215da71f38539f2affe0a22eef65ec9371a40aebe34b8233ef7574c3edead34d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe
Size

703KB
MD5

ea25ee92461dbf850d57b2f35a793073
SHA1

a0bfbc971c0a6ee73bb54951023cfbe769448646
SHA256

215da71f38539f2affe0a22eef65ec9371a40aebe34b8233ef7574c3edead34d
SHA512

eacf84c569e3646e75fcdbe3d332d58df473217f8789c454379b265d04cdb4471c8fc03800536da02afea15f8bf69bf2198bed11029b3f0256a913cf3c32a439
SSDEEP

12288:aFCRXVDQrrNWNVppppppppppppppppppppppppppppp9odJmrlCiEnmYROK49bvN:LRXVQaodJmJNR9rWlWrOmF/ak0eifygo

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 9 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3764	netsh.exe
3772	netsh.exe
2108	netsh.exe
2540	netsh.exe
636	netsh.exe
1104	netsh.exe
1976	netsh.exe
3252	netsh.exe
1108	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
5108	ccsvchst.exe
4800	cmss.exe
1372	msmsgs.exe
4404	comres.exe
4536	RDS.exe
3936	msmsgs.exe
832	msmsgs.exe
3792	msmsgs.exe

Loads dropped DLL 5 IoCs

pid	Process
5108	ccsvchst.exe
5108	ccsvchst.exe
4404	comres.exe
4536	RDS.exe
4800	cmss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemPack = "C:\\PROGRA~2\\WinCache\\cmss.exe"	ccsvchst.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\PROGRA~2\WinCache\RDS.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	cmss.exe
File opened for modification	C:\PROGRA~2\WinCache\comres.exe	ccsvchst.exe
File created	C:\PROGRA~2\WinCache\msmsgs.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe
File created	C:\PROGRA~2\WinCache\comres.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\KB_log.txt	msmsgs.exe
File opened for modification	C:\Program Files\Accessories\Common\PC_Active_Time.txt	cmss.exe
File created	C:\Program Files\Accessories\Common\desktop.ini	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common\Chat_log.txt	msmsgs.exe
File created	C:\PROGRA~2\WinCache\cmss.exe	ccsvchst.exe
File opened for modification	C:\Program Files\Accessories\Common	ccsvchst.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\svers.dll	ccsvchst.exe
File created	C:\Windows\refsdm.dll	ccsvchst.exe
File created	C:\Windows\hpvert.dll	ccsvchst.exe
File opened for modification	C:\Windows\hpvert.dll	ccsvchst.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 27 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmsgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmsgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RDS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmsgs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ccsvchst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msmsgs.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\MSWINSCK.OCX, 1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	ccsvchst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0 (SP6)"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0 (SP6)"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\MSWINSCK.OCX"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	ccsvchst.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	ccsvchst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	ccsvchst.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ccsvchst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe
4800	cmss.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3792	msmsgs.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
5108	ccsvchst.exe
4800	cmss.exe
1372	msmsgs.exe
4404	comres.exe
4536	RDS.exe
3936	msmsgs.exe
832	msmsgs.exe
3936	msmsgs.exe
3792	msmsgs.exe
3792	msmsgs.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 5108	4960	ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe	82
PID 4960 wrote to memory of 5108	4960	ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe	82
PID 4960 wrote to memory of 5108	4960	ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe	82
PID 5108 wrote to memory of 1496	5108	ccsvchst.exe	83
PID 5108 wrote to memory of 1496	5108	ccsvchst.exe	83
PID 5108 wrote to memory of 1496	5108	ccsvchst.exe	83
PID 5108 wrote to memory of 1104	5108	ccsvchst.exe	85
PID 5108 wrote to memory of 1104	5108	ccsvchst.exe	85
PID 5108 wrote to memory of 1104	5108	ccsvchst.exe	85
PID 5108 wrote to memory of 636	5108	ccsvchst.exe	86
PID 5108 wrote to memory of 636	5108	ccsvchst.exe	86
PID 5108 wrote to memory of 636	5108	ccsvchst.exe	86
PID 5108 wrote to memory of 3252	5108	ccsvchst.exe	87
PID 5108 wrote to memory of 3252	5108	ccsvchst.exe	87
PID 5108 wrote to memory of 3252	5108	ccsvchst.exe	87
PID 5108 wrote to memory of 2540	5108	ccsvchst.exe	88
PID 5108 wrote to memory of 2540	5108	ccsvchst.exe	88
PID 5108 wrote to memory of 2540	5108	ccsvchst.exe	88
PID 5108 wrote to memory of 2108	5108	ccsvchst.exe	89
PID 5108 wrote to memory of 2108	5108	ccsvchst.exe	89
PID 5108 wrote to memory of 2108	5108	ccsvchst.exe	89
PID 5108 wrote to memory of 1108	5108	ccsvchst.exe	90
PID 5108 wrote to memory of 1108	5108	ccsvchst.exe	90
PID 5108 wrote to memory of 1108	5108	ccsvchst.exe	90
PID 5108 wrote to memory of 3772	5108	ccsvchst.exe	96
PID 5108 wrote to memory of 3772	5108	ccsvchst.exe	96
PID 5108 wrote to memory of 3772	5108	ccsvchst.exe	96
PID 5108 wrote to memory of 3764	5108	ccsvchst.exe	97
PID 5108 wrote to memory of 3764	5108	ccsvchst.exe	97
PID 5108 wrote to memory of 3764	5108	ccsvchst.exe	97
PID 5108 wrote to memory of 1976	5108	ccsvchst.exe	98
PID 5108 wrote to memory of 1976	5108	ccsvchst.exe	98
PID 5108 wrote to memory of 1976	5108	ccsvchst.exe	98
PID 1496 wrote to memory of 3136	1496	cmd.exe	101
PID 1496 wrote to memory of 3136	1496	cmd.exe	101
PID 1496 wrote to memory of 3136	1496	cmd.exe	101
PID 1496 wrote to memory of 1448	1496	cmd.exe	102
PID 1496 wrote to memory of 1448	1496	cmd.exe	102
PID 1496 wrote to memory of 1448	1496	cmd.exe	102
PID 5108 wrote to memory of 2908	5108	ccsvchst.exe	105
PID 5108 wrote to memory of 2908	5108	ccsvchst.exe	105
PID 5108 wrote to memory of 2908	5108	ccsvchst.exe	105
PID 2908 wrote to memory of 4448	2908	cmd.exe	107
PID 2908 wrote to memory of 4448	2908	cmd.exe	107
PID 2908 wrote to memory of 4448	2908	cmd.exe	107
PID 2908 wrote to memory of 3960	2908	cmd.exe	108
PID 2908 wrote to memory of 3960	2908	cmd.exe	108
PID 2908 wrote to memory of 3960	2908	cmd.exe	108
PID 5108 wrote to memory of 4800	5108	ccsvchst.exe	113
PID 5108 wrote to memory of 4800	5108	ccsvchst.exe	113
PID 5108 wrote to memory of 4800	5108	ccsvchst.exe	113
PID 4800 wrote to memory of 1372	4800	cmss.exe	114
PID 4800 wrote to memory of 1372	4800	cmss.exe	114
PID 4800 wrote to memory of 1372	4800	cmss.exe	114
PID 4800 wrote to memory of 4404	4800	cmss.exe	115
PID 4800 wrote to memory of 4404	4800	cmss.exe	115
PID 4800 wrote to memory of 4404	4800	cmss.exe	115
PID 4800 wrote to memory of 4536	4800	cmss.exe	116
PID 4800 wrote to memory of 4536	4800	cmss.exe	116
PID 4800 wrote to memory of 4536	4800	cmss.exe	116
PID 4800 wrote to memory of 3936	4800	cmss.exe	122
PID 4800 wrote to memory of 3936	4800	cmss.exe	122
PID 4800 wrote to memory of 3936	4800	cmss.exe	122
PID 4800 wrote to memory of 832	4800	cmss.exe	123

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\ea25ee92461dbf850d57b2f35a793073_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe
    "C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~2\WinCache /G Everyone:f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~2\WinCache /G Everyone:f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1448
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinCache\comres.exe" "comres.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1104
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\comres.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:636
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="comres.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\comres.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3252
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinCache\cmss.exe" "cmss.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2540
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\cmss.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:2108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="cmss.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\cmss.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1108
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall add allowedprogram "C:\PROGRA~2\WinCache\RDS.exe" "RDS.exe" ENABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3772
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\RDS.exe" enable=yes
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:3764
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall firewall add rule name="RDS.exe" dir=in action=allow program="C:\PROGRA~2\WinCache\RDS.exe" enable=yes profile=public
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1976
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c echo y| CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo y"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4448
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS C:\PROGRA~1\ACCESS~1\Common /G Everyone:f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
  - - C:\PROGRA~2\WinCache\cmss.exe
      C:\PROGRA~2\WinCache\cmss.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Program Files (x86)\WinCache\msmsgs.exe
        
        "C:\Program Files (x86)\WinCache\msmsgs.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1372
    - - C:\Program Files (x86)\WinCache\comres.exe
        
        "C:\Program Files (x86)\WinCache\comres.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4404
    - - C:\Program Files (x86)\WinCache\RDS.exe
        
        "C:\Program Files (x86)\WinCache\RDS.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4536
    - - C:\PROGRA~2\WinCache\msmsgs.exe
        
        C:\PROGRA~2\WinCache\msmsgs.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3936
    - - C:\PROGRA~2\WinCache\msmsgs.exe
        
        C:\PROGRA~2\WinCache\msmsgs.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:832
    - - C:\PROGRA~2\WinCache\msmsgs.exe
        
        C:\PROGRA~2\WinCache\msmsgs.exe
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:3792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Accessories\Common\Chat_log.txt

Filesize
248B

MD5
dbd2930be6b2f99d1176929cb210a943

SHA1
ce645c3aaa7e409f59b41c8944fc3eb5bea2d39a

SHA256
6d1fca31e1faf391a68a18eb2f83231521f47b834035aacc3ae4d2121ff7efd7

SHA512
9defac02ea8d4949f1bf669b3d81e84d38b4ee9fc55764434201eb91b8600ffe101575c9aabd14461280419bb8953579bb9f74b6a20fabaafd0c8a93d029cc10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\Image-JPEG.ico

Filesize
77KB

MD5
30adda56792acf132826636b472e3a8c

SHA1
504f573ca064d539b2c06e384d6448de6c289325

SHA256
7336ca3ff2ee039d96170b5513012a2dd2e901b5a311ce352c55808c19f89d4b

SHA512
8cd2eeee4ff425c0e38182497115fb2ca8f61eb71b57a693beb40b4b3209ee2cfe693cdca733ef87fc4ba48b094ddafca26b0a7657f239bf2f43ca0d2fc04adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\RDS.exe

Filesize
176KB

MD5
e8af5d10cd8f4fc475d4308e6a941de9

SHA1
7ef26bb4a673003e64838a4b7c2913cbc70c178a

SHA256
44a0a7810cb7fc3f9997403c427bc5827944fe46147832753d9c57f4b5f8e4d2

SHA512
aa67383aebd273712372d738197f330ea3ba7a6694c8fa542ad5ef6882238cf9a3c972db5958fa063120571b9d2c7e5901238d05eb48c0e2642f99846248e064

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ccsvchst.exe

Filesize
120KB

MD5
9abcbd5799683bc63fa4e6f291a288f0

SHA1
24b9b12a2405276f5ec0a663789e94bd5907e968

SHA256
9b8f5fda4c0b66a5bb0eeee6e658049efd47e77b3f21f870787f2bcfa2fc9ad6

SHA512
9b260bee2f61dfd7dcfc55b6f1e330e1d18d86feaa1ef4e30967b6eeba165e2d58cfbac0e6b3e187c42c52d86d34f156203e8b5c9288d6072675d27fccef930e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\comres.exe

Filesize
196KB

MD5
837e8ff17381d4732af0c14db6891e57

SHA1
d7798e24a046daafdb25f977d8896d5b643395a7

SHA256
5076d475040d2cb4dca67f2adba9d6568b66210588d580b1ae5dec92a5211630

SHA512
69f56449abf94bfd82a2272e15870b1962d300837917e3eac4f4229b1e2cf18be548a98cbd304198b0dc1e47b4baed9e9d6f1867b90b706efa177c5afe213d26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\dunin.dll

Filesize
2B

MD5
9bf31c7ff062936a96d3c8bd1f8f2ff3

SHA1
f1abd670358e036c31296e66b3b66c382ac00812

SHA256
e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

SHA512
9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\emfz.dll

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\eminu.dll

Filesize
2B

MD5
34173cb38f07f89ddbebc2ac9128303f

SHA1
22d200f8670dbdb3e253a90eee5098477c95c23d

SHA256
624b60c58c9d8bfb6ff1886c2fd605d2adeb6ea4da576068201b6c6958ce93f4

SHA512
1ccbff33e55627a50beca8cf5c89f77c3165dcb3218171308423f250f0bb0be9700bbfdd92d35dfa2e579110266a40194d707b50e7d27b6f09b81fbbf80231a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftin.dll

Filesize
2B

MD5
6f4922f45568161a8cdf4ad2299f6d23

SHA1
9e6a55b6b4563e652a23be9d623ca5055c356940

SHA256
4ec9599fc203d176a301536c2e091a19bc852759b255bd6818810a42c5fed14a

SHA512
f107ba2da059fa640eccb9533e859a6435f6b83aa2e0636a47444dfdcde33a6e1f3cc1c9437bcfd42675af265a0d0b9d66c86c9e66347aa41534204745e41fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftpa.dll

Filesize
24B

MD5
74723da3f7ce583f25ce3afc05b7da25

SHA1
a2fd2fa631e6e50ba814991dfeea980046235078

SHA256
c84ae58563495d72c6689b95ec1480977074100dc3865cdfef32ef0c3341eb27

SHA512
75237d30f9e55525f09c41b06d57b857e269d763e29bf22a1cfb6a5d190b17b8639d367e3b7db7ca954c61637767f4903e68a094ed40e267b6c7f7a46f9f8781

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\ftps.dll

Filesize
2B

MD5
05ab88fb98453f3a811b785145662131

SHA1
93ac8946882128457cd9e283b30ca851945e6690

SHA256
76a71fbef8a8339fcbcaff8c9aadfb85c834bc3cc0c07069a5ebb2eea3d90d68

SHA512
ad40c2c7c7aee848934e415d0156ba6069e44436e67f438d3c654c16c53491c4596b19e021fa0aed91dc1e9ed7f95d1ef7b4f60cf38bed7d4fd1e7810a5b4ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\hpvert.dll

Filesize
176KB

MD5
a0ce0247d48fecaac607edb1e2d87fd8

SHA1
346bf586bdf6ae4181c685fa74adf4524328d469

SHA256
5a0b1c4e5d91fd67a1ad23e5ce869899b79a7282cb6e5533dc5c074eb59306ec

SHA512
38a03530dfafe3030ece87dad7af28baff8e79f87618f1510bcb5b7f994632745dc70f9062ba6bdbcd408062786bbb3c37a53c21423d1f172663d9e57c232986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\inmsg.dll

Filesize
40B

MD5
62158ca606dfd1b74f03b03f43e597c4

SHA1
f91a0aaaa72c124282fd28dbd9326072f789f19f

SHA256
4f45cc3a4c63bbd0e99ede09409dd656575c3bf68da68f1af11c01f1a3015d00

SHA512
389095d037013a09cb02d6d1fcc65d7f37ab86c82aa63600fba375376b0d3cc317b7bd984abcd325154c132823216d1134a303ab90cd96f8e5b7b836d68315f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\mail.dll

Filesize
20B

MD5
bdc57e2f010da2cb2d7d1f3c13243e9e

SHA1
471856147891d0e020e0a793b587c1699c3f3b3e

SHA256
9645fdfbe9d8540ca065db366fe893868c88583fe549a9a74a164d9d77b24ae7

SHA512
765f0b1e6b3984b6bcf021cf785af74a09b3fc9f437c8c14ac34b9d137122d7244911ff79acbfec768c6b674d89d6f42b28fcca8af9398a7b99e6fb629f0182b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\msmsgs.exe

Filesize
164KB

MD5
52d57608ea44feab70a59e021014a10f

SHA1
fc91ffd70210f8ec311006c139b046bf6cced2e4

SHA256
66a81e58cdad8f6a6579de72631a597ffff5f329d29c258369a43bf1a4a129e0

SHA512
5513ffe94c21313e2c2463db1526f8885f83e2a8a5c12a506a99a36bec53d4d4d3b40ab6044c23552e66e2a006a4a2a87c086ab3a4f902785576183a807e8d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\picture.dll

Filesize
14B

MD5
e5410760d0637de06190b3fc89f7c177

SHA1
e56d2d765d75087d115bcbd2f417795eb00bcdb4

SHA256
d0cbc613a966d2c70e46feff229c83f821fda9ee8e45c92825fa6d5d3e58fd2e

SHA512
5bd4a99dd0658c33cd4dd05e84ad32c21f1f28360221292e0f35abbf120b254d733f4ed129f768647d83f185fb6bcccec54daa272d8190d60f0424785db713cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\port.dll

Filesize
3B

MD5
13f3cf8c531952d72e5847c4183e6910

SHA1
ac3e7b007d7ab0ba379faa8ab62d9da35c5444f4

SHA256
6d05621ab7cb7b4fb796ca2ffbe1a141e0d4319d3deb6a05322b9de85d69b923

SHA512
c2b37e4037631aaa4809e9a0dc82ad5ce7a04fa98a6b6de280d16181dc88de0b3e337a96a7aac19619ac65d68537dbe171b3857a72344a1a9d74bd3923460854

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\pwhost.dll

Filesize
4B

MD5
334c4a4c42fdb79d7ebc3e73b517e6f8

SHA1
71f8e7976e4cbc4561c9d62fb283e7f788202acb

SHA256
140bedbf9c3f6d56a9846d2ba7088798683f4da0c248231336e6a05679e4fdfe

SHA512
ab93a9e95d70edb06025511cea4e2b8047fb7e1deaf7244fc0d3edf5e7cb57d8fb7b951bdeb3c6b552714878749eb19b9103e64a83635e8885c7d3e1d0fc5649

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\refsdm.dll

Filesize
26B

MD5
4c257f287c406ecb4d1903d8d71869ff

SHA1
e6d0253144882a3864645c402b01a769d88baca8

SHA256
87729f0488fc16487e2f96e2fac05c7c5ea53fe49151f6b9517c40203cea3726

SHA512
4d8510c1f24d2ee25579d9eeda2184c46b507736e5923e6437efac6c4b9c5c41fcf295eca39ec6413c68baa3d43d7052af4f3f8ab334a181ffd810204a2ce6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\resu.dll

Filesize
3B

MD5
73d2b65353d7b00e0f198ffdc085edc8

SHA1
aa91214ab6cca295fb3f38a13a4b03edd95286e1

SHA256
c6cd4cf936fd5ad884ed4c278d147982124a6b7df27d95ddf58cd7a60660664c

SHA512
8cd0cf7b63d133e4ebde384744e5c8e2503b8f2ced89225602f77b8ddb68a2a59bde0d9250c07ce0f38261f22eefdf5ce70dce3a81271342beed4c09296bb73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rvhost.dll

Filesize
5B

MD5
34c4c50fc7bdd0394f3954f73f2be34d

SHA1
9f537f977fa2ecd1f91ff057ce1667e98ab04729

SHA256
c226b0485361a7d12f677de5fd6d094fce775723bed9f5cb44000056b45636fc

SHA512
eda815d970711a13f2ae66ccee2e4752689e0f2c8e08d9162533e5eaadc08bd201e3e545f4c8806216eb3f775656f1c3ab9a8210bbecb29a5541e5c8284f9e21

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rvport.dll

Filesize
7B

MD5
7a1920d61156abc05a60135aefe8bc67

SHA1
808d7dca8a74d84af27a2d6602c3d786de45fe1e

SHA256
21b111cbfe6e8fca2d181c43f53ad548b22e38aca955b9824706a504b0a07a2d

SHA512
94abfc7b11f4311e8e279b580907fefc1118690479fb7e13f0c22ade816bc2b63346498833b0241eec2b09e15172e13027dc85024bacb7bc40c150f4131f7292

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwci.dll

Filesize
4B

MD5
e93028bdc1aacdfb3687181f2031765d

SHA1
7507d41ecbd162a0d6dfdaaa9988a91184351735

SHA256
a176eeb31e601c3877c87c2843a2f584968975269e369d5c86788b4c2f92d2a2

SHA512
5d2951e35a8e507db30cab1ed234ba19c083b235465029b1b25ebe3a2e50ab544413e2576d168326cb7fe927e0f75ca16964f5a8b7940cecdcb637d17fb5edde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\rwcs.dll

Filesize
3B

MD5
f899139df5e1059396431415e770c6dd

SHA1
310b86e0b62b828562fc91c7be5380a992b2786a

SHA256
ad57366865126e55649ecb23ae1d48887544976efea46a48eb5d85a6eeb4d306

SHA512
643c30f73a3017050b287794fc8c5bb9ab06b9ce38a1fc58df402a8b66ff58f69bf0a606ae17585352a0306f0e9752de8c5c064aed7003f52808b43ff992a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sccle.dll

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scint.dll

Filesize
2B

MD5
c51ce410c124a10e0db5e4b97fc2af39

SHA1
bd307a3ec329e10a2cff8fb87480823da114f8f4

SHA256
3fdba35f04dc8c462986c992bcf875546257113072a909c162f7e470e581e278

SHA512
413f2ba78c7ed4ccefbe0cc4f51d3eb5cb15f13fec999de4884be925076746663aa5d34476a3df4a8729fd8eea01defa4f3f66e99bf943f4d84382d64bbbfa9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\scloc.dll

Filesize
36B

MD5
0af629b1df207fd25f221a50059140a5

SHA1
1bdf9311af713c98ef038fcf89ee678884e8fb3d

SHA256
5d795ca75d4e40986ae410a8063f6a23a3cb1e6b2456bea570e5247ced6d9177

SHA512
7531d36dac630adc84e88cd75cddc3e92e23b89ddbc4994780693772a106878879a9b0a458f96262ad2df01dc5ef0c641a9c1a21dfe75b4e43a14ad37a2244b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\sid2.dll

Filesize
12B

MD5
368e30e3411e1f4e292e9f821b9f8dcb

SHA1
b1fa26e3e77b7c2a98bd2145e46eaeeb62c1df5a

SHA256
605b6113f3acf5a23ac996b8164d2ccd22279440e984d01dfe7cfe4c31b00f02

SHA512
4981825e88f58334522b59b67306cade56e863a7b00fa60b2d89681ea9d7801a18b78a87bf621d5861e34fa77caf915da1981dc684aa5b42ec9a228ec4af030e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\svers.dll

Filesize
74KB

MD5
c75f24419e15c409594ff81bd947d387

SHA1
26ccbdf17eeedc088efaf605331d893d334b70f0

SHA256
77cc18a868bc144dc03e6577b4697e726c475187559642d97c9ce7ec1f69a905

SHA512
b1d7b3f7455ab3d636f966027f68afd86a5f88a2d330664a6783829f08a5a27e9a6cc8f3c4ccfdf5636a5a9c4a3f469b6baa961a0320703753d9257de9ae4d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\type.dll

Filesize
3B

MD5
98e83379d45538379c2ac4e47c3be81d

SHA1
d659d96d15c7a1206f44eb36ed72495563140859

SHA256
9095bdb859308b62acf04036ffd4adfe366d7f737d276eb6c46ae434f3816c9b

SHA512
789f09c2868b1f6aa75bcdc4a2c761525d7a50617c76a8892307bc268bd0c4a6e4c5359486e556f9f6233a32dc4b5b97e41a63d03a28d2da37d1aa7bf15f8ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\user.dll

Filesize
6B

MD5
094bfe664161213fa259180d7a812fe5

SHA1
84d76cf416f5219a052a74c109c035381c4a1288

SHA256
45975d7c9a56d888ebd4ff454064075ca00e9c62070659278065bf45247f809d

SHA512
f7352bbd653c8c2446b5705e30952faab86d846d650fd5b1d38305385de79bacef90e2523c6f3c0129f127f820b8e231b608ca28d177158209b04ee292b853fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Compress0\winsyst32.exe

Filesize
396KB

MD5
ca51008f42d241f5b28357a3e94551ab

SHA1
8049d9effafc58f30b4f6a6747c062b6ff24e2bb

SHA256
48b9bf4d492e19bb2b40e74f0bd00a4ed865865629d8ce6d6b072a08e9bc63c3

SHA512
e79c319ba4c0f628ecd4bbf70d3cf3c97d0255bcd852a3901e6b0fbe3bc8d83dc303747f6300b41cb2349c1d8f3383f9a3fc287ee2924963caf83e8034b3c8b3

Download Submit