a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 11:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Size

460KB
MD5

0fa9e5ff0638b42b2ecb1877e16528db
SHA1

f8ee6db8f9960a40cff6a87974247a9cf720bcdb
SHA256

a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b
SHA512

a6722e8915dfab68bfc29e3e68e97e98e4dda243cd3422d2afd3aa6ccc087ae9ae7bcdce1dbc8056b4a17b2eb00c2664a3eedc4ff0909eff34c77af140497000
SSDEEP

12288:ppLCnVtGQ6vRSDB4fkCmHQrBecfKZI3sN:8ofHQaVfKZI8N

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Session Manager = "C:\\Windows\\System\\smss.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MessageService = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\mqtgsvc.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\cmstp.exe	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXC1B5.tmp	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe

Executes dropped EXE 18 IoCs

pid	Process
4368	smss.exe
4208	logman.exe
1620	mqtgsvc.exe
3624	csrss.exe
2388	logman.exe
2840	ieudinit.exe
440	cmstp.exe
3120	mstsc.exe
3904	smss.exe
3152	smss.exe
5032	smss.exe
2160	logman.exe
4896	mqtgsvc.exe
5004	csrss.exe
1588	logman.exe
2480	ieudinit.exe
4828	cmstp.exe
3916	mstsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Logman = "C:\\Users\\Admin\\AppData\\Roaming\\logman.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Csrss = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\csrss.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System\RCXBB85.tmp	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File created	C:\Windows\System\logman.exe	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File opened for modification	C:\Windows\System\RCXC01C.tmp	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File created	C:\Windows\ieudinit.exe	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File opened for modification	C:\Windows\RCXC117.tmp	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File created	C:\Windows\System\smss.exe	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
File opened for modification	C:\Windows\System\smss.exe	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft Connection Manager = "C:\\Windows\\System32\\drivers\\cmstp.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Mstsc = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\mstsc.exe"	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
Key created	\REGISTRY\USER\.DEFAULT	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3144 wrote to memory of 4368	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	76
PID 3144 wrote to memory of 4368	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	76
PID 3144 wrote to memory of 4368	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	76
PID 3144 wrote to memory of 4208	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	77
PID 3144 wrote to memory of 4208	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	77
PID 3144 wrote to memory of 4208	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	77
PID 3144 wrote to memory of 1620	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	78
PID 3144 wrote to memory of 1620	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	78
PID 3144 wrote to memory of 1620	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	78
PID 3144 wrote to memory of 3624	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	79
PID 3144 wrote to memory of 3624	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	79
PID 3144 wrote to memory of 3624	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	79
PID 3144 wrote to memory of 2388	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	80
PID 3144 wrote to memory of 2388	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	80
PID 3144 wrote to memory of 2388	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	80
PID 3144 wrote to memory of 2840	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	81
PID 3144 wrote to memory of 2840	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	81
PID 3144 wrote to memory of 2840	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	81
PID 3144 wrote to memory of 440	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	82
PID 3144 wrote to memory of 440	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	82
PID 3144 wrote to memory of 440	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	82
PID 3144 wrote to memory of 3120	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	83
PID 3144 wrote to memory of 3120	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	83
PID 3144 wrote to memory of 3120	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	83
PID 3144 wrote to memory of 3904	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	84
PID 3144 wrote to memory of 3904	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	84
PID 3144 wrote to memory of 3904	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	84
PID 3144 wrote to memory of 3152	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	86
PID 3144 wrote to memory of 3152	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	86
PID 3144 wrote to memory of 3152	3144	a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe	86
PID 3152 wrote to memory of 5032	3152	smss.exe	87
PID 3152 wrote to memory of 5032	3152	smss.exe	87
PID 3152 wrote to memory of 5032	3152	smss.exe	87
PID 3152 wrote to memory of 2160	3152	smss.exe	88
PID 3152 wrote to memory of 2160	3152	smss.exe	88
PID 3152 wrote to memory of 2160	3152	smss.exe	88
PID 3152 wrote to memory of 4896	3152	smss.exe	89
PID 3152 wrote to memory of 4896	3152	smss.exe	89
PID 3152 wrote to memory of 4896	3152	smss.exe	89
PID 3152 wrote to memory of 5004	3152	smss.exe	90
PID 3152 wrote to memory of 5004	3152	smss.exe	90
PID 3152 wrote to memory of 5004	3152	smss.exe	90
PID 3152 wrote to memory of 1588	3152	smss.exe	91
PID 3152 wrote to memory of 1588	3152	smss.exe	91
PID 3152 wrote to memory of 1588	3152	smss.exe	91
PID 3152 wrote to memory of 2480	3152	smss.exe	92
PID 3152 wrote to memory of 2480	3152	smss.exe	92
PID 3152 wrote to memory of 2480	3152	smss.exe	92
PID 3152 wrote to memory of 4828	3152	smss.exe	93
PID 3152 wrote to memory of 4828	3152	smss.exe	93
PID 3152 wrote to memory of 4828	3152	smss.exe	93
PID 3152 wrote to memory of 3916	3152	smss.exe	94
PID 3152 wrote to memory of 3916	3152	smss.exe	94
PID 3152 wrote to memory of 3916	3152	smss.exe	94

C:\Users\Admin\AppData\Local\Temp\a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe
"C:\Users\Admin\AppData\Local\Temp\a814425bed4127fc646e9dcb77ebd414d12c7c24a663197e977289d448f2562b.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Windows\System\smss.exe
  C:\Windows\System\smss.exe /c 52
  2⤵
  - Executes dropped EXE
  PID:4368
- C:\Users\Admin\AppData\Roaming\logman.exe
  C:\Users\Admin\AppData\Roaming\logman.exe /c 70
  2⤵
  - Executes dropped EXE
  PID:4208
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mqtgsvc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mqtgsvc.exe" /c 47
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe /c 84
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\logman.exe
  C:\Windows\System\logman.exe /c 82
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\Windows\ieudinit.exe
  C:\Windows\ieudinit.exe /c 89
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\SysWOW64\drivers\cmstp.exe
  C:\Windows\System32\drivers\cmstp.exe /c 66
  2⤵
  - Executes dropped EXE
  PID:440
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstsc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstsc.exe" /c 29
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\smss.exe
  C:\Windows\System\smss.exe /c 29
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Windows\System\smss.exe
  C:\Windows\System\smss.exe /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3152
- - C:\Windows\System\smss.exe
    C:\Windows\System\smss.exe /c 97
    3⤵
    - Executes dropped EXE
    PID:5032
- - C:\Users\Admin\AppData\Roaming\logman.exe
    C:\Users\Admin\AppData\Roaming\logman.exe /c 78
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mqtgsvc.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mqtgsvc.exe" /c 95
    3⤵
    - Executes dropped EXE
    PID:4896
- - C:\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe /c 16
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\Windows\System\logman.exe
    C:\Windows\System\logman.exe /c 6
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Windows\ieudinit.exe
    C:\Windows\ieudinit.exe /c 41
    3⤵
    - Executes dropped EXE
    PID:2480
- - C:\Windows\SysWOW64\drivers\cmstp.exe
    C:\Windows\System32\drivers\cmstp.exe /c 64
    3⤵
    - Executes dropped EXE
    PID:4828
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstsc.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstsc.exe" /c 22
    3⤵
    - Executes dropped EXE
    PID:3916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\mqtgsvc.exe

Filesize
460KB

MD5
dc6bd0e698ad797bdace68302eb3b7a7

SHA1
55d4dd31f4042349e38e2153318ee737c017b6d0

SHA256
c96dfa2719c0c3716d0b6d9279f3f490eb7d8da09f87b52f8eca31a7d007d873

SHA512
2e3f9a4044f36db07151100213b7811efe41c122c6b7fe63b8e3d4313a590ba3f71204050413b9bca7e2245bd15a9786d62afc19ba0ad761bdea9be1cc0a7214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mqtgsvc.exe

Filesize
460KB

MD5
dc6bd0e698ad797bdace68302eb3b7a7

SHA1
55d4dd31f4042349e38e2153318ee737c017b6d0

SHA256
c96dfa2719c0c3716d0b6d9279f3f490eb7d8da09f87b52f8eca31a7d007d873

SHA512
2e3f9a4044f36db07151100213b7811efe41c122c6b7fe63b8e3d4313a590ba3f71204050413b9bca7e2245bd15a9786d62afc19ba0ad761bdea9be1cc0a7214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mstsc.exe

Filesize
460KB

MD5
c34abdfa0b3e299acef7dfd4b22285ab

SHA1
6559d6b31905caa4d6c70ad08f6090b458b75f3e

SHA256
95d5c162b6c0e7df8617fbbd1858d91a8101f6988e7e26ae5b27f428d3ab6623

SHA512
8f3f36d7cadfb90ff4835a6da9e135fb6796d42823dcf23e67fc2e417ba90a8b686d4273147d83e9b8fb72c0b08b57d31a97b514aefe088ead2e9156b46786d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mstsc.exe

Filesize
460KB

MD5
c34abdfa0b3e299acef7dfd4b22285ab

SHA1
6559d6b31905caa4d6c70ad08f6090b458b75f3e

SHA256
95d5c162b6c0e7df8617fbbd1858d91a8101f6988e7e26ae5b27f428d3ab6623

SHA512
8f3f36d7cadfb90ff4835a6da9e135fb6796d42823dcf23e67fc2e417ba90a8b686d4273147d83e9b8fb72c0b08b57d31a97b514aefe088ead2e9156b46786d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
fd213f7411b212af3ca2877274591bb5

SHA1
e43e9a5584ff62b8bfe88f4ca05eb85a54a0faa2

SHA256
f447648eb8838bb5471974a00f25c57568e64c5a4b719d8ca6d78707c6e5b6eb

SHA512
85c9f984dad9b6995af6b567231b163a88993ff43e69990fca7a2ec73ee2d032da6683897784d3d2cf34c47027ba8bac8f9de7413194e11586f95f0d3984445e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\AppData\Roaming\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Users\Admin\AppData\Roaming\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Users\Admin\AppData\Roaming\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mqtgsvc.exe

Filesize
460KB

MD5
dc6bd0e698ad797bdace68302eb3b7a7

SHA1
55d4dd31f4042349e38e2153318ee737c017b6d0

SHA256
c96dfa2719c0c3716d0b6d9279f3f490eb7d8da09f87b52f8eca31a7d007d873

SHA512
2e3f9a4044f36db07151100213b7811efe41c122c6b7fe63b8e3d4313a590ba3f71204050413b9bca7e2245bd15a9786d62afc19ba0ad761bdea9be1cc0a7214

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstsc.exe

Filesize
460KB

MD5
c34abdfa0b3e299acef7dfd4b22285ab

SHA1
6559d6b31905caa4d6c70ad08f6090b458b75f3e

SHA256
95d5c162b6c0e7df8617fbbd1858d91a8101f6988e7e26ae5b27f428d3ab6623

SHA512
8f3f36d7cadfb90ff4835a6da9e135fb6796d42823dcf23e67fc2e417ba90a8b686d4273147d83e9b8fb72c0b08b57d31a97b514aefe088ead2e9156b46786d5

Download Submit
C:\Windows\SysWOW64\drivers\cmstp.exe

Filesize
460KB

MD5
cd68a3f0169717a673a9502de6d7b02d

SHA1
1666d03879e31d9177b9915ac995cfdfd3ece7ea

SHA256
2e5f42eb9e989fc9eb8c37fb027b25f7aa174d4972477aa28effae7bb5c6d76f

SHA512
cc34309dce52924c74a0cec98e97e11a0f0d7b5c4d54241bdea6b34ada4dedbbb56357de1395145e44a713c9f402c4c40689596626a5d012e91d5dc07224380f

Download Submit
C:\Windows\SysWOW64\drivers\cmstp.exe

Filesize
460KB

MD5
cd68a3f0169717a673a9502de6d7b02d

SHA1
1666d03879e31d9177b9915ac995cfdfd3ece7ea

SHA256
2e5f42eb9e989fc9eb8c37fb027b25f7aa174d4972477aa28effae7bb5c6d76f

SHA512
cc34309dce52924c74a0cec98e97e11a0f0d7b5c4d54241bdea6b34ada4dedbbb56357de1395145e44a713c9f402c4c40689596626a5d012e91d5dc07224380f

Download Submit
C:\Windows\SysWOW64\drivers\cmstp.exe

Filesize
460KB

MD5
cd68a3f0169717a673a9502de6d7b02d

SHA1
1666d03879e31d9177b9915ac995cfdfd3ece7ea

SHA256
2e5f42eb9e989fc9eb8c37fb027b25f7aa174d4972477aa28effae7bb5c6d76f

SHA512
cc34309dce52924c74a0cec98e97e11a0f0d7b5c4d54241bdea6b34ada4dedbbb56357de1395145e44a713c9f402c4c40689596626a5d012e91d5dc07224380f

Download Submit
C:\Windows\System\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Windows\System\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Windows\System\logman.exe

Filesize
460KB

MD5
cad109d0dfc38e85f6c1397f4c49307c

SHA1
3c9070a1125f70a669669e33d2752ff9c4f168cf

SHA256
861488004447c158cc8db22e86e4c064f8fdac30116b723cdf6cbd1250129c9f

SHA512
f47a6025b77928f6b619f543841a7dfcab21f7a5a19d0c994cc611006f434aca51748995919ca9e3f89fadc2b92f692873e2e51ae787b42b45ec0817548a80f5

Download Submit
C:\Windows\System\smss.exe

Filesize
460KB

MD5
1a8d44072c5b7cc17769ccc19852c092

SHA1
7e617a132f65d3df543946ecb02fbbff93cd732d

SHA256
b9eb3af2c66eb4be232afa8048c1a6ce4c6dc337a1f81fd0c9631fb7d6b48833

SHA512
f308a280c64b5b660493bf4400354549f88370077926673f7b1f6d9e824bdd8c5593ca449173a5c8435e175554d577e2939a26f49cc8c13d56daa20225c95aa3

Download Submit
C:\Windows\System\smss.exe

Filesize
460KB

MD5
1a8d44072c5b7cc17769ccc19852c092

SHA1
7e617a132f65d3df543946ecb02fbbff93cd732d

SHA256
b9eb3af2c66eb4be232afa8048c1a6ce4c6dc337a1f81fd0c9631fb7d6b48833

SHA512
f308a280c64b5b660493bf4400354549f88370077926673f7b1f6d9e824bdd8c5593ca449173a5c8435e175554d577e2939a26f49cc8c13d56daa20225c95aa3

Download Submit
C:\Windows\System\smss.exe

Filesize
460KB

MD5
1a8d44072c5b7cc17769ccc19852c092

SHA1
7e617a132f65d3df543946ecb02fbbff93cd732d

SHA256
b9eb3af2c66eb4be232afa8048c1a6ce4c6dc337a1f81fd0c9631fb7d6b48833

SHA512
f308a280c64b5b660493bf4400354549f88370077926673f7b1f6d9e824bdd8c5593ca449173a5c8435e175554d577e2939a26f49cc8c13d56daa20225c95aa3

Download Submit
C:\Windows\System\smss.exe

Filesize
460KB

MD5
1a8d44072c5b7cc17769ccc19852c092

SHA1
7e617a132f65d3df543946ecb02fbbff93cd732d

SHA256
b9eb3af2c66eb4be232afa8048c1a6ce4c6dc337a1f81fd0c9631fb7d6b48833

SHA512
f308a280c64b5b660493bf4400354549f88370077926673f7b1f6d9e824bdd8c5593ca449173a5c8435e175554d577e2939a26f49cc8c13d56daa20225c95aa3

Download Submit
C:\Windows\System\smss.exe

Filesize
460KB

MD5
1a8d44072c5b7cc17769ccc19852c092

SHA1
7e617a132f65d3df543946ecb02fbbff93cd732d

SHA256
b9eb3af2c66eb4be232afa8048c1a6ce4c6dc337a1f81fd0c9631fb7d6b48833

SHA512
f308a280c64b5b660493bf4400354549f88370077926673f7b1f6d9e824bdd8c5593ca449173a5c8435e175554d577e2939a26f49cc8c13d56daa20225c95aa3

Download Submit
C:\Windows\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit
C:\Windows\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit
C:\Windows\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads