29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

Analysis

max time kernel
186s
max time network
122s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Size

457KB
MD5

5345861a75c13995ab035f70dc865146
SHA1

39a6fbe443c946b480b7fdc078b451f29eae5ac5
SHA256

29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f
SHA512

ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8
SSDEEP

12288:7JCUThPbyIl03ykCLGtltjilZOrwNgluXU:fCFCaljilZOrwauXU

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Spooler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\spoolsv.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Sessmgr = "C:\\Windows\\System32\\drivers\\sessmgr.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sessmgr.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\sessmgr.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Executes dropped EXE 18 IoCs

pid	Process
872	sessmgr.exe
584	clipsrv.exe
964	spoolsv.exe
1944	wininit.exe
1844	csrss.exe
328	smss.exe
920	logman.exe
1552	wininit.exe
556	sessmgr.exe
608	sessmgr.exe
1712	sessmgr.exe
1772	clipsrv.exe
1476	spoolsv.exe
1380	wininit.exe
1988	csrss.exe
2004	smss.exe
1732	logman.exe
876	wininit.exe

Loads dropped DLL 33 IoCs

pid	Process
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
608	sessmgr.exe
608	sessmgr.exe
608	sessmgr.exe
608	sessmgr.exe
608	sessmgr.exe
608	sessmgr.exe
608	sessmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ClipSrv = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\clipsrv.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinInit = "C:\\PROGRA~3\\MICROS~1\\wininit.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\PROGRA~3\MICROS~1\wininit.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File created	C:\PROGRA~3\csrss.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File opened for modification	C:\PROGRA~3\MICROS~1\wininit.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\smss.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Modifies data under HKEY_USERS 12 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Logman = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\logman.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinInit = "C:\\PROGRA~3\\MICROS~1\\wininit.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1628 wrote to memory of 872	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	28
PID 1628 wrote to memory of 872	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	28
PID 1628 wrote to memory of 872	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	28
PID 1628 wrote to memory of 872	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	28
PID 1628 wrote to memory of 584	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	29
PID 1628 wrote to memory of 584	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	29
PID 1628 wrote to memory of 584	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	29
PID 1628 wrote to memory of 584	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	29
PID 1628 wrote to memory of 964	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	30
PID 1628 wrote to memory of 964	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	30
PID 1628 wrote to memory of 964	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	30
PID 1628 wrote to memory of 964	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	30
PID 1628 wrote to memory of 1944	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	31
PID 1628 wrote to memory of 1944	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	31
PID 1628 wrote to memory of 1944	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	31
PID 1628 wrote to memory of 1944	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	31
PID 1628 wrote to memory of 1844	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	32
PID 1628 wrote to memory of 1844	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	32
PID 1628 wrote to memory of 1844	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	32
PID 1628 wrote to memory of 1844	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	32
PID 1628 wrote to memory of 328	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	33
PID 1628 wrote to memory of 328	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	33
PID 1628 wrote to memory of 328	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	33
PID 1628 wrote to memory of 328	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	33
PID 1628 wrote to memory of 920	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	34
PID 1628 wrote to memory of 920	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	34
PID 1628 wrote to memory of 920	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	34
PID 1628 wrote to memory of 920	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	34
PID 1628 wrote to memory of 1552	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	35
PID 1628 wrote to memory of 1552	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	35
PID 1628 wrote to memory of 1552	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	35
PID 1628 wrote to memory of 1552	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	35
PID 1628 wrote to memory of 556	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	36
PID 1628 wrote to memory of 556	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	36
PID 1628 wrote to memory of 556	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	36
PID 1628 wrote to memory of 556	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	36
PID 1628 wrote to memory of 608	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	37
PID 1628 wrote to memory of 608	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	37
PID 1628 wrote to memory of 608	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	37
PID 1628 wrote to memory of 608	1628	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	37
PID 608 wrote to memory of 1712	608	sessmgr.exe	38
PID 608 wrote to memory of 1712	608	sessmgr.exe	38
PID 608 wrote to memory of 1712	608	sessmgr.exe	38
PID 608 wrote to memory of 1712	608	sessmgr.exe	38
PID 608 wrote to memory of 1772	608	sessmgr.exe	39
PID 608 wrote to memory of 1772	608	sessmgr.exe	39
PID 608 wrote to memory of 1772	608	sessmgr.exe	39
PID 608 wrote to memory of 1772	608	sessmgr.exe	39
PID 608 wrote to memory of 1476	608	sessmgr.exe	40
PID 608 wrote to memory of 1476	608	sessmgr.exe	40
PID 608 wrote to memory of 1476	608	sessmgr.exe	40
PID 608 wrote to memory of 1476	608	sessmgr.exe	40
PID 608 wrote to memory of 1380	608	sessmgr.exe	41
PID 608 wrote to memory of 1380	608	sessmgr.exe	41
PID 608 wrote to memory of 1380	608	sessmgr.exe	41
PID 608 wrote to memory of 1380	608	sessmgr.exe	41
PID 608 wrote to memory of 1988	608	sessmgr.exe	42
PID 608 wrote to memory of 1988	608	sessmgr.exe	42
PID 608 wrote to memory of 1988	608	sessmgr.exe	42
PID 608 wrote to memory of 1988	608	sessmgr.exe	42
PID 608 wrote to memory of 2004	608	sessmgr.exe	43
PID 608 wrote to memory of 2004	608	sessmgr.exe	43
PID 608 wrote to memory of 2004	608	sessmgr.exe	43
PID 608 wrote to memory of 2004	608	sessmgr.exe	43

C:\Users\Admin\AppData\Local\Temp\29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
"C:\Users\Admin\AppData\Local\Temp\29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1628
- C:\Windows\SysWOW64\drivers\sessmgr.exe
  C:\Windows\System32\drivers\sessmgr.exe /c 99
  2⤵
  - Executes dropped EXE
  PID:872
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\clipsrv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\clipsrv.exe" /c 27
  2⤵
  - Executes dropped EXE
  PID:584
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe" /c 13
  2⤵
  - Executes dropped EXE
  PID:964
- C:\PROGRA~3\MICROS~1\wininit.exe
  C:\PROGRA~3\MICROS~1\wininit.exe /c 100
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\PROGRA~3\csrss.exe
  C:\PROGRA~3\csrss.exe /c 22
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\smss.exe
  C:\Windows\System\smss.exe /c 57
  2⤵
  - Executes dropped EXE
  PID:328
- C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe /c 82
  2⤵
  - Executes dropped EXE
  PID:920
- C:\PROGRA~3\MICROS~1\wininit.exe
  C:\PROGRA~3\MICROS~1\wininit.exe /c 62
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Windows\SysWOW64\drivers\sessmgr.exe
  C:\Windows\System32\drivers\sessmgr.exe /c 100
  2⤵
  - Executes dropped EXE
  PID:556
- C:\Windows\SysWOW64\drivers\sessmgr.exe
  C:\Windows\System32\drivers\sessmgr.exe /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\drivers\sessmgr.exe
    C:\Windows\System32\drivers\sessmgr.exe /c 31
    3⤵
    - Executes dropped EXE
    PID:1712
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\clipsrv.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\clipsrv.exe" /c 34
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe" /c 42
    3⤵
    - Executes dropped EXE
    PID:1476
- - C:\PROGRA~3\MICROS~1\wininit.exe
    C:\PROGRA~3\MICROS~1\wininit.exe /c 8
    3⤵
    - Executes dropped EXE
    PID:1380
- - C:\PROGRA~3\csrss.exe
    C:\PROGRA~3\csrss.exe /c 79
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Windows\System\smss.exe
    C:\Windows\System\smss.exe /c 83
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe /c 53
    3⤵
    - Executes dropped EXE
    PID:1732
- - C:\PROGRA~3\MICROS~1\wininit.exe
    C:\PROGRA~3\MICROS~1\wininit.exe /c 84
    3⤵
    - Executes dropped EXE
    PID:876

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
dae63fdf3ac386bc570bba6ef5b45ec3

SHA1
30448c887cc674f5162f43d113a349132bc641ac

SHA256
dcc44715c1d19d9c97f77b3315412b4b124ab6a4b678443bd3066f86ce232ad9

SHA512
a4ff8b38362ea17d00df58501ba17272ba750f08015c20e0bbd463bdde82d39b192ce6278e57890818f50d1022db125ad68888806ecc163b970dff2aae7d26b2

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\system\smss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
C:\Windows\system\smss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\MICROS~1\wininit.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\PROGRA~3\csrss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\clipsrv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Users\Admin\AppData\Roaming\MICROS~1\logman.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\system\smss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\system\smss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
\Windows\system\smss.exe

Filesize
457KB

MD5
5345861a75c13995ab035f70dc865146

SHA1
39a6fbe443c946b480b7fdc078b451f29eae5ac5

SHA256
29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

SHA512
ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8

Download Submit
memory/328-82-0x0000000000000000-mapping.dmp

Download
memory/556-95-0x0000000000000000-mapping.dmp

Download
memory/584-62-0x0000000000000000-mapping.dmp

Download
memory/608-130-0x00000000754C1000-0x00000000754C3000-memory.dmp

Filesize
8KB

Download
memory/608-98-0x0000000000000000-mapping.dmp

Download
memory/872-57-0x0000000000000000-mapping.dmp

Download
memory/876-128-0x0000000000000000-mapping.dmp

Download
memory/920-87-0x0000000000000000-mapping.dmp

Download
memory/964-67-0x0000000000000000-mapping.dmp

Download
memory/1380-115-0x0000000000000000-mapping.dmp

Download
memory/1476-111-0x0000000000000000-mapping.dmp

Download
memory/1552-92-0x0000000000000000-mapping.dmp

Download
memory/1712-103-0x0000000000000000-mapping.dmp

Download
memory/1732-125-0x0000000000000000-mapping.dmp

Download
memory/1772-107-0x0000000000000000-mapping.dmp

Download
memory/1844-77-0x0000000000000000-mapping.dmp

Download
memory/1944-72-0x0000000000000000-mapping.dmp

Download
memory/1988-119-0x0000000000000000-mapping.dmp

Download
memory/2004-121-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads