ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d

Analysis

max time kernel
150s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2022, 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Size

646KB
MD5

ff3d72a75b865d7e772db333cf9a1253
SHA1

159c9ebd8abfb7aa10d4c6e1b34606604383f934
SHA256

ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d
SHA512

79415be7bf10838d7467ab9ec736c02a2e3eea6e7e8efa9bccc1dda6350a95ea2c3af653560bf5916f304b6e37dd869f5640d67d3beadfe08bae5496f9f8ec1e
SSDEEP

12288:p0Qu4P7XBCAjPWQREZzek3FteiXUJMBk1XmZf/qBe7iTFNpgrMCoyE14RYj/TSx7:p99FsGTFNpgrMCoyE14RO/D8a6XTTFNk

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Logman = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\logman.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\WinInit = "C:\\Users\\Admin\\AppData\\Roaming\\wininit.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\sessmgr.exe	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXB0.tmp	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Executes dropped EXE 18 IoCs

pid	Process
3852	logman.exe
4792	sessmgr.exe
1596	wininit.exe
1412	wininit.exe
2576	sessmgr.exe
908	smss.exe
4112	cisvc.exe
64	csrss.exe
3808	logman.exe
1764	logman.exe
1756	logman.exe
4652	sessmgr.exe
4852	wininit.exe
4544	wininit.exe
368	sessmgr.exe
5084	smss.exe
4616	cisvc.exe
204	csrss.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Sessmgr = "C:\\Windows\\sessmgr.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinInit = "C:\\PROGRA~3\\MICROS~1\\wininit.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\MICROS~1\wininit.exe	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
File opened for modification	C:\PROGRA~3\MICROS~1\RCXFF57.tmp	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\sessmgr.exe	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
File opened for modification	C:\Windows\RCXFB0F.tmp	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
File created	C:\Windows\smss.exe	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
File opened for modification	C:\Windows\RCX14D.tmp	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "C:\\Users\\Admin\\AppData\\Roaming\\csrss.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cisvc = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\cisvc.exe"	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 3852	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	79
PID 4872 wrote to memory of 3852	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	79
PID 4872 wrote to memory of 3852	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	79
PID 4872 wrote to memory of 4792	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	81
PID 4872 wrote to memory of 4792	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	81
PID 4872 wrote to memory of 4792	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	81
PID 4872 wrote to memory of 1596	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	82
PID 4872 wrote to memory of 1596	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	82
PID 4872 wrote to memory of 1596	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	82
PID 4872 wrote to memory of 1412	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	83
PID 4872 wrote to memory of 1412	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	83
PID 4872 wrote to memory of 1412	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	83
PID 4872 wrote to memory of 2576	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	84
PID 4872 wrote to memory of 2576	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	84
PID 4872 wrote to memory of 2576	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	84
PID 4872 wrote to memory of 908	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	85
PID 4872 wrote to memory of 908	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	85
PID 4872 wrote to memory of 908	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	85
PID 4872 wrote to memory of 4112	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	86
PID 4872 wrote to memory of 4112	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	86
PID 4872 wrote to memory of 4112	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	86
PID 4872 wrote to memory of 64	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	87
PID 4872 wrote to memory of 64	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	87
PID 4872 wrote to memory of 64	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	87
PID 4872 wrote to memory of 3808	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	88
PID 4872 wrote to memory of 3808	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	88
PID 4872 wrote to memory of 3808	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	88
PID 4872 wrote to memory of 1764	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	89
PID 4872 wrote to memory of 1764	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	89
PID 4872 wrote to memory of 1764	4872	ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe	89
PID 1764 wrote to memory of 1756	1764	logman.exe	90
PID 1764 wrote to memory of 1756	1764	logman.exe	90
PID 1764 wrote to memory of 1756	1764	logman.exe	90
PID 1764 wrote to memory of 4652	1764	logman.exe	91
PID 1764 wrote to memory of 4652	1764	logman.exe	91
PID 1764 wrote to memory of 4652	1764	logman.exe	91
PID 1764 wrote to memory of 4852	1764	logman.exe	92
PID 1764 wrote to memory of 4852	1764	logman.exe	92
PID 1764 wrote to memory of 4852	1764	logman.exe	92
PID 1764 wrote to memory of 4544	1764	logman.exe	93
PID 1764 wrote to memory of 4544	1764	logman.exe	93
PID 1764 wrote to memory of 4544	1764	logman.exe	93
PID 1764 wrote to memory of 368	1764	logman.exe	94
PID 1764 wrote to memory of 368	1764	logman.exe	94
PID 1764 wrote to memory of 368	1764	logman.exe	94
PID 1764 wrote to memory of 5084	1764	logman.exe	95
PID 1764 wrote to memory of 5084	1764	logman.exe	95
PID 1764 wrote to memory of 5084	1764	logman.exe	95
PID 1764 wrote to memory of 4616	1764	logman.exe	96
PID 1764 wrote to memory of 4616	1764	logman.exe	96
PID 1764 wrote to memory of 4616	1764	logman.exe	96
PID 1764 wrote to memory of 204	1764	logman.exe	97
PID 1764 wrote to memory of 204	1764	logman.exe	97
PID 1764 wrote to memory of 204	1764	logman.exe	97

C:\Users\Admin\AppData\Local\Temp\ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe
"C:\Users\Admin\AppData\Local\Temp\ac23713327d1f9a25e44c89665b4fb09a42ff0c8f9b77ea8a97869b127570e4d.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe" /c 54
  2⤵
  - Executes dropped EXE
  PID:3852
- C:\Windows\sessmgr.exe
  C:\Windows\sessmgr.exe /c 34
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Users\Admin\AppData\Roaming\wininit.exe
  C:\Users\Admin\AppData\Roaming\wininit.exe /c 27
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\PROGRA~3\MICROS~1\wininit.exe
  C:\PROGRA~3\MICROS~1\wininit.exe /c 30
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\SysWOW64\drivers\sessmgr.exe
  C:\Windows\System32\drivers\sessmgr.exe /c 16
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\smss.exe
  C:\Windows\smss.exe /c 91
  2⤵
  - Executes dropped EXE
  PID:908
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\cisvc.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\cisvc.exe" /c 90
  2⤵
  - Executes dropped EXE
  PID:4112
- C:\Users\Admin\AppData\Roaming\csrss.exe
  C:\Users\Admin\AppData\Roaming\csrss.exe /c 65
  2⤵
  - Executes dropped EXE
  PID:64
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe" /c 27
  2⤵
  - Executes dropped EXE
  PID:3808
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe" /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe" /c 36
    3⤵
    - Executes dropped EXE
    PID:1756
- - C:\Windows\sessmgr.exe
    C:\Windows\sessmgr.exe /c 79
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Users\Admin\AppData\Roaming\wininit.exe
    C:\Users\Admin\AppData\Roaming\wininit.exe /c 34
    3⤵
    - Executes dropped EXE
    PID:4852
- - C:\PROGRA~3\MICROS~1\wininit.exe
    C:\PROGRA~3\MICROS~1\wininit.exe /c 74
    3⤵
    - Executes dropped EXE
    PID:4544
- - C:\Windows\SysWOW64\drivers\sessmgr.exe
    C:\Windows\System32\drivers\sessmgr.exe /c 62
    3⤵
    - Executes dropped EXE
    PID:368
- - C:\Windows\smss.exe
    C:\Windows\smss.exe /c 72
    3⤵
    - Executes dropped EXE
    PID:5084
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\cisvc.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\cisvc.exe" /c 42
    3⤵
    - Executes dropped EXE
    PID:4616
- - C:\Users\Admin\AppData\Roaming\csrss.exe
    C:\Users\Admin\AppData\Roaming\csrss.exe /c 69
    3⤵
    - Executes dropped EXE
    PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\MICROS~1\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\ProgramData\Microsoft\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\ProgramData\Microsoft\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\cisvc.exe

Filesize
428KB

MD5
604ebc9243c6d6c6d7ea5bf652129f7b

SHA1
40edad1a0472be129337006f365e575ebec787c6

SHA256
985138d5ac7557dc1132e134ce8c1273e0cd64912244ecc1c9347d1c67a029fb

SHA512
81a9ab15a8e00b711dcbccd6fd3c0fd91496f2349c4cade5c8d2ff6c6b44580e323156ef80a6652abc879bbc234f4b74a844b572055c65e1b300697a699fe3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\cisvc.exe

Filesize
428KB

MD5
604ebc9243c6d6c6d7ea5bf652129f7b

SHA1
40edad1a0472be129337006f365e575ebec787c6

SHA256
985138d5ac7557dc1132e134ce8c1273e0cd64912244ecc1c9347d1c67a029fb

SHA512
81a9ab15a8e00b711dcbccd6fd3c0fd91496f2349c4cade5c8d2ff6c6b44580e323156ef80a6652abc879bbc234f4b74a844b572055c65e1b300697a699fe3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\logman.exe

Filesize
428KB

MD5
8ab95f24691ca94072ae4b269ae07a67

SHA1
701efd00c2714a42ef7543908c21a4405163d814

SHA256
0373c25918acec8283123f5f087e55d4529f9dd9e763c8eec975d22f85cfc563

SHA512
62c190508e963c2fbe094e8b56d5c42742704812bd6ab8cf0469ddd0e6df75eddb639937f13dc602998ad155439be2cac3f7d5be8efdc13a497022b2f35ec195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\logman.exe

Filesize
428KB

MD5
8ab95f24691ca94072ae4b269ae07a67

SHA1
701efd00c2714a42ef7543908c21a4405163d814

SHA256
0373c25918acec8283123f5f087e55d4529f9dd9e763c8eec975d22f85cfc563

SHA512
62c190508e963c2fbe094e8b56d5c42742704812bd6ab8cf0469ddd0e6df75eddb639937f13dc602998ad155439be2cac3f7d5be8efdc13a497022b2f35ec195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\logman.exe

Filesize
428KB

MD5
8ab95f24691ca94072ae4b269ae07a67

SHA1
701efd00c2714a42ef7543908c21a4405163d814

SHA256
0373c25918acec8283123f5f087e55d4529f9dd9e763c8eec975d22f85cfc563

SHA512
62c190508e963c2fbe094e8b56d5c42742704812bd6ab8cf0469ddd0e6df75eddb639937f13dc602998ad155439be2cac3f7d5be8efdc13a497022b2f35ec195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\logman.exe

Filesize
428KB

MD5
8ab95f24691ca94072ae4b269ae07a67

SHA1
701efd00c2714a42ef7543908c21a4405163d814

SHA256
0373c25918acec8283123f5f087e55d4529f9dd9e763c8eec975d22f85cfc563

SHA512
62c190508e963c2fbe094e8b56d5c42742704812bd6ab8cf0469ddd0e6df75eddb639937f13dc602998ad155439be2cac3f7d5be8efdc13a497022b2f35ec195

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
07aa8555e4a7d8880fe48279cf4f1542

SHA1
99510ac46f9761dbeb8d51877bd5814819bc22c9

SHA256
fd6c8d84d58ec354116a7e64b4ebe084ca3e438631744d0672c8fd86aa9049b0

SHA512
315af391c005f20ff9ae0e652c7910616f14e074d76e5ec0a45bdfdcfc6e015d7f33cdbb32e2e843f6fdceded4d4136ca2ad844610749622bda933017969d07c

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
428KB

MD5
32bd81ddba4419e26f5a681afadf2003

SHA1
a596f84ae955883e24e65156ac8c73e2bf7d45aa

SHA256
aac8026419b57ef0f17610aca1cad8e42f8f5dbac87dcbc664cf30eea44a349a

SHA512
6a958bee35f4e51d541369647b2af51755c7f3e4e70f8424ca1b87e89601d05d1cb16ad545988625c33c5af97bf841db0966b2a4a4e3c14a4548d08ca176998b

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
428KB

MD5
32bd81ddba4419e26f5a681afadf2003

SHA1
a596f84ae955883e24e65156ac8c73e2bf7d45aa

SHA256
aac8026419b57ef0f17610aca1cad8e42f8f5dbac87dcbc664cf30eea44a349a

SHA512
6a958bee35f4e51d541369647b2af51755c7f3e4e70f8424ca1b87e89601d05d1cb16ad545988625c33c5af97bf841db0966b2a4a4e3c14a4548d08ca176998b

Download Submit
C:\Users\Admin\AppData\Roaming\csrss.exe

Filesize
428KB

MD5
32bd81ddba4419e26f5a681afadf2003

SHA1
a596f84ae955883e24e65156ac8c73e2bf7d45aa

SHA256
aac8026419b57ef0f17610aca1cad8e42f8f5dbac87dcbc664cf30eea44a349a

SHA512
6a958bee35f4e51d541369647b2af51755c7f3e4e70f8424ca1b87e89601d05d1cb16ad545988625c33c5af97bf841db0966b2a4a4e3c14a4548d08ca176998b

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
428KB

MD5
08a5c8702dd18e9fc0618184b3467ef1

SHA1
7e8a3ebdc5f0275c7b6a38998fd7159c50ba03ea

SHA256
b33d8425214129b03eb2db2c28a7bd4d8e20b21382b6c2f8ffc2c846608e937a

SHA512
8d33744ec91ebd52247ed01745e38cac4365bb36b5772a22841b5ead6a5606a9633cfe0063cbc70dde713497079bead39faa0dc241848c50fa66301004215512

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\cisvc.exe

Filesize
428KB

MD5
604ebc9243c6d6c6d7ea5bf652129f7b

SHA1
40edad1a0472be129337006f365e575ebec787c6

SHA256
985138d5ac7557dc1132e134ce8c1273e0cd64912244ecc1c9347d1c67a029fb

SHA512
81a9ab15a8e00b711dcbccd6fd3c0fd91496f2349c4cade5c8d2ff6c6b44580e323156ef80a6652abc879bbc234f4b74a844b572055c65e1b300697a699fe3a5

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\logman.exe

Filesize
428KB

MD5
8ab95f24691ca94072ae4b269ae07a67

SHA1
701efd00c2714a42ef7543908c21a4405163d814

SHA256
0373c25918acec8283123f5f087e55d4529f9dd9e763c8eec975d22f85cfc563

SHA512
62c190508e963c2fbe094e8b56d5c42742704812bd6ab8cf0469ddd0e6df75eddb639937f13dc602998ad155439be2cac3f7d5be8efdc13a497022b2f35ec195

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\SysWOW64\drivers\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\sessmgr.exe

Filesize
428KB

MD5
5bfa8f5434319b7e7edf603a7415a508

SHA1
9000cff2a59f5d79b72d17d0ce3e7a3c3f70759e

SHA256
d7ba8a552b015a88231aa27e0d32498df85175ce705c2cebf560c40e7b149bb1

SHA512
3b592bbce8187ffab7640573642be45f3b150d62b0723b3fec516126b5a1a42cddc923fe05978985e647213fe064d2b3dfd2a8d89df101aa4eadc0962153476f

Download Submit
C:\Windows\smss.exe

Filesize
428KB

MD5
bd49d6bfec1aecffef1c00b9806340ab

SHA1
b39deb7559b4f03585de237f54efc15f963d035a

SHA256
447c10caf505c6bca39ba917601a4440880a0dbc328f67d92c1cc08987927f69

SHA512
22768f9177bbe271180f5b90be0e69ca7f14c1cae2f414c1fa6f65945b65eaa628fe4ec5774d877c9c34cceb0da7d12960e06c8058e028424d87d21dd204406b

Download Submit
C:\Windows\smss.exe

Filesize
428KB

MD5
bd49d6bfec1aecffef1c00b9806340ab

SHA1
b39deb7559b4f03585de237f54efc15f963d035a

SHA256
447c10caf505c6bca39ba917601a4440880a0dbc328f67d92c1cc08987927f69

SHA512
22768f9177bbe271180f5b90be0e69ca7f14c1cae2f414c1fa6f65945b65eaa628fe4ec5774d877c9c34cceb0da7d12960e06c8058e028424d87d21dd204406b

Download Submit
C:\Windows\smss.exe

Filesize
428KB

MD5
bd49d6bfec1aecffef1c00b9806340ab

SHA1
b39deb7559b4f03585de237f54efc15f963d035a

SHA256
447c10caf505c6bca39ba917601a4440880a0dbc328f67d92c1cc08987927f69

SHA512
22768f9177bbe271180f5b90be0e69ca7f14c1cae2f414c1fa6f65945b65eaa628fe4ec5774d877c9c34cceb0da7d12960e06c8058e028424d87d21dd204406b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads