37b9281aec1b35f30624b93b22e6b1a3a46f539bf53f8e7a0aa5da8ff1a421f7

Analysis

max time kernel
11s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d84217b92f3ec80f65373a7242401ef.exe
Size

236KB
MD5

5d84217b92f3ec80f65373a7242401ef
SHA1

a074395ef948582f93aab6f3612c6f364e3669f9
SHA256

37b9281aec1b35f30624b93b22e6b1a3a46f539bf53f8e7a0aa5da8ff1a421f7
SHA512

69a8e7ed70421ea62e468894c557e843200757ef212c71136fa4326c074b518b4c3fb45f63a5aaf10e05fd436aeea509d424c8dd349fbb1d5ac19628bcef3981
SSDEEP

1536:drf1zwQVg5buCEUlYevnjy3kk+oef6bpPf1zwQVgvraD+:x1zwL5buCE+njbk+o9pH1zwLvr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 11 IoCs

pid	Process
2724	userinit.exe
2708	system.exe
2768	system.exe
2628	system.exe
2656	system.exe
1644	system.exe
2896	system.exe
2888	system.exe
1564	system.exe
1828	system.exe
1908	system.exe

Loads dropped DLL 20 IoCs

pid	Process
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe
2724	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	5d84217b92f3ec80f65373a7242401ef.exe
File opened for modification	C:\Windows\userinit.exe	5d84217b92f3ec80f65373a7242401ef.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2504	5d84217b92f3ec80f65373a7242401ef.exe
2724	userinit.exe
2724	userinit.exe
2708	system.exe
2724	userinit.exe
2768	system.exe
2724	userinit.exe
2628	system.exe
2724	userinit.exe
2656	system.exe
2724	userinit.exe
1644	system.exe
2724	userinit.exe
2896	system.exe
2724	userinit.exe
2888	system.exe
2724	userinit.exe
1564	system.exe
2724	userinit.exe
1828	system.exe
2724	userinit.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2504	5d84217b92f3ec80f65373a7242401ef.exe
2504	5d84217b92f3ec80f65373a7242401ef.exe
2724	userinit.exe
2724	userinit.exe
2708	system.exe
2708	system.exe
2768	system.exe
2768	system.exe
2628	system.exe
2628	system.exe
2656	system.exe
2656	system.exe
1644	system.exe
1644	system.exe
2896	system.exe
2896	system.exe
2888	system.exe
2888	system.exe
1564	system.exe
1564	system.exe
1828	system.exe
1828	system.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2724	2504	5d84217b92f3ec80f65373a7242401ef.exe	17
PID 2504 wrote to memory of 2724	2504	5d84217b92f3ec80f65373a7242401ef.exe	17
PID 2504 wrote to memory of 2724	2504	5d84217b92f3ec80f65373a7242401ef.exe	17
PID 2504 wrote to memory of 2724	2504	5d84217b92f3ec80f65373a7242401ef.exe	17
PID 2724 wrote to memory of 2708	2724	userinit.exe	29
PID 2724 wrote to memory of 2708	2724	userinit.exe	29
PID 2724 wrote to memory of 2708	2724	userinit.exe	29
PID 2724 wrote to memory of 2708	2724	userinit.exe	29
PID 2724 wrote to memory of 2768	2724	userinit.exe	58
PID 2724 wrote to memory of 2768	2724	userinit.exe	58
PID 2724 wrote to memory of 2768	2724	userinit.exe	58
PID 2724 wrote to memory of 2768	2724	userinit.exe	58
PID 2724 wrote to memory of 2628	2724	userinit.exe	82
PID 2724 wrote to memory of 2628	2724	userinit.exe	82
PID 2724 wrote to memory of 2628	2724	userinit.exe	82
PID 2724 wrote to memory of 2628	2724	userinit.exe	82
PID 2724 wrote to memory of 2656	2724	userinit.exe	32
PID 2724 wrote to memory of 2656	2724	userinit.exe	32
PID 2724 wrote to memory of 2656	2724	userinit.exe	32
PID 2724 wrote to memory of 2656	2724	userinit.exe	32
PID 2724 wrote to memory of 1644	2724	userinit.exe	33
PID 2724 wrote to memory of 1644	2724	userinit.exe	33
PID 2724 wrote to memory of 1644	2724	userinit.exe	33
PID 2724 wrote to memory of 1644	2724	userinit.exe	33
PID 2724 wrote to memory of 2896	2724	userinit.exe	34
PID 2724 wrote to memory of 2896	2724	userinit.exe	34
PID 2724 wrote to memory of 2896	2724	userinit.exe	34
PID 2724 wrote to memory of 2896	2724	userinit.exe	34
PID 2724 wrote to memory of 2888	2724	userinit.exe	109
PID 2724 wrote to memory of 2888	2724	userinit.exe	109
PID 2724 wrote to memory of 2888	2724	userinit.exe	109
PID 2724 wrote to memory of 2888	2724	userinit.exe	109
PID 2724 wrote to memory of 1564	2724	userinit.exe	36
PID 2724 wrote to memory of 1564	2724	userinit.exe	36
PID 2724 wrote to memory of 1564	2724	userinit.exe	36
PID 2724 wrote to memory of 1564	2724	userinit.exe	36
PID 2724 wrote to memory of 1828	2724	userinit.exe	37
PID 2724 wrote to memory of 1828	2724	userinit.exe	37
PID 2724 wrote to memory of 1828	2724	userinit.exe	37
PID 2724 wrote to memory of 1828	2724	userinit.exe	37
PID 2724 wrote to memory of 1908	2724	userinit.exe	38
PID 2724 wrote to memory of 1908	2724	userinit.exe	38
PID 2724 wrote to memory of 1908	2724	userinit.exe	38
PID 2724 wrote to memory of 1908	2724	userinit.exe	38

C:\Users\Admin\AppData\Local\Temp\5d84217b92f3ec80f65373a7242401ef.exe
"C:\Users\Admin\AppData\Local\Temp\5d84217b92f3ec80f65373a7242401ef.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-147-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-192-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/944-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/988-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1564-113-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1600-255-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1644-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1668-180-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1684-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1828-124-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1908-136-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1948-228-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2228-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2232-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2480-242-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2504-18-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2504-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2504-12-0x0000000000320000-0x000000000035B000-memory.dmp

Filesize
236KB

Download
memory/2524-313-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2524-315-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2628-58-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2656-69-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2708-34-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2724-237-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-290-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-200-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-348-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-225-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-188-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-227-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-154-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-238-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-131-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-93-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-252-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-249-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-262-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-272-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-350-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-270-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-281-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-280-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-339-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-48-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-54-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-291-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-301-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-300-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-309-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-311-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-340-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-30-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-320-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2724-321-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-330-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2724-332-0x0000000000350000-0x000000000038B000-memory.dmp

Filesize
236KB

Download
memory/2768-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2768-354-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2768-352-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2888-102-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-205-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2916-203-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download