704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6

Analysis

max time kernel
187s
max time network
183s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 22:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Size

369KB
MD5

31d7aa98024b727c9918773992ca0635
SHA1

60c9ca301b6436b2ef06a54d9cefc0c544be948a
SHA256

704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6
SHA512

6f9af8e6add84d3350664724934fcc3d0d6f3801d16e1851f9ba8d85615274dc925fbe8271bf5dcefce80bca81040533ae098fa1bebaae5bfb986856681ac8eb
SSDEEP

6144:hYLE9vXzyRdsw3b3j5/pjWCg4ClHqsic0eeEHNZ0YH82AYkaN7uS64:OE9kriHqstTeEHNZBtkLSh

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ClipSrv = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\clipsrv.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Csrss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\csrss.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\rsvp.exe	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXC6B.tmp	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe

Executes dropped EXE 18 IoCs

pid	Process
5056	clipsrv.exe
3060	smss.exe
4728	csrss.exe
4596	esentutl.exe
4892	csrss.exe
4824	sessmgr.exe
4280	mstinit.exe
3160	rsvp.exe
1304	clipsrv.exe
1088	clipsrv.exe
4204	clipsrv.exe
3480	smss.exe
1844	csrss.exe
424	esentutl.exe
4108	csrss.exe
3840	sessmgr.exe
1232	mstinit.exe
3544	rsvp.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Session Manager = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\smss.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EseNtUtl = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\esentutl.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\sessmgr.exe	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
File opened for modification	C:\Windows\RCXB01.tmp	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Task Scheduler = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\mstinit.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft RSVP = "C:\\Windows\\System32\\drivers\\rsvp.exe"	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 5056	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	80
PID 1468 wrote to memory of 5056	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	80
PID 1468 wrote to memory of 5056	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	80
PID 1468 wrote to memory of 3060	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	81
PID 1468 wrote to memory of 3060	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	81
PID 1468 wrote to memory of 3060	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	81
PID 1468 wrote to memory of 4728	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	82
PID 1468 wrote to memory of 4728	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	82
PID 1468 wrote to memory of 4728	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	82
PID 1468 wrote to memory of 4596	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	83
PID 1468 wrote to memory of 4596	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	83
PID 1468 wrote to memory of 4596	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	83
PID 1468 wrote to memory of 4892	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	84
PID 1468 wrote to memory of 4892	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	84
PID 1468 wrote to memory of 4892	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	84
PID 1468 wrote to memory of 4824	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	85
PID 1468 wrote to memory of 4824	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	85
PID 1468 wrote to memory of 4824	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	85
PID 1468 wrote to memory of 4280	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	86
PID 1468 wrote to memory of 4280	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	86
PID 1468 wrote to memory of 4280	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	86
PID 1468 wrote to memory of 3160	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	87
PID 1468 wrote to memory of 3160	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	87
PID 1468 wrote to memory of 3160	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	87
PID 1468 wrote to memory of 1304	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	88
PID 1468 wrote to memory of 1304	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	88
PID 1468 wrote to memory of 1304	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	88
PID 1468 wrote to memory of 1088	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	89
PID 1468 wrote to memory of 1088	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	89
PID 1468 wrote to memory of 1088	1468	704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe	89
PID 1088 wrote to memory of 4204	1088	clipsrv.exe	90
PID 1088 wrote to memory of 4204	1088	clipsrv.exe	90
PID 1088 wrote to memory of 4204	1088	clipsrv.exe	90
PID 1088 wrote to memory of 3480	1088	clipsrv.exe	91
PID 1088 wrote to memory of 3480	1088	clipsrv.exe	91
PID 1088 wrote to memory of 3480	1088	clipsrv.exe	91
PID 1088 wrote to memory of 1844	1088	clipsrv.exe	92
PID 1088 wrote to memory of 1844	1088	clipsrv.exe	92
PID 1088 wrote to memory of 1844	1088	clipsrv.exe	92
PID 1088 wrote to memory of 424	1088	clipsrv.exe	93
PID 1088 wrote to memory of 424	1088	clipsrv.exe	93
PID 1088 wrote to memory of 424	1088	clipsrv.exe	93
PID 1088 wrote to memory of 4108	1088	clipsrv.exe	94
PID 1088 wrote to memory of 4108	1088	clipsrv.exe	94
PID 1088 wrote to memory of 4108	1088	clipsrv.exe	94
PID 1088 wrote to memory of 3840	1088	clipsrv.exe	95
PID 1088 wrote to memory of 3840	1088	clipsrv.exe	95
PID 1088 wrote to memory of 3840	1088	clipsrv.exe	95
PID 1088 wrote to memory of 1232	1088	clipsrv.exe	96
PID 1088 wrote to memory of 1232	1088	clipsrv.exe	96
PID 1088 wrote to memory of 1232	1088	clipsrv.exe	96
PID 1088 wrote to memory of 3544	1088	clipsrv.exe	97
PID 1088 wrote to memory of 3544	1088	clipsrv.exe	97
PID 1088 wrote to memory of 3544	1088	clipsrv.exe	97

C:\Users\Admin\AppData\Local\Temp\704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe
"C:\Users\Admin\AppData\Local\Temp\704ebf7460dfbf253ac7aa93773d8f40eac3e8b08b4a902353466f9e187555a6.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /c 15
  2⤵
  - Executes dropped EXE
  PID:5056
- C:\Users\Admin\AppData\Roaming\MICROS~1\smss.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\smss.exe /c 64
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe /c 23
  2⤵
  - Executes dropped EXE
  PID:4728
- C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe /c 30
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Users\Admin\AppData\Roaming\csrss.exe
  C:\Users\Admin\AppData\Roaming\csrss.exe /c 74
  2⤵
  - Executes dropped EXE
  PID:4892
- C:\Windows\sessmgr.exe
  C:\Windows\sessmgr.exe /c 9
  2⤵
  - Executes dropped EXE
  PID:4824
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe" /c 24
  2⤵
  - Executes dropped EXE
  PID:4280
- C:\Windows\SysWOW64\drivers\rsvp.exe
  C:\Windows\System32\drivers\rsvp.exe /c 33
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /c 38
  2⤵
  - Executes dropped EXE
  PID:1304
- C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe" /c 66
    3⤵
    - Executes dropped EXE
    PID:4204
- - C:\Users\Admin\AppData\Roaming\MICROS~1\smss.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\smss.exe /c 82
    3⤵
    - Executes dropped EXE
    PID:3480
- - C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe /c 39
    3⤵
    - Executes dropped EXE
    PID:1844
- - C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe
    C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe /c 100
    3⤵
    - Executes dropped EXE
    PID:424
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    C:\Users\Admin\AppData\Roaming\csrss.exe /c 77
    3⤵
    - Executes dropped EXE
    PID:4108
- - C:\Windows\sessmgr.exe
    C:\Windows\sessmgr.exe /c 92
    3⤵
    - Executes dropped EXE
    PID:3840
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe" /c 7
    3⤵
    - Executes dropped EXE
    PID:1232
- - C:\Windows\SysWOW64\drivers\rsvp.exe
    C:\Windows\System32\drivers\rsvp.exe /c 22
    3⤵
    - Executes dropped EXE
    PID:3544

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\mstinit.exe

Filesize
369KB

MD5
71bc893e0fc84b4e904f59ece4346800

SHA1
c31a64b740295a5ee7c749ab2eada4ac1ca068ec

SHA256
6400594881909dd4581416cbb3c3127bbe59c328779ebd7b73651904e25f3daf

SHA512
cefaeaa30f03721f842d8c3a92995df5ac9fc00b53c32df67e812b8a8b50242dc2aa7930a37812d78856d36bee7bba9fa2d5491bf8defb5563c13ba0693a05a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\mstinit.exe

Filesize
369KB

MD5
71bc893e0fc84b4e904f59ece4346800

SHA1
c31a64b740295a5ee7c749ab2eada4ac1ca068ec

SHA256
6400594881909dd4581416cbb3c3127bbe59c328779ebd7b73651904e25f3daf

SHA512
cefaeaa30f03721f842d8c3a92995df5ac9fc00b53c32df67e812b8a8b50242dc2aa7930a37812d78856d36bee7bba9fa2d5491bf8defb5563c13ba0693a05a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
369KB

MD5
203b680beaab17c12b1e60e35bce1886

SHA1
6b5517902cac0b3fe319db7173cdea058bbb1a0d

SHA256
b3824bb1ae1fb7cfae578529ae1a4751f5f82d721225b35aca47178096f1dc6f

SHA512
9ed6442f15883a25360e8be890130ed1650434802f0a82c5597ba4d18c871e699848f93e1e3d28ba9eff3638e4806a09d2f60a76b2739e19bc304f9270680a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
369KB

MD5
203b680beaab17c12b1e60e35bce1886

SHA1
6b5517902cac0b3fe319db7173cdea058bbb1a0d

SHA256
b3824bb1ae1fb7cfae578529ae1a4751f5f82d721225b35aca47178096f1dc6f

SHA512
9ed6442f15883a25360e8be890130ed1650434802f0a82c5597ba4d18c871e699848f93e1e3d28ba9eff3638e4806a09d2f60a76b2739e19bc304f9270680a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
369KB

MD5
203b680beaab17c12b1e60e35bce1886

SHA1
6b5517902cac0b3fe319db7173cdea058bbb1a0d

SHA256
b3824bb1ae1fb7cfae578529ae1a4751f5f82d721225b35aca47178096f1dc6f

SHA512
9ed6442f15883a25360e8be890130ed1650434802f0a82c5597ba4d18c871e699848f93e1e3d28ba9eff3638e4806a09d2f60a76b2739e19bc304f9270680a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\clipsrv.exe

Filesize
369KB

MD5
203b680beaab17c12b1e60e35bce1886

SHA1
6b5517902cac0b3fe319db7173cdea058bbb1a0d

SHA256
b3824bb1ae1fb7cfae578529ae1a4751f5f82d721225b35aca47178096f1dc6f

SHA512
9ed6442f15883a25360e8be890130ed1650434802f0a82c5597ba4d18c871e699848f93e1e3d28ba9eff3638e4806a09d2f60a76b2739e19bc304f9270680a9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
7B

MD5
6ab8a96c87d966b055239868362d577a

SHA1
63ffcfa700c7a2d1a59d4190c668e6a9a9d60c26

SHA256
b394cb70b8dd4aa0ec6548f1d9843aa6bc417e8b5454e9422f6d45ccb669eabe

SHA512
5e65af01f99b790fb2c8f16b41e35e894b76af75a565f88f0c7ffdd8eceae38cacadc0c4c3b388b52311b7bc0d2e5282753b0a29cb3b3452f1e3da05f3c8442b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\smss.exe

Filesize
369KB

MD5
d8e7a7e0d52a7c9a3fe5a56c203fe0a6

SHA1
85c4aa566256f5376e7933599ed6c500e37ecef6

SHA256
f2066e3107c56c8527e92906f4f49318a07ec8851b0c989d12bf45831a2a5f1b

SHA512
81cf8b6f2b2e895c005a7c99caeae62a3fafa332a05e3a03004a4b046dfcb62e097e3e19f97c783e5390c30390772c5407ba3db386bacc27c56d954a831fb23d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe

Filesize
369KB

MD5
3d5d59a0646305deeb5de686703bf0f5

SHA1
20f04497f302e5b107b8a70655c3db22850282df

SHA256
c5099c9b3c78bd0c5d389b5be3d52be71a8ea2fbe754232e46e240131e937487

SHA512
aa318767e65024a958f69adfb952241ab7a68e20726048c692c926e24a095a2063c8756d67dda8e03700886734607c254ec297aafb7f937f56139ea4def36409

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe

Filesize
369KB

MD5
3d5d59a0646305deeb5de686703bf0f5

SHA1
20f04497f302e5b107b8a70655c3db22850282df

SHA256
c5099c9b3c78bd0c5d389b5be3d52be71a8ea2fbe754232e46e240131e937487

SHA512
aa318767e65024a958f69adfb952241ab7a68e20726048c692c926e24a095a2063c8756d67dda8e03700886734607c254ec297aafb7f937f56139ea4def36409

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\esentutl.exe

Filesize
369KB

MD5
3d5d59a0646305deeb5de686703bf0f5

SHA1
20f04497f302e5b107b8a70655c3db22850282df

SHA256
c5099c9b3c78bd0c5d389b5be3d52be71a8ea2fbe754232e46e240131e937487

SHA512
aa318767e65024a958f69adfb952241ab7a68e20726048c692c926e24a095a2063c8756d67dda8e03700886734607c254ec297aafb7f937f56139ea4def36409

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\smss.exe

Filesize
369KB

MD5
d8e7a7e0d52a7c9a3fe5a56c203fe0a6

SHA1
85c4aa566256f5376e7933599ed6c500e37ecef6

SHA256
f2066e3107c56c8527e92906f4f49318a07ec8851b0c989d12bf45831a2a5f1b

SHA512
81cf8b6f2b2e895c005a7c99caeae62a3fafa332a05e3a03004a4b046dfcb62e097e3e19f97c783e5390c30390772c5407ba3db386bacc27c56d954a831fb23d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\smss.exe

Filesize
369KB

MD5
d8e7a7e0d52a7c9a3fe5a56c203fe0a6

SHA1
85c4aa566256f5376e7933599ed6c500e37ecef6

SHA256
f2066e3107c56c8527e92906f4f49318a07ec8851b0c989d12bf45831a2a5f1b

SHA512
81cf8b6f2b2e895c005a7c99caeae62a3fafa332a05e3a03004a4b046dfcb62e097e3e19f97c783e5390c30390772c5407ba3db386bacc27c56d954a831fb23d

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
369KB

MD5
18b1f367102d4d2a756362e97fa7706c

SHA1
4ae19777ced39ffabf949630d4a03b8300a204a2

SHA256
e9ba9a796376a0d81f1fd6354a5cd7f4680ed4344d1fe5bba9143bf92de0bc12

SHA512
aca24744585e9146760cdebddc1c12df5e56138ff815434c277a4ebe5d78699441d683329f9049b9b75b75982e86ca1060ee533da05034313246d96de4ecd84f

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\mstinit.exe

Filesize
369KB

MD5
71bc893e0fc84b4e904f59ece4346800

SHA1
c31a64b740295a5ee7c749ab2eada4ac1ca068ec

SHA256
6400594881909dd4581416cbb3c3127bbe59c328779ebd7b73651904e25f3daf

SHA512
cefaeaa30f03721f842d8c3a92995df5ac9fc00b53c32df67e812b8a8b50242dc2aa7930a37812d78856d36bee7bba9fa2d5491bf8defb5563c13ba0693a05a5

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\clipsrv.exe

Filesize
369KB

MD5
203b680beaab17c12b1e60e35bce1886

SHA1
6b5517902cac0b3fe319db7173cdea058bbb1a0d

SHA256
b3824bb1ae1fb7cfae578529ae1a4751f5f82d721225b35aca47178096f1dc6f

SHA512
9ed6442f15883a25360e8be890130ed1650434802f0a82c5597ba4d18c871e699848f93e1e3d28ba9eff3638e4806a09d2f60a76b2739e19bc304f9270680a9b

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
369KB

MD5
ee1f86d390333419ce120ea6af7d90ca

SHA1
c4ff9eb2245bfe630a96723f1d78c6bd25cec4fa

SHA256
c34488e6e5b86fb4af1b4df7e3a3fb0495e08c2ededa3c216028a7eef22d1348

SHA512
aac3d2287ca952e687502d9179740fb197b0df2ed989dcb82fa02e07402046eccfe549d2a0656f2550e8b0d313caa5e645ed532731bd024b66040af041e9cbb5

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
369KB

MD5
ee1f86d390333419ce120ea6af7d90ca

SHA1
c4ff9eb2245bfe630a96723f1d78c6bd25cec4fa

SHA256
c34488e6e5b86fb4af1b4df7e3a3fb0495e08c2ededa3c216028a7eef22d1348

SHA512
aac3d2287ca952e687502d9179740fb197b0df2ed989dcb82fa02e07402046eccfe549d2a0656f2550e8b0d313caa5e645ed532731bd024b66040af041e9cbb5

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
369KB

MD5
ee1f86d390333419ce120ea6af7d90ca

SHA1
c4ff9eb2245bfe630a96723f1d78c6bd25cec4fa

SHA256
c34488e6e5b86fb4af1b4df7e3a3fb0495e08c2ededa3c216028a7eef22d1348

SHA512
aac3d2287ca952e687502d9179740fb197b0df2ed989dcb82fa02e07402046eccfe549d2a0656f2550e8b0d313caa5e645ed532731bd024b66040af041e9cbb5

Download Submit
C:\Windows\sessmgr.exe

Filesize
369KB

MD5
33704a279a246a30d29130df2b3e584c

SHA1
e2e492ca817378bff86c7c3deac8df4cbc92fdd3

SHA256
c927c5636c8ff3f9be3b084c13ba4e29b8b5384ca22edeba534d05fa9950a66e

SHA512
eabfc6a42ecff9f837bbb12e38c958b56cd19833d56709f45f76f8b609c6fa4955a3348fda4adbbbe2d3098c9a54d6d62369edccb2179728ce3b12a4c0959fd3

Download Submit
C:\Windows\sessmgr.exe

Filesize
369KB

MD5
33704a279a246a30d29130df2b3e584c

SHA1
e2e492ca817378bff86c7c3deac8df4cbc92fdd3

SHA256
c927c5636c8ff3f9be3b084c13ba4e29b8b5384ca22edeba534d05fa9950a66e

SHA512
eabfc6a42ecff9f837bbb12e38c958b56cd19833d56709f45f76f8b609c6fa4955a3348fda4adbbbe2d3098c9a54d6d62369edccb2179728ce3b12a4c0959fd3

Download Submit
C:\Windows\sessmgr.exe

Filesize
369KB

MD5
33704a279a246a30d29130df2b3e584c

SHA1
e2e492ca817378bff86c7c3deac8df4cbc92fdd3

SHA256
c927c5636c8ff3f9be3b084c13ba4e29b8b5384ca22edeba534d05fa9950a66e

SHA512
eabfc6a42ecff9f837bbb12e38c958b56cd19833d56709f45f76f8b609c6fa4955a3348fda4adbbbe2d3098c9a54d6d62369edccb2179728ce3b12a4c0959fd3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads