7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

Analysis

max time kernel
40s
max time network
63s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Size

460KB
MD5

cd3c9b2d5a0583a12af5fa2db7bd2e02
SHA1

7f09c6eddd4a8e585bba0be0170c195f2b57f9f8
SHA256

7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4
SHA512

9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2
SSDEEP

12288:ppLCnVtGQ6vRSDB4fkCmHQrBecfKZI+yN:8ofHQaVfKZI9N

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Sessmgr = "C:\\PROGRA~3\\sessmgr.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\MessageService = "C:\\Windows\\System32\\drivers\\mqtgsvc.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\mqtgsvc.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Executes dropped EXE 18 IoCs

pid	Process
384	sessmgr.exe
1148	sessmgr.exe
940	mqtgsvc.exe
1916	dllhst3g.exe
812	cisvc.exe
2024	dllhst3g.exe
2036	wininit.exe
1768	cmstp.exe
988	sessmgr.exe
816	sessmgr.exe
1564	sessmgr.exe
316	sessmgr.exe
536	mqtgsvc.exe
1996	dllhst3g.exe
1980	cisvc.exe
1976	dllhst3g.exe
748	wininit.exe
564	cmstp.exe

Loads dropped DLL 37 IoCs

pid	Process
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
816	sessmgr.exe
816	sessmgr.exe
816	sessmgr.exe
816	sessmgr.exe
816	sessmgr.exe
816	sessmgr.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe
908	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Sessmgr = "C:\\PROGRA~3\\MICROS~1\\sessmgr.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\DllHost3g = "C:\\Users\\Admin\\AppData\\Roaming\\dllhst3g.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\PROGRA~3\MICROS~1\sessmgr.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File created	C:\PROGRA~3\MICROS~1\dllhst3g.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\RCX5815.tmp	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File opened for modification	C:\PROGRA~3\sessmgr.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File opened for modification	C:\PROGRA~3\RCX5311.tmp	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\RCX5459.tmp	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File created	C:\PROGRA~3\MICROS~1\cisvc.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File opened for modification	C:\PROGRA~3\MICROS~1\RCX572A.tmp	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File created	C:\PROGRA~3\wininit.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
File created	C:\PROGRA~3\sessmgr.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System\cmstp.exe	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
908	816	WerFault.exe	36

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Connection Manager = "C:\\Windows\\System\\cmstp.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinInit = "C:\\PROGRA~3\\wininit.exe"	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 384	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	27
PID 1508 wrote to memory of 384	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	27
PID 1508 wrote to memory of 384	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	27
PID 1508 wrote to memory of 384	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	27
PID 1508 wrote to memory of 1148	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	28
PID 1508 wrote to memory of 1148	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	28
PID 1508 wrote to memory of 1148	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	28
PID 1508 wrote to memory of 1148	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	28
PID 1508 wrote to memory of 940	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	29
PID 1508 wrote to memory of 940	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	29
PID 1508 wrote to memory of 940	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	29
PID 1508 wrote to memory of 940	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	29
PID 1508 wrote to memory of 1916	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	30
PID 1508 wrote to memory of 1916	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	30
PID 1508 wrote to memory of 1916	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	30
PID 1508 wrote to memory of 1916	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	30
PID 1508 wrote to memory of 812	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	31
PID 1508 wrote to memory of 812	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	31
PID 1508 wrote to memory of 812	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	31
PID 1508 wrote to memory of 812	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	31
PID 1508 wrote to memory of 2024	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	32
PID 1508 wrote to memory of 2024	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	32
PID 1508 wrote to memory of 2024	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	32
PID 1508 wrote to memory of 2024	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	32
PID 1508 wrote to memory of 2036	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	33
PID 1508 wrote to memory of 2036	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	33
PID 1508 wrote to memory of 2036	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	33
PID 1508 wrote to memory of 2036	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	33
PID 1508 wrote to memory of 1768	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	34
PID 1508 wrote to memory of 1768	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	34
PID 1508 wrote to memory of 1768	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	34
PID 1508 wrote to memory of 1768	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	34
PID 1508 wrote to memory of 988	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	35
PID 1508 wrote to memory of 988	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	35
PID 1508 wrote to memory of 988	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	35
PID 1508 wrote to memory of 988	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	35
PID 1508 wrote to memory of 816	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	36
PID 1508 wrote to memory of 816	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	36
PID 1508 wrote to memory of 816	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	36
PID 1508 wrote to memory of 816	1508	7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe	36
PID 816 wrote to memory of 1564	816	sessmgr.exe	37
PID 816 wrote to memory of 1564	816	sessmgr.exe	37
PID 816 wrote to memory of 1564	816	sessmgr.exe	37
PID 816 wrote to memory of 1564	816	sessmgr.exe	37
PID 816 wrote to memory of 316	816	sessmgr.exe	38
PID 816 wrote to memory of 316	816	sessmgr.exe	38
PID 816 wrote to memory of 316	816	sessmgr.exe	38
PID 816 wrote to memory of 316	816	sessmgr.exe	38
PID 816 wrote to memory of 536	816	sessmgr.exe	39
PID 816 wrote to memory of 536	816	sessmgr.exe	39
PID 816 wrote to memory of 536	816	sessmgr.exe	39
PID 816 wrote to memory of 536	816	sessmgr.exe	39
PID 816 wrote to memory of 1996	816	sessmgr.exe	40
PID 816 wrote to memory of 1996	816	sessmgr.exe	40
PID 816 wrote to memory of 1996	816	sessmgr.exe	40
PID 816 wrote to memory of 1996	816	sessmgr.exe	40
PID 816 wrote to memory of 1980	816	sessmgr.exe	41
PID 816 wrote to memory of 1980	816	sessmgr.exe	41
PID 816 wrote to memory of 1980	816	sessmgr.exe	41
PID 816 wrote to memory of 1980	816	sessmgr.exe	41
PID 816 wrote to memory of 1976	816	sessmgr.exe	42
PID 816 wrote to memory of 1976	816	sessmgr.exe	42
PID 816 wrote to memory of 1976	816	sessmgr.exe	42
PID 816 wrote to memory of 1976	816	sessmgr.exe	42

C:\Users\Admin\AppData\Local\Temp\7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe
"C:\Users\Admin\AppData\Local\Temp\7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1508
- C:\PROGRA~3\sessmgr.exe
  C:\PROGRA~3\sessmgr.exe /c 61
  2⤵
  - Executes dropped EXE
  PID:384
- C:\PROGRA~3\MICROS~1\sessmgr.exe
  C:\PROGRA~3\MICROS~1\sessmgr.exe /c 87
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\SysWOW64\drivers\mqtgsvc.exe
  C:\Windows\System32\drivers\mqtgsvc.exe /c 94
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Users\Admin\AppData\Roaming\dllhst3g.exe
  C:\Users\Admin\AppData\Roaming\dllhst3g.exe /c 78
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\PROGRA~3\MICROS~1\cisvc.exe
  C:\PROGRA~3\MICROS~1\cisvc.exe /c 63
  2⤵
  - Executes dropped EXE
  PID:812
- C:\PROGRA~3\MICROS~1\dllhst3g.exe
  C:\PROGRA~3\MICROS~1\dllhst3g.exe /c 77
  2⤵
  - Executes dropped EXE
  PID:2024
- C:\PROGRA~3\wininit.exe
  C:\PROGRA~3\wininit.exe /c 8
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\cmstp.exe
  C:\Windows\System\cmstp.exe /c 28
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\PROGRA~3\sessmgr.exe
  C:\PROGRA~3\sessmgr.exe /c 79
  2⤵
  - Executes dropped EXE
  PID:988
- C:\PROGRA~3\sessmgr.exe
  C:\PROGRA~3\sessmgr.exe /r
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\PROGRA~3\sessmgr.exe
    C:\PROGRA~3\sessmgr.exe /c 10
    3⤵
    - Executes dropped EXE
    PID:1564
- - C:\PROGRA~3\MICROS~1\sessmgr.exe
    C:\PROGRA~3\MICROS~1\sessmgr.exe /c 8
    3⤵
    - Executes dropped EXE
    PID:316
- - C:\Windows\SysWOW64\drivers\mqtgsvc.exe
    C:\Windows\System32\drivers\mqtgsvc.exe /c 47
    3⤵
    - Executes dropped EXE
    PID:536
- - C:\Users\Admin\AppData\Roaming\dllhst3g.exe
    C:\Users\Admin\AppData\Roaming\dllhst3g.exe /c 45
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\PROGRA~3\MICROS~1\cisvc.exe
    C:\PROGRA~3\MICROS~1\cisvc.exe /c 36
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\PROGRA~3\MICROS~1\dllhst3g.exe
    C:\PROGRA~3\MICROS~1\dllhst3g.exe /c 26
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\PROGRA~3\wininit.exe
    C:\PROGRA~3\wininit.exe /c 90
    3⤵
    - Executes dropped EXE
    PID:748
- - C:\Windows\System\cmstp.exe
    C:\Windows\System\cmstp.exe /c 12
    3⤵
    - Executes dropped EXE
    PID:564
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 816 -s 732
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
996f2e33ee70435b7f7d840908bdab36

SHA1
96b5657d1435b13101353bd45b9e7b5f444bcec7

SHA256
540e9121cb3bb9fa37f8d7b940407a4be35982dee79b8ab95d3c41dec813897e

SHA512
77aab6ad898e4ed7566d3e38a038bea3a4bed1f80280d1c29f22feee12856ea1bc4b2b47f320d97d3174e4206e26f472c19c246fd4dba7a08ae9aaa0b9252602

Download Submit
C:\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
996f2e33ee70435b7f7d840908bdab36

SHA1
96b5657d1435b13101353bd45b9e7b5f444bcec7

SHA256
540e9121cb3bb9fa37f8d7b940407a4be35982dee79b8ab95d3c41dec813897e

SHA512
77aab6ad898e4ed7566d3e38a038bea3a4bed1f80280d1c29f22feee12856ea1bc4b2b47f320d97d3174e4206e26f472c19c246fd4dba7a08ae9aaa0b9252602

Download Submit
C:\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
996f2e33ee70435b7f7d840908bdab36

SHA1
96b5657d1435b13101353bd45b9e7b5f444bcec7

SHA256
540e9121cb3bb9fa37f8d7b940407a4be35982dee79b8ab95d3c41dec813897e

SHA512
77aab6ad898e4ed7566d3e38a038bea3a4bed1f80280d1c29f22feee12856ea1bc4b2b47f320d97d3174e4206e26f472c19c246fd4dba7a08ae9aaa0b9252602

Download Submit
C:\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
C:\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
C:\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
5de1fff42f063c25b5a582b26ed53894

SHA1
818560d5b5c9fc373e1623760c118b382df199a2

SHA256
531053140a878bb5123a091500182dc617bb07eede243879a133b00bec134a69

SHA512
5ae841cfd5b559d4af44f2a1277ec1a7cf968dc1fe7372edb4a25cd16394053ce429757cf4ed757e57e0ce13f70ebe76defe87bf2e4e3a666113b2ca3dff5e02

Download Submit
C:\Users\Admin\AppData\Roaming\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Users\Admin\AppData\Roaming\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Windows\system\cmstp.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
C:\Windows\system\cmstp.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
996f2e33ee70435b7f7d840908bdab36

SHA1
96b5657d1435b13101353bd45b9e7b5f444bcec7

SHA256
540e9121cb3bb9fa37f8d7b940407a4be35982dee79b8ab95d3c41dec813897e

SHA512
77aab6ad898e4ed7566d3e38a038bea3a4bed1f80280d1c29f22feee12856ea1bc4b2b47f320d97d3174e4206e26f472c19c246fd4dba7a08ae9aaa0b9252602

Download Submit
\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
996f2e33ee70435b7f7d840908bdab36

SHA1
96b5657d1435b13101353bd45b9e7b5f444bcec7

SHA256
540e9121cb3bb9fa37f8d7b940407a4be35982dee79b8ab95d3c41dec813897e

SHA512
77aab6ad898e4ed7566d3e38a038bea3a4bed1f80280d1c29f22feee12856ea1bc4b2b47f320d97d3174e4206e26f472c19c246fd4dba7a08ae9aaa0b9252602

Download Submit
\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\cisvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
849a01c8e1f231872317d2a6a8c74c1a

SHA1
e5e6c5c11e4e59cd0ae4468ffbb480df12dff510

SHA256
9e6a29acffc7a482c278ef54a9a50fd14659177f584854315c2275daabaa0feb

SHA512
c80d3d7bda38e591b60d874e23558f7b7592fa24eeee775fbc2a83ee950ad98a6417b1338456252ad9749bb80e72dac5d283348b650780361a5fa1f530b29275

Download Submit
\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\MICROS~1\sessmgr.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
8211b5c90ca86390c0e17b2f504cbce2

SHA1
d1168cfb0ccf31de9782dd29f0588f7c7174fe5c

SHA256
3c6d9f060f756de00e6a70f27b7818da04f6048df11735c93b1722c33e9fcc65

SHA512
fe915f71282201ce1b0b61a1081da43f67d7c8a97c5c03c7ba341d44b04f01519bfc9a73a2fc1cdc25d9b0baa6cde54667260532c5f37ddb2bdc7e9628966de4

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\sessmgr.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\PROGRA~3\wininit.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Users\Admin\AppData\Roaming\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Users\Admin\AppData\Roaming\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Users\Admin\AppData\Roaming\dllhst3g.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\SysWOW64\drivers\mqtgsvc.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\system\cmstp.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\system\cmstp.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
\Windows\system\cmstp.exe

Filesize
460KB

MD5
cd3c9b2d5a0583a12af5fa2db7bd2e02

SHA1
7f09c6eddd4a8e585bba0be0170c195f2b57f9f8

SHA256
7b1e838428e1c6b66dc54cb9662fc97c8fabfe751ee31728d9b6d604b91a66c4

SHA512
9f609708ad30e92e21d1cd4691fb7295f7ee0e4dc4e58af92e7c9a54b6f61b9812477e44cda275445a820983cce5760bfa292439e17352d2408b0bb950e99db2

Download Submit
memory/816-129-0x0000000074C91000-0x0000000074C93000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads