796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623

Analysis

max time kernel
180s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Size

460KB
MD5

56b8f8fe5290fa9df79e12386cdedce0
SHA1

8d99129e6d1e75ef3ffb43878ae1f57b23254b2d
SHA256

796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623
SHA512

e7e2ca7f58159c162782791e8036efde17e020a901758cd90232d4460783bc56fd85e9790cd804d7c78afcd7e2089de6bc28d10a0e96aa3dcfb63d4d93fa4e11
SSDEEP

12288:ppLCnVtGQ6vRSDB4fkCmHQrBecfKZIUN:8ofHQaVfKZIUN

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ClipSrv = "C:\\Windows\\clipsrv.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Csrss = "C:\\Windows\\System32\\drivers\\csrss.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\csrss.exe	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCX5054.tmp	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe

Executes dropped EXE 18 IoCs

pid	Process
3460	clipsrv.exe
2656	mstinit.exe
2776	csrss.exe
4864	clipsrv.exe
4148	rsvp.exe
204	csrss.exe
3380	dllhst3g.exe
4344	ieudinit.exe
3468	clipsrv.exe
2268	clipsrv.exe
3160	clipsrv.exe
4276	mstinit.exe
5068	csrss.exe
3856	clipsrv.exe
4196	rsvp.exe
1680	csrss.exe
3444	dllhst3g.exe
4324	ieudinit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Task Scheduler = "C:\\ProgramData\\Microsoft\\mstinit.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ClipSrv = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\clipsrv.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\clipsrv.exe	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File opened for modification	C:\Windows\clipsrv.exe	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File opened for modification	C:\Windows\RCX4CE7.tmp	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File created	C:\Windows\rsvp.exe	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File opened for modification	C:\Windows\RCX524A.tmp	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File created	C:\Windows\System\dllhst3g.exe	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
File opened for modification	C:\Windows\System\RCX54BD.tmp	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\IEudInit = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\ieudinit.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g = "C:\\Windows\\System\\dllhst3g.exe"	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3460	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	81
PID 1536 wrote to memory of 3460	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	81
PID 1536 wrote to memory of 3460	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	81
PID 1536 wrote to memory of 2656	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	82
PID 1536 wrote to memory of 2656	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	82
PID 1536 wrote to memory of 2656	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	82
PID 1536 wrote to memory of 2776	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	83
PID 1536 wrote to memory of 2776	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	83
PID 1536 wrote to memory of 2776	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	83
PID 1536 wrote to memory of 4864	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	84
PID 1536 wrote to memory of 4864	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	84
PID 1536 wrote to memory of 4864	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	84
PID 1536 wrote to memory of 4148	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	85
PID 1536 wrote to memory of 4148	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	85
PID 1536 wrote to memory of 4148	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	85
PID 1536 wrote to memory of 204	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	86
PID 1536 wrote to memory of 204	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	86
PID 1536 wrote to memory of 204	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	86
PID 1536 wrote to memory of 3380	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	87
PID 1536 wrote to memory of 3380	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	87
PID 1536 wrote to memory of 3380	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	87
PID 1536 wrote to memory of 4344	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	88
PID 1536 wrote to memory of 4344	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	88
PID 1536 wrote to memory of 4344	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	88
PID 1536 wrote to memory of 3468	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	89
PID 1536 wrote to memory of 3468	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	89
PID 1536 wrote to memory of 3468	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	89
PID 1536 wrote to memory of 2268	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	90
PID 1536 wrote to memory of 2268	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	90
PID 1536 wrote to memory of 2268	1536	796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe	90
PID 2268 wrote to memory of 3160	2268	clipsrv.exe	91
PID 2268 wrote to memory of 3160	2268	clipsrv.exe	91
PID 2268 wrote to memory of 3160	2268	clipsrv.exe	91
PID 2268 wrote to memory of 4276	2268	clipsrv.exe	92
PID 2268 wrote to memory of 4276	2268	clipsrv.exe	92
PID 2268 wrote to memory of 4276	2268	clipsrv.exe	92
PID 2268 wrote to memory of 5068	2268	clipsrv.exe	93
PID 2268 wrote to memory of 5068	2268	clipsrv.exe	93
PID 2268 wrote to memory of 5068	2268	clipsrv.exe	93
PID 2268 wrote to memory of 3856	2268	clipsrv.exe	94
PID 2268 wrote to memory of 3856	2268	clipsrv.exe	94
PID 2268 wrote to memory of 3856	2268	clipsrv.exe	94
PID 2268 wrote to memory of 4196	2268	clipsrv.exe	97
PID 2268 wrote to memory of 4196	2268	clipsrv.exe	97
PID 2268 wrote to memory of 4196	2268	clipsrv.exe	97
PID 2268 wrote to memory of 1680	2268	clipsrv.exe	98
PID 2268 wrote to memory of 1680	2268	clipsrv.exe	98
PID 2268 wrote to memory of 1680	2268	clipsrv.exe	98
PID 2268 wrote to memory of 3444	2268	clipsrv.exe	99
PID 2268 wrote to memory of 3444	2268	clipsrv.exe	99
PID 2268 wrote to memory of 3444	2268	clipsrv.exe	99
PID 2268 wrote to memory of 4324	2268	clipsrv.exe	100
PID 2268 wrote to memory of 4324	2268	clipsrv.exe	100
PID 2268 wrote to memory of 4324	2268	clipsrv.exe	100

C:\Users\Admin\AppData\Local\Temp\796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe
"C:\Users\Admin\AppData\Local\Temp\796d7d0446a5d1c105ef14a220eebb15052905a2b5d5d43bca79f32fa7fec623.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\clipsrv.exe
  C:\Windows\clipsrv.exe /c 88
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\ProgramData\Microsoft\mstinit.exe
  C:\ProgramData\Microsoft\mstinit.exe /c 84
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\SysWOW64\drivers\csrss.exe
  C:\Windows\System32\drivers\csrss.exe /c 89
  2⤵
  - Executes dropped EXE
  PID:2776
- C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /c 55
  2⤵
  - Executes dropped EXE
  PID:4864
- C:\Windows\rsvp.exe
  C:\Windows\rsvp.exe /c 42
  2⤵
  - Executes dropped EXE
  PID:4148
- C:\Users\Admin\AppData\Roaming\csrss.exe
  C:\Users\Admin\AppData\Roaming\csrss.exe /c 90
  2⤵
  - Executes dropped EXE
  PID:204
- C:\Windows\System\dllhst3g.exe
  C:\Windows\System\dllhst3g.exe /c 10
  2⤵
  - Executes dropped EXE
  PID:3380
- C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe /c 49
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\clipsrv.exe
  C:\Windows\clipsrv.exe /c 68
  2⤵
  - Executes dropped EXE
  PID:3468
- C:\Windows\clipsrv.exe
  C:\Windows\clipsrv.exe /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\clipsrv.exe
    C:\Windows\clipsrv.exe /c 18
    3⤵
    - Executes dropped EXE
    PID:3160
- - C:\ProgramData\Microsoft\mstinit.exe
    C:\ProgramData\Microsoft\mstinit.exe /c 41
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Windows\SysWOW64\drivers\csrss.exe
    C:\Windows\System32\drivers\csrss.exe /c 71
    3⤵
    - Executes dropped EXE
    PID:5068
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /c 66
    3⤵
    - Executes dropped EXE
    PID:3856
- - C:\Windows\rsvp.exe
    C:\Windows\rsvp.exe /c 95
    3⤵
    - Executes dropped EXE
    PID:4196
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    C:\Users\Admin\AppData\Roaming\csrss.exe /c 15
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Windows\System\dllhst3g.exe
    C:\Windows\System\dllhst3g.exe /c 9
    3⤵
    - Executes dropped EXE
    PID:3444
- - C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe /c 41
    3⤵
    - Executes dropped EXE
    PID:4324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\mstinit.exe

Filesize
460KB

MD5
2bca096883d21b70b823df63559c2523

SHA1
52480ecb56e250bc688bd454762dd6ab590a632a

SHA256
19ef50a821b778c52318d4cda35ef329d8dab03f28c52491c065d7389e0e7c90

SHA512
d35a4aa6856fdccd02c0add29685ce7bf89cb3991cf311e617c8313ef58158c8337e3eb961100b0b23c860a8e5313cb8fd3cabd035a4c4e71d38c66ce2c88e9d

Download Submit
C:\ProgramData\Microsoft\mstinit.exe

Filesize
460KB

MD5
2bca096883d21b70b823df63559c2523

SHA1
52480ecb56e250bc688bd454762dd6ab590a632a

SHA256
19ef50a821b778c52318d4cda35ef329d8dab03f28c52491c065d7389e0e7c90

SHA512
d35a4aa6856fdccd02c0add29685ce7bf89cb3991cf311e617c8313ef58158c8337e3eb961100b0b23c860a8e5313cb8fd3cabd035a4c4e71d38c66ce2c88e9d

Download Submit
C:\ProgramData\Microsoft\mstinit.exe

Filesize
460KB

MD5
2bca096883d21b70b823df63559c2523

SHA1
52480ecb56e250bc688bd454762dd6ab590a632a

SHA256
19ef50a821b778c52318d4cda35ef329d8dab03f28c52491c065d7389e0e7c90

SHA512
d35a4aa6856fdccd02c0add29685ce7bf89cb3991cf311e617c8313ef58158c8337e3eb961100b0b23c860a8e5313cb8fd3cabd035a4c4e71d38c66ce2c88e9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
3648f1e496a9794de7c11a369cd2d1a0

SHA1
1c49cecc926eab8ebaaf661eb15c9879e14387c2

SHA256
8e95a3cb61d13b8938d7f95b69d8d980d4313a393852ad588434a10078c2aeb7

SHA512
389a8885cdcf8c8019e783b114faded574c7ff7cbb908278bead710822e57d09ad301d2cab1dbca5acbd90498aa5c05a6fb4f9db65b1a5d82208bff1a8256006

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\ieudinit.exe

Filesize
460KB

MD5
60c5b2c3e491287b5b7b89a4c0e98866

SHA1
34a58db99ad7378e10368d4e5d96caba7d471244

SHA256
4ae33bdf52274199b59320dc91501e7cf96063a580ea5d9d70a90ae30e997631

SHA512
0c8a4c41f8f50ae9a1be464a41157dd1867cde526ecf353b42c093507fdd36d1c4ef25ceae7b24ffefe7eec36732312f405f241d866261c9ede7a8f2029f73ad

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
460KB

MD5
8b95e69809b524659f8c7a88d134731d

SHA1
8b7265f6f52871ee725276fe2d77848263612401

SHA256
0782361e402bea1f43d554ba05b7f490d1047cf6c1f4172f9832275e685ecfd0

SHA512
fb675993c78664a6380c9dda29510e532b74165f1e3650145994bd42ab2f1ee2f4be1119ab37d5afb0eb3de10b3870f8f2825fde8ecb865c8593aed4726ce8cc

Download Submit
C:\Windows\System\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\Windows\System\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\Windows\System\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\Windows\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\clipsrv.exe

Filesize
460KB

MD5
8f4abf801042246268c147bd7ac0c076

SHA1
a6ed160543266ea9b327ab483592b569dbdbe240

SHA256
853c93fe19385192f39c004ef86be123fcb225dc1937b879891bdc4a373aef8c

SHA512
9881e3c03a526afdc2753c41cab12473ff4cf8b02e2bb964a6135f850592e45b1ec92e3498236a6030e399ab6dabae95f735eb1f2a5e096cd75c32420a4a5dcc

Download Submit
C:\Windows\rsvp.exe

Filesize
460KB

MD5
371f71467278a24648bc5821181d7a17

SHA1
eba0d13351f631f2e18847f7da9faf4a7ef9b48e

SHA256
5f24dbc80833db2ea09c686c95399175505026ac87796b292073a2c0504001e1

SHA512
d3a9f155375487ee24f0dc14cc112cf8aec3f24f1cbdca1d7852a95fffb3b7e9898246f8cade9d0d114abfd29c4c877eb5eeea159f232a3717afcf2297be857a

Download Submit
C:\Windows\rsvp.exe

Filesize
460KB

MD5
371f71467278a24648bc5821181d7a17

SHA1
eba0d13351f631f2e18847f7da9faf4a7ef9b48e

SHA256
5f24dbc80833db2ea09c686c95399175505026ac87796b292073a2c0504001e1

SHA512
d3a9f155375487ee24f0dc14cc112cf8aec3f24f1cbdca1d7852a95fffb3b7e9898246f8cade9d0d114abfd29c4c877eb5eeea159f232a3717afcf2297be857a

Download Submit
C:\Windows\rsvp.exe

Filesize
460KB

MD5
371f71467278a24648bc5821181d7a17

SHA1
eba0d13351f631f2e18847f7da9faf4a7ef9b48e

SHA256
5f24dbc80833db2ea09c686c95399175505026ac87796b292073a2c0504001e1

SHA512
d3a9f155375487ee24f0dc14cc112cf8aec3f24f1cbdca1d7852a95fffb3b7e9898246f8cade9d0d114abfd29c4c877eb5eeea159f232a3717afcf2297be857a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads