29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f

Analysis

max time kernel
152s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 22:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Size

457KB
MD5

5345861a75c13995ab035f70dc865146
SHA1

39a6fbe443c946b480b7fdc078b451f29eae5ac5
SHA256

29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f
SHA512

ccfe2b88343541f60c1486910f17cfcf1319ce85573eb2d1145d5e63a8d12fda096d613b775ec0f664809a3cb5537c09f94fe11aa796c05430887e8591a279e8
SSDEEP

12288:7JCUThPbyIl03ykCLGtltjilZOrwNgluXU:fCFCaljilZOrwauXU

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Sessmgr = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\sessmgr.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\cisvc.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Drops file in Drivers directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\winlogon.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXB9C3.tmp	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File created	C:\Windows\SysWOW64\drivers\dllhst3g.exe	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXBA80.tmp	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Executes dropped EXE 18 IoCs

pid	Process
4692	cisvc.exe
5016	spoolsv.exe
4932	sessmgr.exe
4992	dllhst3g.exe
4880	winlogon.exe
376	dllhst3g.exe
948	dllhst3g.exe
3156	mstinit.exe
4768	cisvc.exe
1440	cisvc.exe
1500	cisvc.exe
5104	spoolsv.exe
4384	sessmgr.exe
3968	dllhst3g.exe
2504	winlogon.exe
2452	dllhst3g.exe
4032	dllhst3g.exe
2560	mstinit.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Spooler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\spoolsv.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DllHost3g = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhst3g.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Task Scheduler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\mstinit.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DllHost3g = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\dllhst3g.exe"	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1608 wrote to memory of 4692	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	81
PID 1608 wrote to memory of 4692	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	81
PID 1608 wrote to memory of 4692	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	81
PID 1608 wrote to memory of 5016	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	82
PID 1608 wrote to memory of 5016	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	82
PID 1608 wrote to memory of 5016	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	82
PID 1608 wrote to memory of 4932	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	83
PID 1608 wrote to memory of 4932	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	83
PID 1608 wrote to memory of 4932	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	83
PID 1608 wrote to memory of 4992	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	84
PID 1608 wrote to memory of 4992	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	84
PID 1608 wrote to memory of 4992	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	84
PID 1608 wrote to memory of 4880	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	85
PID 1608 wrote to memory of 4880	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	85
PID 1608 wrote to memory of 4880	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	85
PID 1608 wrote to memory of 376	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	86
PID 1608 wrote to memory of 376	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	86
PID 1608 wrote to memory of 376	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	86
PID 1608 wrote to memory of 948	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	87
PID 1608 wrote to memory of 948	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	87
PID 1608 wrote to memory of 948	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	87
PID 1608 wrote to memory of 3156	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	88
PID 1608 wrote to memory of 3156	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	88
PID 1608 wrote to memory of 3156	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	88
PID 1608 wrote to memory of 4768	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	89
PID 1608 wrote to memory of 4768	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	89
PID 1608 wrote to memory of 4768	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	89
PID 1608 wrote to memory of 1440	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	92
PID 1608 wrote to memory of 1440	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	92
PID 1608 wrote to memory of 1440	1608	29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe	92
PID 1440 wrote to memory of 1500	1440	cisvc.exe	93
PID 1440 wrote to memory of 1500	1440	cisvc.exe	93
PID 1440 wrote to memory of 1500	1440	cisvc.exe	93
PID 1440 wrote to memory of 5104	1440	cisvc.exe	94
PID 1440 wrote to memory of 5104	1440	cisvc.exe	94
PID 1440 wrote to memory of 5104	1440	cisvc.exe	94
PID 1440 wrote to memory of 4384	1440	cisvc.exe	95
PID 1440 wrote to memory of 4384	1440	cisvc.exe	95
PID 1440 wrote to memory of 4384	1440	cisvc.exe	95
PID 1440 wrote to memory of 3968	1440	cisvc.exe	97
PID 1440 wrote to memory of 3968	1440	cisvc.exe	97
PID 1440 wrote to memory of 3968	1440	cisvc.exe	97
PID 1440 wrote to memory of 2504	1440	cisvc.exe	98
PID 1440 wrote to memory of 2504	1440	cisvc.exe	98
PID 1440 wrote to memory of 2504	1440	cisvc.exe	98
PID 1440 wrote to memory of 2452	1440	cisvc.exe	99
PID 1440 wrote to memory of 2452	1440	cisvc.exe	99
PID 1440 wrote to memory of 2452	1440	cisvc.exe	99
PID 1440 wrote to memory of 4032	1440	cisvc.exe	100
PID 1440 wrote to memory of 4032	1440	cisvc.exe	100
PID 1440 wrote to memory of 4032	1440	cisvc.exe	100
PID 1440 wrote to memory of 2560	1440	cisvc.exe	101
PID 1440 wrote to memory of 2560	1440	cisvc.exe	101
PID 1440 wrote to memory of 2560	1440	cisvc.exe	101

