37b9281aec1b35f30624b93b22e6b1a3a46f539bf53f8e7a0aa5da8ff1a421f7

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d84217b92f3ec80f65373a7242401ef.exe
Size

236KB
MD5

5d84217b92f3ec80f65373a7242401ef
SHA1

a074395ef948582f93aab6f3612c6f364e3669f9
SHA256

37b9281aec1b35f30624b93b22e6b1a3a46f539bf53f8e7a0aa5da8ff1a421f7
SHA512

69a8e7ed70421ea62e468894c557e843200757ef212c71136fa4326c074b518b4c3fb45f63a5aaf10e05fd436aeea509d424c8dd349fbb1d5ac19628bcef3981
SSDEEP

1536:drf1zwQVg5buCEUlYevnjy3kk+oef6bpPf1zwQVgvraD+:x1zwL5buCE+njbk+o9pH1zwLvr

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 8 IoCs

pid	Process
2020	userinit.exe
1904	system.exe
3172	system.exe
4532	system.exe
1236	system.exe
4436	system.exe
1064	system.exe
4244	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	5d84217b92f3ec80f65373a7242401ef.exe
File opened for modification	C:\Windows\userinit.exe	5d84217b92f3ec80f65373a7242401ef.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2524	5d84217b92f3ec80f65373a7242401ef.exe
2524	5d84217b92f3ec80f65373a7242401ef.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
2020	userinit.exe
1904	system.exe
1904	system.exe
2020	userinit.exe
2020	userinit.exe
3172	system.exe
3172	system.exe
2020	userinit.exe
2020	userinit.exe
4532	system.exe
4532	system.exe
2020	userinit.exe
2020	userinit.exe
1236	system.exe
1236	system.exe
2020	userinit.exe
2020	userinit.exe
4436	system.exe
4436	system.exe
2020	userinit.exe
2020	userinit.exe
1064	system.exe
1064	system.exe
2020	userinit.exe
2020	userinit.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2524	5d84217b92f3ec80f65373a7242401ef.exe
2524	5d84217b92f3ec80f65373a7242401ef.exe
2020	userinit.exe
2020	userinit.exe
1904	system.exe
1904	system.exe
3172	system.exe
3172	system.exe
4532	system.exe
4532	system.exe
1236	system.exe
1236	system.exe
4436	system.exe
4436	system.exe
1064	system.exe
1064	system.exe
4244	system.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2020	2524	5d84217b92f3ec80f65373a7242401ef.exe	20
PID 2524 wrote to memory of 2020	2524	5d84217b92f3ec80f65373a7242401ef.exe	20
PID 2524 wrote to memory of 2020	2524	5d84217b92f3ec80f65373a7242401ef.exe	20
PID 2020 wrote to memory of 1904	2020	userinit.exe	36
PID 2020 wrote to memory of 1904	2020	userinit.exe	36
PID 2020 wrote to memory of 1904	2020	userinit.exe	36
PID 2020 wrote to memory of 3172	2020	userinit.exe	52
PID 2020 wrote to memory of 3172	2020	userinit.exe	52
PID 2020 wrote to memory of 3172	2020	userinit.exe	52
PID 2020 wrote to memory of 4532	2020	userinit.exe	119
PID 2020 wrote to memory of 4532	2020	userinit.exe	119
PID 2020 wrote to memory of 4532	2020	userinit.exe	119
PID 2020 wrote to memory of 1236	2020	userinit.exe	120
PID 2020 wrote to memory of 1236	2020	userinit.exe	120
PID 2020 wrote to memory of 1236	2020	userinit.exe	120
PID 2020 wrote to memory of 4436	2020	userinit.exe	102
PID 2020 wrote to memory of 4436	2020	userinit.exe	102
PID 2020 wrote to memory of 4436	2020	userinit.exe	102
PID 2020 wrote to memory of 1064	2020	userinit.exe	103
PID 2020 wrote to memory of 1064	2020	userinit.exe	103
PID 2020 wrote to memory of 1064	2020	userinit.exe	103
PID 2020 wrote to memory of 4244	2020	userinit.exe	104
PID 2020 wrote to memory of 4244	2020	userinit.exe	104
PID 2020 wrote to memory of 4244	2020	userinit.exe	104

C:\Users\Admin\AppData\Local\Temp\5d84217b92f3ec80f65373a7242401ef.exe
"C:\Users\Admin\AppData\Local\Temp\5d84217b92f3ec80f65373a7242401ef.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-241-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/448-305-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/456-211-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/540-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/564-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/940-256-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/956-226-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1064-50-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1236-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1308-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1316-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1332-266-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1440-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1488-156-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1488-155-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1552-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-320-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1896-310-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1904-25-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2020-11-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2132-206-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2168-251-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2188-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2284-290-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2324-261-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2524-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2524-15-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2660-231-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2700-176-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2740-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2740-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-246-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2928-196-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2948-201-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2960-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2984-191-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3096-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3112-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3132-166-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3172-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3204-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-300-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-181-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3216-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3424-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3660-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3664-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3740-221-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4064-236-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4132-271-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4244-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4532-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4568-315-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4576-295-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4680-216-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4820-161-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4836-325-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4880-171-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4900-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4992-281-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5064-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download