpreg.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\msn.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\refsdm.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tzuP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\cmss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\cmss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX, 1" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\msn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\tzuP.exe | tzuP.exe |
| C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | "C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c echo y\| CACLS C:\Windows\spool /G Everyone:f |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS C:\Windows\spool /G Everyone:f |
| C:\Windows\SysWOW64\cmd.exe | cmd /c echo y\| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f |
| C:\Windows\spool\cmss.exe | C:\Windows\spool\cmss.exe |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /S /D /c" echo y" |
| C:\Windows\SysWOW64\cacls.exe | CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f |
| C:\Windows\msn.exe | C:\Windows\msn.exe |
| C:\Windows\spool\lsass.exe | C:\Windows\spool\lsass.exe |
| C:\Windows\spool\lsass.exe | C:\Windows\spool\lsass.exe |
| C:\Windows\msn.exe | C:\Windows\msn.exe |
| C:\Windows\spool\cmss.exe | C:\Windows\spool\cmss.exe |
| C:\Windows\spool\lsass.exe | C:\Windows\spool\lsass.exe |
| C:\Windows\SysWOW64\net.exe | net user RemoteAdmin ecotopia /add |
| C:\Windows\SysWOW64\net.exe | net localgroup Administrators /Add RemoteAdmin |
| C:\Windows\SysWOW64\net.exe | net localgroup users /Delete RemoteAdmin |
| C:\Windows\SysWOW64\net.exe | net localgroup "Remote Desktop Users" /Add RemoteAdmin |
| C:\Windows\spool\lsass.exe | C:\Windows\spool\lsass.exe |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 user RemoteAdmin ecotopia /add |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup users /Delete RemoteAdmin |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup "Remote Desktop Users" /Add RemoteAdmin |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 localgroup Administrators /Add RemoteAdmin |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 69.46.18.49:14001 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 69.46.18.49:14001 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.win-spy.com | udp |
| US | 69.46.18.49:14001 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 69.46.18.49:14001 | | tcp |
| US | 69.46.18.49:14001 | | tcp |
Files
| MD5 | 9bf31c7ff062936a96d3c8bd1f8f2ff3 |
| SHA1 | f1abd670358e036c31296e66b3b66c382ac00812 |
| SHA256 | e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb |
| SHA512 | 9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a |
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll
| MD5 | 62158ca606dfd1b74f03b03f43e597c4 |
| SHA1 | f91a0aaaa72c124282fd28dbd9326072f789f19f |
| SHA256 | 4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00 |
| SHA512 | 389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4 |
C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll
| MD5 | d3d9446802a44259755d38e6d163e820 |
| SHA1 | b1d5781111d84f7b3fe45a0852e59758cd7a87e5 |
| SHA256 | 4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5 |
| SHA512 | 3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll
| MD5 | e3a7a7ade9b32f5de04970e3111289f2 |
| SHA1 | db6023ca7df49c86894d30a6789e8ddea24afba8 |
| SHA256 | 9a5b2200baf3be5073eca02a71d0157138190ff5ab097aca02951120651ae321 |
| SHA512 | e746c5cabf138422fb3c699bd5275b419c106eae189a532c4e2f553e6a763b46519a26828f28a4b31d7511dde5cf5266e1f4d12e1a5eebb30bdd3a3f637b93a3 |
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll
| MD5 | 79018b9d50483943a7891102073558e1 |
| SHA1 | e227bd10a8cb3fcc9ef3cc62be8b0785abfc4ad5 |
| SHA256 | bf511643f9ac25c6d6ec61e0af29cb561a0e6cdcd8afef273ab9fd2523f69cd5 |
| SHA512 | ddedf00256733686bdcc74a9670db5aaa85a10c4addd99ea540fd08bc5b1f01803c609047f5d3e57adf0684afdd44a89311686b3089ab00db98efa54248856e2 |
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll
| MD5 | 850ef2569cad0612b4e2180f45428a80 |
| SHA1 | 4f1133590e98a1be80bcc5604d9a982c52f627cf |
| SHA256 | 85fda0b7ca19d9f836076c421de754503f7c1867ab56e58691901ce2d7f7f1e6 |
| SHA512 | 1638a4f01ac56cc660acc123f68eb4161fbff770e26cdf378371f35d51f6eafb1eda963dcb7ec15b00f9b3c013e458fa9fe18f42fa3b490af5e8480e92126bd4 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ftus.dll
| MD5 | df7afd56b057ac5894d080b5044b2dbd |
| SHA1 | de45d927ec0cae7991cb24e0f0cd3012e1357fcd |
| SHA256 | 30f2daeec172c264f54892c9ef28f1f72a980f55167aa3ce39894b5602924ec7 |
| SHA512 | 3a9d2c62b04a2dd73ee6b0de49f547ea5be61541d30222a26b2550d2909dad340067ebbf97d1eb04d56f974af9bde409b66fbf7399d2b7448e67b52f8b15e814 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ftsv.dll
| MD5 | b2bf8db5e80efb9d58528b6264fdf086 |
| SHA1 | 550df9d3b6f15afc80832ff2551f60938c1b4a63 |
| SHA256 | ccf1724ba72944874962927afe1b7a216adbaba3dca1b38730cdeacb133088ed |
| SHA512 | a496dd4a93a85bf5de100ec5d17afaed496d4e2526ba6a3f1d09da593d4b8aad85834924561877a90c9762e919bb3b87d7236389e8439c6fd21b838521c86f2a |
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll
| MD5 | 0af629b1df207fd25f221a50059140a5 |
| SHA1 | 1bdf9311af713c98ef038fcf89ee678884e8fb3d |
| SHA256 | 5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177 |
| SHA512 | 7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7 |
memory/1068-165-0x0000000042050000-0x000000004212C000-memory.dmp
C:\Program Files\Accessories\Common\clog.txt
| MD5 | fceb994bd3c60029331a22a53c19871b |
| SHA1 | e9bd26049ba5b4bfdea8c8e0051ad37250d870c0 |
| SHA256 | 37ccab91655a12090dcecbcbc77f6457e2e15d50a04bcd46b90243cc356062f4 |
| SHA512 | 34769839b935372be642d19f029f87d5e7f9e5effbdd447d488840c07dc9e86d58cc3dd6bfd3f46af737a902f6cf33b39c048c68299314a42fd03dcbee0c4fc6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-25 10:10
Reported
2024-08-25 10:13
Platform
win7-20240704-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Grants admin privileges
Remote Service Session Hijacking: RDP Hijacking
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Indicator Removal: Network Share Connection Removal
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\net1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tzuP.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ccUpdate = "C:\\Windows\\msn.exe" | C:\Windows\spool\cmss.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Modifies WinLogon
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | C:\Windows\spool\cmss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | C:\Windows\spool\cmss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | C:\Windows\spool\cmss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\MSWINSCK.OCX | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Hide Artifacts: Hidden Users
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\RemoteAdmin = "0" | C:\Windows\spool\cmss.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\log.txt | C:\Windows\msn.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\clog.txt | C:\Windows\msn.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_43 Admin .rna | C:\Windows\spool\cmss.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\25 Aug 24 10_10_55 Admin .rna | C:\Windows\spool\cmss.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Program Files\Accessories\Common\desktop.ini | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\refsdm.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\ziplog.txt | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\hpreg.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File opened for modification | C:\Windows\hpreg.dll | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\spool\lsass.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\spool\cmss.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\msn.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| File created | C:\Windows\netcox.exe | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\tzuP.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\cmss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cacls.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\cmss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\msn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\spool\lsass.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Compress0\\MSWINSCK.OCX" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0 | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories | C:\Windows\spool\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Compress0\\MSWINSCK.OCX, 1" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP5)" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32 | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1 | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32 | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents" | C:\Windows\spool\lsass.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D} | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0" | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352} | C:\Windows\spool\lsass.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0 | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\ | C:\Windows\spool\lsass.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}" | C:\Windows\spool\lsass.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\msn.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\spool\cmss.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
| N/A | N/A | C:\Windows\msn.exe | N/A |
| N/A | N/A | C:\Windows\spool\lsass.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c0822b0d14b651b6e1c018c8c0bca9d2_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tzuP.exe
tzuP.exe
C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Compress0\desktop.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c echo y| CACLS C:\Windows\spool /G Everyone:f
C:\Windows\SysWOW64\cmd.exe
cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\SysWOW64\cacls.exe
CACLS C:\Windows\spool /G Everyone:f
C:\Windows\spool\cmss.exe
C:\Windows\spool\cmss.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
C:\Windows\SysWOW64\cacls.exe
CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
C:\Windows\msn.exe
C:\Windows\msn.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\cmss.exe
C:\Windows\spool\cmss.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\lsass.exe
C:\Windows\msn.exe
C:\Windows\msn.exe
C:\Windows\spool\lsass.exe
C:\Windows\spool\lsass.exe
C:\Windows\SysWOW64\net.exe
net user RemoteAdmin ecotopia /add
C:\Windows\SysWOW64\net.exe
net localgroup Administrators /Add RemoteAdmin
C:\Windows\SysWOW64\net.exe
net localgroup users /Delete RemoteAdmin
C:\Windows\SysWOW64\net.exe
net localgroup "Remote Desktop Users" /Add RemoteAdmin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 user RemoteAdmin ecotopia /add
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup "Remote Desktop Users" /Add RemoteAdmin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup users /Delete RemoteAdmin
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup Administrators /Add RemoteAdmin
Network
| Country | Destination | Domain | Proto |
| US | 69.46.18.49:14001 | | tcp |
| US | 69.46.18.49:14001 | | tcp |
| US | 8.8.8.8:53 | www.win-spy.com | udp |
| US | 69.46.18.49:14001 | | tcp |
| US | 69.46.18.49:14001 | | tcp |
| US | 69.46.18.49:14001 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll
| MD5 | 32af4302da238b64605ef49f872aad21 |
| SHA1 | f97aaba396dbbbc143acd751cdf72150fe85f798 |
| SHA256 | d66928953a2c09d957b49ec0498550349b2f82a0f1d73931aeb39c9bff1e0dc3 |
| SHA512 | 22637137df12b596714a211dfbff022ca42142b4104068b4326511f84fe091e30ae66060be715a5be9fe59313c24e64ae99655a78ef00df8287091dc24484f27 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll
| MD5 | 17cc45731514eb956c6ec43ca4dd2a71 |
| SHA1 | 487eaf8d52177e51dbefee855c4d9682f39c7ae1 |
| SHA256 | 116a593de27f51a4372ab3fff36b69f44f5394771fa6a8edd7a5dbd201bf3a2d |
| SHA512 | 9f4645a4902f2b607dea3c9c2fa4a0784d275e432c3279096d3295fcfa4a4d157ee09040f2e44f7ffa16db18d9f6e09f34ecda4d0a74301d390252de2abf1fd7 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ftus.dll
| MD5 | df7afd56b057ac5894d080b5044b2dbd |
| SHA1 | de45d927ec0cae7991cb24e0f0cd3012e1357fcd |
| SHA256 | 30f2daeec172c264f54892c9ef28f1f72a980f55167aa3ce39894b5602924ec7 |
| SHA512 | 3a9d2c62b04a2dd73ee6b0de49f547ea5be61541d30222a26b2550d2909dad340067ebbf97d1eb04d56f974af9bde409b66fbf7399d2b7448e67b52f8b15e814 |
C:\Users\Admin\AppData\Local\Temp\Compress0\ftsv.dll
| MD5 | b2bf8db5e80efb9d58528b6264fdf086 |
| SHA1 | 550df9d3b6f15afc80832ff2551f60938c1b4a63 |
| SHA256 | ccf1724ba72944874962927afe1b7a216adbaba3dca1b38730cdeacb133088ed |
| SHA512 | a496dd4a93a85bf5de100ec5d17afaed496d4e2526ba6a3f1d09da593d4b8aad85834924561877a90c9762e919bb3b87d7236389e8439c6fd21b838521c86f2a |
C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll
| MD5 | 276b6c4692e78d4799c12ada515bc3e4 |
| SHA1 | 72019bbac0b3dac88beac9ddfef0ca808919104f |
| SHA256 | 24d4b96f58da6d4a8512313bbd02a28ebf0ca95dec6e4c86ef78ce7f01e788ac |
| SHA512 | 40c41475561375aa28d4d035445525f0e8f6bfaba1fdb4bc0c30dec2de112d7c7df168bdced38b4d87326b4c3f226c2ba1a09f4384451b0bc5f9c108c1c1df32 |
C:\Users\Admin\AppData\Local\Temp\Compress0\pwhost.dll
| MD5 | 334c4a4c42fdb79d7ebc3e73b517e6f8 |
| SHA1 | 71f8e7976e4cbc4561c9d62fb283e7f788202acb |
| SHA256 | 140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe |
| SHA512 | ab93a9e95d70edb06025511cea4e2b8047fb7e1deaf7244fc0d3edf5e7cb57d8fb7b951bdeb3c6b552714878749eb19b9103e64a83635e8885c7d3e1d0fc5649 |
C:\Users\Admin\AppData\Local\Temp\Compress0\rvport.dll
| MD5 | 7a1920d61156abc05a60135aefe8bc67 |
| SHA1 | 808d7dca8a74d84af27a2d6602c3d786de45fe1e |
| SHA256 | 21b111cbfe6e8fca2d181c43f53ad548b22e38aca955b9824706a504b0a07a2d |
| SHA512 | 94abfc7b11f4311e8e279b580907fefc1118690479fb7e13f0c22ade816bc2b63346498833b0241eec2b09e15172e13027dc85024bacb7bc40c150f4131f7292 |
C:\Users\Admin\AppData\Local\Temp\Compress0\rvhost.dll
| MD5 | 34c4c50fc7bdd0394f3954f73f2be34d |
| SHA1 | 9f537f977fa2ecd1f91ff057ce1667e98ab04729 |
| SHA256 | c226b0485361a7d12f677de5fd6d094fce775723bed9f5cb44000056b45636fc |
| SHA512 | eda815d970711a13f2ae66ccee2e4752689e0f2c8e08d9162533e5eaadc08bd201e3e545f4c8806216eb3f775656f1c3ab9a8210bbecb29a5541e5c8284f9e21 |
C:\Users\Admin\AppData\Local\Temp\Compress0\rwcs.dll
| MD5 | 045117b0e0a11a242b9765e79cbf113f |
| SHA1 | ec7f1f65067126f3b2bd1037de8a18d0db2ec84b |
| SHA256 | 7b69759630f869f2723875f873935fed29d2d12b10ef763c1c33b8e0004cb405 |
| SHA512 | 1f748a9c15bdf0a5e3be241ac0b8ef75e4c0c339e9550c9f8fa342778c620ac88de6edd42b61398e72bea045b27649ef7992ae5ed0e0b162cd9f1aa71686a222 |
C:\Users\Admin\AppData\Local\Temp\Compress0\rwci.dll
| MD5 | 3f74a886c7f841699690962c497d4f30 |
| SHA1 | 271593a69439c052d4de63e50c569060dcd78e91 |
| SHA256 | d4c999ae43633bd2036188d2bca68e1be8202b2cc1f3a1c42a728eaff7d2483d |
| SHA512 | 72d7eb167391c298ee40fbf1ae613958e9c27fdca27f3256620e9c70ba37a6dabcf43c7fa1538609c555e0f686a48f04842b6ac308f306f9da51f4ca3a6ef1e8 |
C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll
| MD5 | d3d9446802a44259755d38e6d163e820 |
| SHA1 | b1d5781111d84f7b3fe45a0852e59758cd7a87e5 |
| SHA256 | 4a44dc15364204a80fe80e9039455cc1608281820fe2b24f1e5233ade6af1dd5 |
| SHA512 | 3c11e4f316c956a27655902dc1a19b925b8887d59eff791eea63edc8a05454ec594d5eb0f40ae151df87acd6e101761ecc5bb0d3b829bf3a85f5432493b22f37 |
memory/2712-153-0x0000000042050000-0x000000004212C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Compress0\ssap.dll
| MD5 | e3a7a7ade9b32f5de04970e3111289f2 |
| SHA1 | db6023ca7df49c86894d30a6789e8ddea24afba8 |
| SHA256 | 9a5b2200baf3be5073eca02a71d0157138190ff5ab097aca02951120651ae321 |
| SHA512 | e746c5cabf138422fb3c699bd5275b419c106eae189a532c4e2f553e6a763b46519a26828f28a4b31d7511dde5cf5266e1f4d12e1a5eebb30bdd3a3f637b93a3 |
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll
| MD5 | 79018b9d50483943a7891102073558e1 |
| SHA1 | e227bd10a8cb3fcc9ef3cc62be8b0785abfc4ad5 |
| SHA256 | bf511643f9ac25c6d6ec61e0af29cb561a0e6cdcd8afef273ab9fd2523f69cd5 |
| SHA512 | ddedf00256733686bdcc74a9670db5aaa85a10c4addd99ea540fd08bc5b1f01803c609047f5d3e57adf0684afdd44a89311686b3089ab00db98efa54248856e2 |
memory/2144-188-0x0000000060000000-0x000000006002E000-memory.dmp
C:\Program Files\Accessories\Common\clog.txt
| MD5 | fceb994bd3c60029331a22a53c19871b |
| SHA1 | e9bd26049ba5b4bfdea8c8e0051ad37250d870c0 |
| SHA256 | 37ccab91655a12090dcecbcbc77f6457e2e15d50a04bcd46b90243cc356062f4 |
| SHA512 | 34769839b935372be642d19f029f87d5e7f9e5effbdd447d488840c07dc9e86d58cc3dd6bfd3f46af737a902f6cf33b39c048c68299314a42fd03dcbee0c4fc6 |