C:\Users\Admin\AppData\Local\Temp\29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe
"C:\Users\Admin\AppData\Local\Temp\29d0fa6b5b76a6b7b29ed7fc535ebda13fcb029b8838f3276b0358e685b01d8f.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1608
- C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe" /c 32
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe" /c 98
  2⤵
  - Executes dropped EXE
  PID:5016
- C:\Users\Admin\Local Settings\Application Data\Microsoft\sessmgr.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\sessmgr.exe" /c 8
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhst3g.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhst3g.exe" /c 66
  2⤵
  - Executes dropped EXE
  PID:4992
- C:\Windows\SysWOW64\drivers\winlogon.exe
  C:\Windows\System32\drivers\winlogon.exe /c 67
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\SysWOW64\drivers\dllhst3g.exe
  C:\Windows\System32\drivers\dllhst3g.exe /c 18
  2⤵
  - Executes dropped EXE
  PID:376
- C:\Users\Admin\Local Settings\Application Data\Microsoft\dllhst3g.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\dllhst3g.exe" /c 62
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe" /c 23
  2⤵
  - Executes dropped EXE
  PID:3156
- C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe" /c 71
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe" /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe" /c 31
    3⤵
    - Executes dropped EXE
    PID:1500
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe" /c 95
    3⤵
    - Executes dropped EXE
    PID:5104
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\sessmgr.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\sessmgr.exe" /c 17
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhst3g.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhst3g.exe" /c 2
    3⤵
    - Executes dropped EXE
    PID:3968
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    C:\Windows\System32\drivers\winlogon.exe /c 70
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\drivers\dllhst3g.exe
    C:\Windows\System32\drivers\dllhst3g.exe /c 63
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\dllhst3g.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\dllhst3g.exe" /c 24
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe" /c 37
    3⤵
    - Executes dropped EXE
    PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mstinit.exe

Filesize
457KB

MD5
347f633bcd3a698df36dec971e467a2b

SHA1
1a9bdbd700bc2725802edecd0cdcc1ef0edcd35e

SHA256
0be996c947ac3a1d103caf2559fb591cf997f7286b34c008bd412089e0b000c1

SHA512
bcf9defb9a997dbe9e605f376ef27a6acc3e8bec9017507125552d26fb91743fcf048180728b4e2a1bb21afe7c9066b3b1daf01d02f3c3418e56886e1c642b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mstinit.exe

Filesize
457KB

MD5
347f633bcd3a698df36dec971e467a2b

SHA1
1a9bdbd700bc2725802edecd0cdcc1ef0edcd35e

SHA256
0be996c947ac3a1d103caf2559fb591cf997f7286b34c008bd412089e0b000c1

SHA512
bcf9defb9a997dbe9e605f376ef27a6acc3e8bec9017507125552d26fb91743fcf048180728b4e2a1bb21afe7c9066b3b1daf01d02f3c3418e56886e1c642b5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
f724a1e04c843673e4154c3d968ddaab

SHA1
947d9166ec802dcf98ce63f6a05e70c43fb153a9

SHA256
abc54d95e824d303ed2e57a3bbddbde96aaee4fdd1b36b21b8915221d996bf8f

SHA512
03692c03918a0c8d5cc503a5486302530578ae831a436ada1d86eb59e6beecf7f6aba728bd59a2a48579678861028a5f6ed61ce4140aca4ba079be9e3896aa92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
f724a1e04c843673e4154c3d968ddaab

SHA1
947d9166ec802dcf98ce63f6a05e70c43fb153a9

SHA256
abc54d95e824d303ed2e57a3bbddbde96aaee4fdd1b36b21b8915221d996bf8f

SHA512
03692c03918a0c8d5cc503a5486302530578ae831a436ada1d86eb59e6beecf7f6aba728bd59a2a48579678861028a5f6ed61ce4140aca4ba079be9e3896aa92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\cisvc.exe

Filesize
457KB

MD5
be0ab67cbbb20e8d0f0132a9e4d447f9

SHA1
a7008c26641ced42f1614d3e7a030c9481ff7d92

SHA256
ed277068dcab9afa98bb7c559f86963ecde716c5f7546463bcc6c9178ff6bd4e

SHA512
7f965a9e563296256392b9f83a874a83d3d1f168aa8ee1f3da3c1e429c8e204b18a653c82cbb69b34b4a011a5d08e28c8f193f38f0403898afeed819e372d440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\cisvc.exe

Filesize
457KB

MD5
be0ab67cbbb20e8d0f0132a9e4d447f9

SHA1
a7008c26641ced42f1614d3e7a030c9481ff7d92

SHA256
ed277068dcab9afa98bb7c559f86963ecde716c5f7546463bcc6c9178ff6bd4e

SHA512
7f965a9e563296256392b9f83a874a83d3d1f168aa8ee1f3da3c1e429c8e204b18a653c82cbb69b34b4a011a5d08e28c8f193f38f0403898afeed819e372d440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\cisvc.exe

Filesize
457KB

MD5
be0ab67cbbb20e8d0f0132a9e4d447f9

SHA1
a7008c26641ced42f1614d3e7a030c9481ff7d92

SHA256
ed277068dcab9afa98bb7c559f86963ecde716c5f7546463bcc6c9178ff6bd4e

SHA512
7f965a9e563296256392b9f83a874a83d3d1f168aa8ee1f3da3c1e429c8e204b18a653c82cbb69b34b4a011a5d08e28c8f193f38f0403898afeed819e372d440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\cisvc.exe

Filesize
457KB

MD5
be0ab67cbbb20e8d0f0132a9e4d447f9

SHA1
a7008c26641ced42f1614d3e7a030c9481ff7d92

SHA256
ed277068dcab9afa98bb7c559f86963ecde716c5f7546463bcc6c9178ff6bd4e

SHA512
7f965a9e563296256392b9f83a874a83d3d1f168aa8ee1f3da3c1e429c8e204b18a653c82cbb69b34b4a011a5d08e28c8f193f38f0403898afeed819e372d440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\sessmgr.exe

Filesize
457KB

MD5
48872844c8c7a92a4e4a3a24dabefb1f

SHA1
33fb11e8dfbe031dd121c21c205545367e7ceaac

SHA256
52421b1b1d88b87779cf6ba8129b2e49f57c19b15b7c39438edd54f75e682941

SHA512
3a29a7f3fec45f80574b426f441c21d66fd0f6d986ca2c8b8358b05f660c32331adbdec0ff9149b351bca5e876db33f5895f6364c0233f52f5c501e862d20a98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\sessmgr.exe

Filesize
457KB

MD5
48872844c8c7a92a4e4a3a24dabefb1f

SHA1
33fb11e8dfbe031dd121c21c205545367e7ceaac

SHA256
52421b1b1d88b87779cf6ba8129b2e49f57c19b15b7c39438edd54f75e682941

SHA512
3a29a7f3fec45f80574b426f441c21d66fd0f6d986ca2c8b8358b05f660c32331adbdec0ff9149b351bca5e876db33f5895f6364c0233f52f5c501e862d20a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
9B

MD5
7b310a03a5ac96fd5f329bad46d0c622

SHA1
eff750b98416ba54d584a97be2cedf4e244aa725

SHA256
7319e1073bfd622ff5e43d87459aed767e2382fe21e34f04517c048b23c844f4

SHA512
a09c746ea91b74bdf0d2614dd04790ebbb1fd03c032e7238db4a62c1a63565abb7b439ec122842f0bcb2967be7d305472db964415052597d5d3c1f413361420a

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe

Filesize
457KB

MD5
347f633bcd3a698df36dec971e467a2b

SHA1
1a9bdbd700bc2725802edecd0cdcc1ef0edcd35e

SHA256
0be996c947ac3a1d103caf2559fb591cf997f7286b34c008bd412089e0b000c1

SHA512
bcf9defb9a997dbe9e605f376ef27a6acc3e8bec9017507125552d26fb91743fcf048180728b4e2a1bb21afe7c9066b3b1daf01d02f3c3418e56886e1c642b5e

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\spoolsv.exe

Filesize
457KB

MD5
f724a1e04c843673e4154c3d968ddaab

SHA1
947d9166ec802dcf98ce63f6a05e70c43fb153a9

SHA256
abc54d95e824d303ed2e57a3bbddbde96aaee4fdd1b36b21b8915221d996bf8f

SHA512
03692c03918a0c8d5cc503a5486302530578ae831a436ada1d86eb59e6beecf7f6aba728bd59a2a48579678861028a5f6ed61ce4140aca4ba079be9e3896aa92

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\cisvc.exe

Filesize
457KB

MD5
be0ab67cbbb20e8d0f0132a9e4d447f9

SHA1
a7008c26641ced42f1614d3e7a030c9481ff7d92

SHA256
ed277068dcab9afa98bb7c559f86963ecde716c5f7546463bcc6c9178ff6bd4e

SHA512
7f965a9e563296256392b9f83a874a83d3d1f168aa8ee1f3da3c1e429c8e204b18a653c82cbb69b34b4a011a5d08e28c8f193f38f0403898afeed819e372d440

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\sessmgr.exe

Filesize
457KB

MD5
48872844c8c7a92a4e4a3a24dabefb1f

SHA1
33fb11e8dfbe031dd121c21c205545367e7ceaac

SHA256
52421b1b1d88b87779cf6ba8129b2e49f57c19b15b7c39438edd54f75e682941

SHA512
3a29a7f3fec45f80574b426f441c21d66fd0f6d986ca2c8b8358b05f660c32331adbdec0ff9149b351bca5e876db33f5895f6364c0233f52f5c501e862d20a98

Download Submit
C:\Windows\SysWOW64\drivers\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Windows\SysWOW64\drivers\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Windows\SysWOW64\drivers\dllhst3g.exe

Filesize
457KB

MD5
69e11fee32afff8b36789d32eb23f9af

SHA1
f7079892a5d356f42a4bfa742c6df7c5c969308a

SHA256
6cd49e77f58545d7516562c64ce5511e971676567453f1979276b3ca678f2841

SHA512
de24f695eeb5287b3c9d72a64ec357a8c34912551ad60828e8e9acd0efdcf1e1287403fb82794dc58cdbb8aa1c5fda462592813ec25c459fe7e3362b86f40ddc

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
457KB

MD5
cc77ae46082c350cdb0dcf08108c34c7

SHA1
494a6ee14b767cd03b4514d0878c057970c0410b

SHA256
7e509ce97c2e2c5b64567af0a20b5fa17703ccfaac8be7717d93bcddfbbc9eb5

SHA512
4a6c3f698b90f245d3328d97ddd30b5871f74cac934b1ad083379667fc9e66616f89495179ef21330ceaf96f3d91c7f7955b692f91309ae0a2b755345162b1b0

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
457KB

MD5
cc77ae46082c350cdb0dcf08108c34c7

SHA1
494a6ee14b767cd03b4514d0878c057970c0410b

SHA256
7e509ce97c2e2c5b64567af0a20b5fa17703ccfaac8be7717d93bcddfbbc9eb5

SHA512
4a6c3f698b90f245d3328d97ddd30b5871f74cac934b1ad083379667fc9e66616f89495179ef21330ceaf96f3d91c7f7955b692f91309ae0a2b755345162b1b0

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
457KB

MD5
cc77ae46082c350cdb0dcf08108c34c7

SHA1
494a6ee14b767cd03b4514d0878c057970c0410b

SHA256
7e509ce97c2e2c5b64567af0a20b5fa17703ccfaac8be7717d93bcddfbbc9eb5

SHA512
4a6c3f698b90f245d3328d97ddd30b5871f74cac934b1ad083379667fc9e66616f89495179ef21330ceaf96f3d91c7f7955b692f91309ae0a2b755345162b1b0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads