62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5

Analysis

max time kernel
154s
max time network
185s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 19:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Size

367KB
MD5

16ad11121500f818aadd8db88fb42df0
SHA1

6c616dd2bbe199418dfc6535755c511087498a88
SHA256

62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5
SHA512

2a9f8d8b634e25acd16998f971306d1901a3ee5488a2315e277b26b8dc941dd40386e308a3d831daf513548a0e9a8873ef893d7f47ef3d1c3c0c4f156bb0556e
SSDEEP

6144:TO/DVuhywMptQmZp2DyPCA02HsQ2KZj93cDDj7LAP+:a/DohTMSePCA04+KZhw/e+

Score

8^/10

persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\EseNtUtl = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\esentutl.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DCOM = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhost.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\rsvp.exe	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
File opened for modification	C:\Windows\SysWOW64\drivers\RCXFA06.tmp	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe

Executes dropped EXE 18 IoCs

pid	Process
432	esentutl.exe
4016	dllhost.exe
1280	dllhost.exe
4544	winlogon.exe
3332	wininit.exe
3476	lsm.exe
1604	rsvp.exe
4960	winlogon.exe
1616	esentutl.exe
3944	esentutl.exe
4216	esentutl.exe
2672	dllhost.exe
4348	dllhost.exe
2140	winlogon.exe
4584	wininit.exe
1148	lsm.exe
900	rsvp.exe
4720	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DCOM = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\Windows\\dllhost.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinLogon = "C:\\Users\\Admin\\Local Settings\\Application Data\\Microsoft\\winlogon.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe

Modifies data under HKEY_USERS 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Microsoft RSVP = "C:\\Windows\\System32\\drivers\\rsvp.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\WinLogon = "C:\\Users\\Admin\\AppData\\Roaming\\MICROS~1\\winlogon.exe"	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 432	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	85
PID 2572 wrote to memory of 432	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	85
PID 2572 wrote to memory of 432	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	85
PID 2572 wrote to memory of 4016	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	86
PID 2572 wrote to memory of 4016	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	86
PID 2572 wrote to memory of 4016	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	86
PID 2572 wrote to memory of 1280	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	87
PID 2572 wrote to memory of 1280	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	87
PID 2572 wrote to memory of 1280	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	87
PID 2572 wrote to memory of 4544	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	88
PID 2572 wrote to memory of 4544	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	88
PID 2572 wrote to memory of 4544	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	88
PID 2572 wrote to memory of 3332	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	89
PID 2572 wrote to memory of 3332	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	89
PID 2572 wrote to memory of 3332	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	89
PID 2572 wrote to memory of 3476	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	90
PID 2572 wrote to memory of 3476	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	90
PID 2572 wrote to memory of 3476	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	90
PID 2572 wrote to memory of 1604	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	91
PID 2572 wrote to memory of 1604	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	91
PID 2572 wrote to memory of 1604	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	91
PID 2572 wrote to memory of 4960	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	93
PID 2572 wrote to memory of 4960	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	93
PID 2572 wrote to memory of 4960	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	93
PID 2572 wrote to memory of 1616	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	94
PID 2572 wrote to memory of 1616	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	94
PID 2572 wrote to memory of 1616	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	94
PID 2572 wrote to memory of 3944	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	95
PID 2572 wrote to memory of 3944	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	95
PID 2572 wrote to memory of 3944	2572	62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe	95
PID 3944 wrote to memory of 4216	3944	esentutl.exe	96
PID 3944 wrote to memory of 4216	3944	esentutl.exe	96
PID 3944 wrote to memory of 4216	3944	esentutl.exe	96
PID 3944 wrote to memory of 2672	3944	esentutl.exe	97
PID 3944 wrote to memory of 2672	3944	esentutl.exe	97
PID 3944 wrote to memory of 2672	3944	esentutl.exe	97
PID 3944 wrote to memory of 4348	3944	esentutl.exe	98
PID 3944 wrote to memory of 4348	3944	esentutl.exe	98
PID 3944 wrote to memory of 4348	3944	esentutl.exe	98
PID 3944 wrote to memory of 2140	3944	esentutl.exe	99
PID 3944 wrote to memory of 2140	3944	esentutl.exe	99
PID 3944 wrote to memory of 2140	3944	esentutl.exe	99
PID 3944 wrote to memory of 4584	3944	esentutl.exe	100
PID 3944 wrote to memory of 4584	3944	esentutl.exe	100
PID 3944 wrote to memory of 4584	3944	esentutl.exe	100
PID 3944 wrote to memory of 1148	3944	esentutl.exe	101
PID 3944 wrote to memory of 1148	3944	esentutl.exe	101
PID 3944 wrote to memory of 1148	3944	esentutl.exe	101
PID 3944 wrote to memory of 900	3944	esentutl.exe	102
PID 3944 wrote to memory of 900	3944	esentutl.exe	102
PID 3944 wrote to memory of 900	3944	esentutl.exe	102
PID 3944 wrote to memory of 4720	3944	esentutl.exe	103
PID 3944 wrote to memory of 4720	3944	esentutl.exe	103
PID 3944 wrote to memory of 4720	3944	esentutl.exe	103

C:\Users\Admin\AppData\Local\Temp\62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe
"C:\Users\Admin\AppData\Local\Temp\62431dd6946a4b9718827d6a35dd4cfee853462223f97efb89fe19f6daa165f5.exe"
1⤵
- Adds policy Run key to start application
- Drops file in Drivers directory
- Adds Run key to start application
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe" /c 80
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe" /c 45
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe" /c 20
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\Users\Admin\Local Settings\Application Data\Microsoft\winlogon.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\winlogon.exe" /c 19
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Users\Admin\AppData\Roaming\wininit.exe
  C:\Users\Admin\AppData\Roaming\wininit.exe /c 80
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Users\Admin\AppData\Roaming\MICROS~1\lsm.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\lsm.exe /c 13
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\SysWOW64\drivers\rsvp.exe
  C:\Windows\System32\drivers\rsvp.exe /c 25
  2⤵
  - Executes dropped EXE
  PID:1604
- C:\Users\Admin\AppData\Roaming\MICROS~1\winlogon.exe
  C:\Users\Admin\AppData\Roaming\MICROS~1\winlogon.exe /c 49
  2⤵
  - Executes dropped EXE
  PID:4960
- C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe" /c 5
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe
  "C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe" /r
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe" /c 92
    3⤵
    - Executes dropped EXE
    PID:4216
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe" /c 91
    3⤵
    - Executes dropped EXE
    PID:2672
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe" /c 15
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Users\Admin\Local Settings\Application Data\Microsoft\winlogon.exe
    "C:\Users\Admin\Local Settings\Application Data\Microsoft\winlogon.exe" /c 3
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Users\Admin\AppData\Roaming\wininit.exe
    C:\Users\Admin\AppData\Roaming\wininit.exe /c 85
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Users\Admin\AppData\Roaming\MICROS~1\lsm.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\lsm.exe /c 38
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\drivers\rsvp.exe
    C:\Windows\System32\drivers\rsvp.exe /c 62
    3⤵
    - Executes dropped EXE
    PID:900
- - C:\Users\Admin\AppData\Roaming\MICROS~1\winlogon.exe
    C:\Users\Admin\AppData\Roaming\MICROS~1\winlogon.exe /c 51
    3⤵
    - Executes dropped EXE
    PID:4720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
367KB

MD5
c18294b33da697a2bbb2e2ba6619b054

SHA1
492b050be5386e4999f87db762ecd533bf67a4ee

SHA256
d7813bfeb559c5ab3ff64c7c48cd7367323699d522479fe41adf893d02a740c4

SHA512
1ef192d663961d1c42433c691e4114cee6e3aeadecec1109397988291ea2c2cf8933b2ec9a2dbefefeaf2df4cbdc1cc5a17c3c73434b2624d92cf8cb06dbacf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
367KB

MD5
c18294b33da697a2bbb2e2ba6619b054

SHA1
492b050be5386e4999f87db762ecd533bf67a4ee

SHA256
d7813bfeb559c5ab3ff64c7c48cd7367323699d522479fe41adf893d02a740c4

SHA512
1ef192d663961d1c42433c691e4114cee6e3aeadecec1109397988291ea2c2cf8933b2ec9a2dbefefeaf2df4cbdc1cc5a17c3c73434b2624d92cf8cb06dbacf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
367KB

MD5
c18294b33da697a2bbb2e2ba6619b054

SHA1
492b050be5386e4999f87db762ecd533bf67a4ee

SHA256
d7813bfeb559c5ab3ff64c7c48cd7367323699d522479fe41adf893d02a740c4

SHA512
1ef192d663961d1c42433c691e4114cee6e3aeadecec1109397988291ea2c2cf8933b2ec9a2dbefefeaf2df4cbdc1cc5a17c3c73434b2624d92cf8cb06dbacf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\dllhost.exe

Filesize
367KB

MD5
c18294b33da697a2bbb2e2ba6619b054

SHA1
492b050be5386e4999f87db762ecd533bf67a4ee

SHA256
d7813bfeb559c5ab3ff64c7c48cd7367323699d522479fe41adf893d02a740c4

SHA512
1ef192d663961d1c42433c691e4114cee6e3aeadecec1109397988291ea2c2cf8933b2ec9a2dbefefeaf2df4cbdc1cc5a17c3c73434b2624d92cf8cb06dbacf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\esentutl.exe

Filesize
367KB

MD5
17ccfa1f9e990df523930adfcf0364b7

SHA1
6970b5a7172d6424720c696ba4f7989dd197db25

SHA256
f7692e729380dbde1c0a8baf9fb613dcf1bc4f1a41cb7875867ce1ebaa37f40f

SHA512
5a053008e589aad7c94a9c157a0aef1a04245bcc143655224d154bdd90957d1e2bd0f438da46d4932d04b15a0a2231af7baaa4f69274a7b975fd75ce7f4b63af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\esentutl.exe

Filesize
367KB

MD5
17ccfa1f9e990df523930adfcf0364b7

SHA1
6970b5a7172d6424720c696ba4f7989dd197db25

SHA256
f7692e729380dbde1c0a8baf9fb613dcf1bc4f1a41cb7875867ce1ebaa37f40f

SHA512
5a053008e589aad7c94a9c157a0aef1a04245bcc143655224d154bdd90957d1e2bd0f438da46d4932d04b15a0a2231af7baaa4f69274a7b975fd75ce7f4b63af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\esentutl.exe

Filesize
367KB

MD5
17ccfa1f9e990df523930adfcf0364b7

SHA1
6970b5a7172d6424720c696ba4f7989dd197db25

SHA256
f7692e729380dbde1c0a8baf9fb613dcf1bc4f1a41cb7875867ce1ebaa37f40f

SHA512
5a053008e589aad7c94a9c157a0aef1a04245bcc143655224d154bdd90957d1e2bd0f438da46d4932d04b15a0a2231af7baaa4f69274a7b975fd75ce7f4b63af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\esentutl.exe

Filesize
367KB

MD5
17ccfa1f9e990df523930adfcf0364b7

SHA1
6970b5a7172d6424720c696ba4f7989dd197db25

SHA256
f7692e729380dbde1c0a8baf9fb613dcf1bc4f1a41cb7875867ce1ebaa37f40f

SHA512
5a053008e589aad7c94a9c157a0aef1a04245bcc143655224d154bdd90957d1e2bd0f438da46d4932d04b15a0a2231af7baaa4f69274a7b975fd75ce7f4b63af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain002.Mtx

Filesize
10B

MD5
7a64dce85bc109dfbd4062a72694c16a

SHA1
eadc9ff84ad3f54e63d532c304c05582374efa51

SHA256
bcfdf4e8beec8a5cf45a9528f49b814c712ac6167a4447bb4bebc68a9f2e1f50

SHA512
975d378e9b292b0079c86a27ad818bf1e379a32dfe7b1f563d2fefc745e41c2e288e423ce2af2ba9c00fc0318eb1b0f81ba861db070e6a2df47902718cf634bf

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\lsm.exe

Filesize
367KB

MD5
264f7a52c6c80d5187818e0f6c31de88

SHA1
0fa96b4e0e5fbf816d7bd613d79484e9c8bcf034

SHA256
d1f8135388fcc65c4d22dba7c638a0e2ef093f70eda63a507aed41c543913454

SHA512
42f0ec0c2e480a56746516d2ec04129749158eda40c19d64b65fd26cedbdf100fd39709b2122ad87721927717fb1544984ef2d9d184eaf190450e635f2a6a19e

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\lsm.exe

Filesize
367KB

MD5
264f7a52c6c80d5187818e0f6c31de88

SHA1
0fa96b4e0e5fbf816d7bd613d79484e9c8bcf034

SHA256
d1f8135388fcc65c4d22dba7c638a0e2ef093f70eda63a507aed41c543913454

SHA512
42f0ec0c2e480a56746516d2ec04129749158eda40c19d64b65fd26cedbdf100fd39709b2122ad87721927717fb1544984ef2d9d184eaf190450e635f2a6a19e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\lsm.exe

Filesize
367KB

MD5
264f7a52c6c80d5187818e0f6c31de88

SHA1
0fa96b4e0e5fbf816d7bd613d79484e9c8bcf034

SHA256
d1f8135388fcc65c4d22dba7c638a0e2ef093f70eda63a507aed41c543913454

SHA512
42f0ec0c2e480a56746516d2ec04129749158eda40c19d64b65fd26cedbdf100fd39709b2122ad87721927717fb1544984ef2d9d184eaf190450e635f2a6a19e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
367KB

MD5
e9e70badcf6ee3d69a1cc6def5352724

SHA1
91ca95d36d792b0d84c03f47ae5af8b7a5894612

SHA256
6fccaabc1112f06376e5c5525b4078bfdadf4f85f823a235695caf9627bf15f1

SHA512
84cc76c013744c1f74a8301ee0daa6de4b5ecf5f522b7e89f54fbbfbedf0d455f43f5f0e636981617ee9506f591665b33cd2ccf18848bfa371721c97258bb0d0

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
367KB

MD5
e9e70badcf6ee3d69a1cc6def5352724

SHA1
91ca95d36d792b0d84c03f47ae5af8b7a5894612

SHA256
6fccaabc1112f06376e5c5525b4078bfdadf4f85f823a235695caf9627bf15f1

SHA512
84cc76c013744c1f74a8301ee0daa6de4b5ecf5f522b7e89f54fbbfbedf0d455f43f5f0e636981617ee9506f591665b33cd2ccf18848bfa371721c97258bb0d0

Download Submit
C:\Users\Admin\AppData\Roaming\wininit.exe

Filesize
367KB

MD5
e9e70badcf6ee3d69a1cc6def5352724

SHA1
91ca95d36d792b0d84c03f47ae5af8b7a5894612

SHA256
6fccaabc1112f06376e5c5525b4078bfdadf4f85f823a235695caf9627bf15f1

SHA512
84cc76c013744c1f74a8301ee0daa6de4b5ecf5f522b7e89f54fbbfbedf0d455f43f5f0e636981617ee9506f591665b33cd2ccf18848bfa371721c97258bb0d0

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\Windows\dllhost.exe

Filesize
367KB

MD5
c18294b33da697a2bbb2e2ba6619b054

SHA1
492b050be5386e4999f87db762ecd533bf67a4ee

SHA256
d7813bfeb559c5ab3ff64c7c48cd7367323699d522479fe41adf893d02a740c4

SHA512
1ef192d663961d1c42433c691e4114cee6e3aeadecec1109397988291ea2c2cf8933b2ec9a2dbefefeaf2df4cbdc1cc5a17c3c73434b2624d92cf8cb06dbacf0

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\esentutl.exe

Filesize
367KB

MD5
17ccfa1f9e990df523930adfcf0364b7

SHA1
6970b5a7172d6424720c696ba4f7989dd197db25

SHA256
f7692e729380dbde1c0a8baf9fb613dcf1bc4f1a41cb7875867ce1ebaa37f40f

SHA512
5a053008e589aad7c94a9c157a0aef1a04245bcc143655224d154bdd90957d1e2bd0f438da46d4932d04b15a0a2231af7baaa4f69274a7b975fd75ce7f4b63af

Download Submit
C:\Users\Admin\Local Settings\Application Data\Microsoft\winlogon.exe

Filesize
367KB

MD5
3a893b542786c9cdfd907fd7861d12d1

SHA1
bd4ab2d335de3a364391fa9def107f011cfafc4e

SHA256
21ed79a0351878b74a45ad55f10fdb5e87fb6e78d14fdcf6addeed73586ad703

SHA512
cb4ae51dcf160f2e4e9cace12f8994b970c3e1b591910528519b88be9a33dd530c94ac6930341085dfbb86082820dd37f58b2883ec68d3f6e1ca35e7fe2b538d

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
367KB

MD5
9a1bf2631682609fd9dd85cb858a0a19

SHA1
064823b3998b54f16330ec9ea06cfe8d307fe718

SHA256
043df2667f2b5db42529c40e0536a93de18c5dfbafe081e4d1a613cb91a56e71

SHA512
7f28b2e405ee4b58396fe6cdbcddda4a655cda91761542240da7986fe3e932df776e1e66e71e9b0667cead94922759c482254a61973ff40f74507475543dce1e

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
367KB

MD5
9a1bf2631682609fd9dd85cb858a0a19

SHA1
064823b3998b54f16330ec9ea06cfe8d307fe718

SHA256
043df2667f2b5db42529c40e0536a93de18c5dfbafe081e4d1a613cb91a56e71

SHA512
7f28b2e405ee4b58396fe6cdbcddda4a655cda91761542240da7986fe3e932df776e1e66e71e9b0667cead94922759c482254a61973ff40f74507475543dce1e

Download Submit
C:\Windows\SysWOW64\drivers\rsvp.exe

Filesize
367KB

MD5
9a1bf2631682609fd9dd85cb858a0a19

SHA1
064823b3998b54f16330ec9ea06cfe8d307fe718

SHA256
043df2667f2b5db42529c40e0536a93de18c5dfbafe081e4d1a613cb91a56e71

SHA512
7f28b2e405ee4b58396fe6cdbcddda4a655cda91761542240da7986fe3e932df776e1e66e71e9b0667cead94922759c482254a61973ff40f74507475543dce1e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads