d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59

Analysis

max time kernel
151s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Size

423KB
MD5

03b64ed58d209f272cbe5da1148b8eab
SHA1

42c9f8d9dfb7d621839a6de1ea8c4025cb4f104e
SHA256

d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59
SHA512

9b1efac42d64be6fa5ac495b15cc6ac20a5627ee9ba6e0634045e8e1a01a66cb9a5f860e74b2a8c05451b2d45a07a845c8b4f41da540769081e6cd3f4fb7de8c
SSDEEP

6144:knXjmM0NamNjJESIjmvhvMyeuHH+zSAzdWlZhELgf/W33a:ov0NamNjJESIjgkyV+zSudiZhFK3a

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\cisvc.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spooler = "C:\\Users\\Admin\\AppData\\Roaming\\spoolsv.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\wininit.exe	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXC6C4.tmp	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe

Executes dropped EXE 18 IoCs

pid	Process
800	cisvc.exe
2032	mstsc.exe
2776	spoolsv.exe
3668	mstsc.exe
4992	wininit.exe
908	mstsc.exe
1564	sessmgr.exe
3124	wininit.exe
1316	cisvc.exe
868	cisvc.exe
1740	cisvc.exe
1936	mstsc.exe
4580	spoolsv.exe
1688	mstsc.exe
4516	wininit.exe
3128	mstsc.exe
3872	sessmgr.exe
1780	wininit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Mstsc = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\mstsc.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Mstsc = "C:\\Users\\Admin\\Local Settings\\Application Data\\mstsc.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Sessmgr = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\sessmgr.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WinInit = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\wininit.exe"	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 800	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	84
PID 1968 wrote to memory of 800	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	84
PID 1968 wrote to memory of 800	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	84
PID 1968 wrote to memory of 2032	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	85
PID 1968 wrote to memory of 2032	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	85
PID 1968 wrote to memory of 2032	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	85
PID 1968 wrote to memory of 2776	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	87
PID 1968 wrote to memory of 2776	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	87
PID 1968 wrote to memory of 2776	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	87
PID 1968 wrote to memory of 3668	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	88
PID 1968 wrote to memory of 3668	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	88
PID 1968 wrote to memory of 3668	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	88
PID 1968 wrote to memory of 4992	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	89
PID 1968 wrote to memory of 4992	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	89
PID 1968 wrote to memory of 4992	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	89
PID 1968 wrote to memory of 908	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	90
PID 1968 wrote to memory of 908	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	90
PID 1968 wrote to memory of 908	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	90
PID 1968 wrote to memory of 1564	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	91
PID 1968 wrote to memory of 1564	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	91
PID 1968 wrote to memory of 1564	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	91
PID 1968 wrote to memory of 3124	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	92
PID 1968 wrote to memory of 3124	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	92
PID 1968 wrote to memory of 3124	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	92
PID 1968 wrote to memory of 1316	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	93
PID 1968 wrote to memory of 1316	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	93
PID 1968 wrote to memory of 1316	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	93
PID 1968 wrote to memory of 868	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	98
PID 1968 wrote to memory of 868	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	98
PID 1968 wrote to memory of 868	1968	d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe	98
PID 868 wrote to memory of 1740	868	cisvc.exe	99
PID 868 wrote to memory of 1740	868	cisvc.exe	99
PID 868 wrote to memory of 1740	868	cisvc.exe	99
PID 868 wrote to memory of 1936	868	cisvc.exe	100
PID 868 wrote to memory of 1936	868	cisvc.exe	100
PID 868 wrote to memory of 1936	868	cisvc.exe	100
PID 868 wrote to memory of 4580	868	cisvc.exe	101
PID 868 wrote to memory of 4580	868	cisvc.exe	101
PID 868 wrote to memory of 4580	868	cisvc.exe	101
PID 868 wrote to memory of 1688	868	cisvc.exe	102
PID 868 wrote to memory of 1688	868	cisvc.exe	102
PID 868 wrote to memory of 1688	868	cisvc.exe	102
PID 868 wrote to memory of 4516	868	cisvc.exe	103
PID 868 wrote to memory of 4516	868	cisvc.exe	103
PID 868 wrote to memory of 4516	868	cisvc.exe	103
PID 868 wrote to memory of 3128	868	cisvc.exe	104
PID 868 wrote to memory of 3128	868	cisvc.exe	104
PID 868 wrote to memory of 3128	868	cisvc.exe	104
PID 868 wrote to memory of 3872	868	cisvc.exe	105
PID 868 wrote to memory of 3872	868	cisvc.exe	105
PID 868 wrote to memory of 3872	868	cisvc.exe	105
PID 868 wrote to memory of 1780	868	cisvc.exe	107
PID 868 wrote to memory of 1780	868	cisvc.exe	107
PID 868 wrote to memory of 1780	868	cisvc.exe	107

C:\Users\Admin\AppData\Local\Temp\d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe
"C:\Users\Admin\AppData\Local\Temp\d7bad2f1576e59b884f9888968754484ec4687154b5d9455d208d9d59b43ca59.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe /c 43
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Users\Admin\Local Settings\Application Data\Microsoft\mstsc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\mstsc.exe" /c 66
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Users\Admin\AppData\Roaming\spoolsv.exe
  C:\Users\Admin\AppData\Roaming\spoolsv.exe /c 44
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\Local Settings\Application Data\mstsc.exe
  "C:\Users\Admin\Local Settings\Application Data\mstsc.exe" /c 23
  2⤵
  - Executes dropped EXE
  PID:3668
- C:\Windows\SysWOW64\drivers\wininit.exe
  C:\Windows\System32\drivers\wininit.exe /c 68
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Users\Admin\AppData\Roaming\MICROS~1\mstsc.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\mstsc.exe /c 57
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\sessmgr.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\sessmgr.exe" /c 4
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Users\Admin\Local Settings\Application Data\Microsoft\wininit.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\wininit.exe" /c 50
  2⤵
  - Executes dropped EXE
  PID:3124
- C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe /c 6
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe /c 2
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\mstsc.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\mstsc.exe" /c 79
    3⤵
    - Executes dropped EXE
    PID:1936
- - C:\Users\Admin\AppData\Roaming\spoolsv.exe
    C:\Users\Admin\AppData\Roaming\spoolsv.exe /c 26
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\Local Settings\Application Data\mstsc.exe
    "C:\Users\Admin\Local Settings\Application Data\mstsc.exe" /c 50
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\Windows\SysWOW64\drivers\wininit.exe
    C:\Windows\System32\drivers\wininit.exe /c 78
    3⤵
    - Executes dropped EXE
    PID:4516
- - C:\Users\Admin\AppData\Roaming\MICROS~1\mstsc.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\mstsc.exe /c 28
    3⤵
    - Executes dropped EXE
    PID:3128
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\sessmgr.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\sessmgr.exe" /c 50
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\wininit.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\wininit.exe" /c 67
    3⤵
    - Executes dropped EXE
    PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\sessmgr.exe

Filesize
423KB

MD5
0f6e4ff52b877a34044f06aadacadce8

SHA1
b2426258bee58c0a8e81bf8c321dd380613a10b7

SHA256
fc2ac69ff7a07dec5e99ddfc49a218f5739016db0ee714fd1d6fcfb39e471cc7

SHA512
55c74d5c7dbb13f05d6428d74b798778d3001386d1c3b139b8f2a8fcc27463f24f9b8e890434f120ffa0039d195b97fb611d2d7cad9ef78378b594ded4cf2305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\sessmgr.exe

Filesize
423KB

MD5
0f6e4ff52b877a34044f06aadacadce8

SHA1
b2426258bee58c0a8e81bf8c321dd380613a10b7

SHA256
fc2ac69ff7a07dec5e99ddfc49a218f5739016db0ee714fd1d6fcfb39e471cc7

SHA512
55c74d5c7dbb13f05d6428d74b798778d3001386d1c3b139b8f2a8fcc27463f24f9b8e890434f120ffa0039d195b97fb611d2d7cad9ef78378b594ded4cf2305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
fdd13a4b3247c22079c882d96d744875

SHA1
1c1436f08be6e590e28440f7149e48f52fbbcc86

SHA256
6209cfb5ccc115c0c25c8321d981c5235ef1b4a12fa6314f57a6cdb9e39d1844

SHA512
fb9bfcfcf0079aa278a94c9ba745464af500814656b3a53f679af9ed8de49abf5965495949dff035bef28fb01826b3caeaec224f7172ffaa8a2fa8d8b2903205

Download Submit
C:\Users\Admin\AppData\Local\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Local\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe

Filesize
423KB

MD5
9e116029b35b9cd1410b72ea6256737d

SHA1
02e5e6d56951cbc3e7d9266bad0ce3a9cc40d6d7

SHA256
fb0d423bc59dbaf6b6ae76bf0483b6e2eb58a23687c6ad08d632f1c8a464cdc3

SHA512
fc22d0faba901d62cccb523cb6e1ec3767617d7e829ab4c561b1ef0d8cbeb4e07ec6a26bd288585a61a573f97a948167fdbc5064c50d5ea164397211c25fa8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe

Filesize
423KB

MD5
9e116029b35b9cd1410b72ea6256737d

SHA1
02e5e6d56951cbc3e7d9266bad0ce3a9cc40d6d7

SHA256
fb0d423bc59dbaf6b6ae76bf0483b6e2eb58a23687c6ad08d632f1c8a464cdc3

SHA512
fc22d0faba901d62cccb523cb6e1ec3767617d7e829ab4c561b1ef0d8cbeb4e07ec6a26bd288585a61a573f97a948167fdbc5064c50d5ea164397211c25fa8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe

Filesize
423KB

MD5
9e116029b35b9cd1410b72ea6256737d

SHA1
02e5e6d56951cbc3e7d9266bad0ce3a9cc40d6d7

SHA256
fb0d423bc59dbaf6b6ae76bf0483b6e2eb58a23687c6ad08d632f1c8a464cdc3

SHA512
fc22d0faba901d62cccb523cb6e1ec3767617d7e829ab4c561b1ef0d8cbeb4e07ec6a26bd288585a61a573f97a948167fdbc5064c50d5ea164397211c25fa8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe

Filesize
423KB

MD5
9e116029b35b9cd1410b72ea6256737d

SHA1
02e5e6d56951cbc3e7d9266bad0ce3a9cc40d6d7

SHA256
fb0d423bc59dbaf6b6ae76bf0483b6e2eb58a23687c6ad08d632f1c8a464cdc3

SHA512
fc22d0faba901d62cccb523cb6e1ec3767617d7e829ab4c561b1ef0d8cbeb4e07ec6a26bd288585a61a573f97a948167fdbc5064c50d5ea164397211c25fa8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\cisvc.exe

Filesize
423KB

MD5
9e116029b35b9cd1410b72ea6256737d

SHA1
02e5e6d56951cbc3e7d9266bad0ce3a9cc40d6d7

SHA256
fb0d423bc59dbaf6b6ae76bf0483b6e2eb58a23687c6ad08d632f1c8a464cdc3

SHA512
fc22d0faba901d62cccb523cb6e1ec3767617d7e829ab4c561b1ef0d8cbeb4e07ec6a26bd288585a61a573f97a948167fdbc5064c50d5ea164397211c25fa8b7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
423KB

MD5
ae1e3dd07ebf8d094977e1cbd2e5d51b

SHA1
a067a7591deaf15849b7cc783b817644e02f1545

SHA256
388995cdcc241cfdcee515de7cf821db8bd1ae2a7a81bce16c7e86322de88fb3

SHA512
27207bc520a20ed6675036ca463d026703899e698bd3b0cf4ed341a4cfcd8e683028ef6d461c3cdfa87ef835ea8f67ac43e951ebd812e96b9287deef57c05c02

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
423KB

MD5
ae1e3dd07ebf8d094977e1cbd2e5d51b

SHA1
a067a7591deaf15849b7cc783b817644e02f1545

SHA256
388995cdcc241cfdcee515de7cf821db8bd1ae2a7a81bce16c7e86322de88fb3

SHA512
27207bc520a20ed6675036ca463d026703899e698bd3b0cf4ed341a4cfcd8e683028ef6d461c3cdfa87ef835ea8f67ac43e951ebd812e96b9287deef57c05c02

Download Submit
C:\Users\Admin\AppData\Roaming\spoolsv.exe

Filesize
423KB

MD5
ae1e3dd07ebf8d094977e1cbd2e5d51b

SHA1
a067a7591deaf15849b7cc783b817644e02f1545

SHA256
388995cdcc241cfdcee515de7cf821db8bd1ae2a7a81bce16c7e86322de88fb3

SHA512
27207bc520a20ed6675036ca463d026703899e698bd3b0cf4ed341a4cfcd8e683028ef6d461c3cdfa87ef835ea8f67ac43e951ebd812e96b9287deef57c05c02

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\sessmgr.exe

Filesize
423KB

MD5
0f6e4ff52b877a34044f06aadacadce8

SHA1
b2426258bee58c0a8e81bf8c321dd380613a10b7

SHA256
fc2ac69ff7a07dec5e99ddfc49a218f5739016db0ee714fd1d6fcfb39e471cc7

SHA512
55c74d5c7dbb13f05d6428d74b798778d3001386d1c3b139b8f2a8fcc27463f24f9b8e890434f120ffa0039d195b97fb611d2d7cad9ef78378b594ded4cf2305

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit
C:\Users\Admin\Local Settings\Application Data\mstsc.exe

Filesize
423KB

MD5
a74263d35ee7a558adf1736ffc383059

SHA1
52c444a238c1231f909632f5495d6ea33579f8f0

SHA256
8fb78e9f8ee2bbc8f2f2707e12c15e0445de2609c2d4971e6c389b70143a1c90

SHA512
83cdf09b7423c1896e5bfd0beaf2ca4d9645333323adaa497f4449b2f6a05886ccf53bcb66c194c13790404cf5e77658a8c57023884acb00ac66e07c7d019035

Download Submit
C:\Windows\SysWOW64\drivers\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit
C:\Windows\SysWOW64\drivers\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit
C:\Windows\SysWOW64\drivers\wininit.exe

Filesize
423KB

MD5
75478dec987b4a9b30a601b8dffd2337

SHA1
f215a59f86707da7e1fd068bca5fe5876d15be63

SHA256
b732ef81c84ccabc0764f3e50240a0a600f418c6cb5501c45b774d97dbc8b478

SHA512
5112eb02205e5a970905afa707ecc4a0509bcfe452693d43df6ea375a56af8f441f5deb3b74c72a1a75a202c6a8a0d72a3f4e9cba32dfe4cac1556a174019e5a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads