ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3

Analysis

max time kernel
7s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
26/12/2023, 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763ef796ee1af7d3217013c25a48f7fd.exe
Size

216KB
MD5

763ef796ee1af7d3217013c25a48f7fd
SHA1

5c7b2eac202d1642ac58a840f5de3b47c10012fa
SHA256

ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3
SHA512

b8750482fd3514a14377fdf71c902e5a774ceb2f97381a74414e1b520516ce2a63e6a8710345d416420b7b16c87fc5495a22f218f3465621eb30aeeabadd9310
SSDEEP

1536:Dkf1zwQVg/8WuREUlOQnF7TkkYSDY6ep5f1zwQVgvXg6Y+:I1zwL/8WuREcnFEkYSYpJ1zwLvX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 8 IoCs

pid	Process
228	userinit.exe
3284	system.exe
1776	system.exe
3332	system.exe
4160	system.exe
3520	system.exe
1800	system.exe
1864	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	763ef796ee1af7d3217013c25a48f7fd.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	763ef796ee1af7d3217013c25a48f7fd.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
4680	763ef796ee1af7d3217013c25a48f7fd.exe
4680	763ef796ee1af7d3217013c25a48f7fd.exe
228	userinit.exe
228	userinit.exe
228	userinit.exe
228	userinit.exe
3284	system.exe
3284	system.exe
228	userinit.exe
228	userinit.exe
1776	system.exe
1776	system.exe
228	userinit.exe
228	userinit.exe
3332	system.exe
3332	system.exe
228	userinit.exe
228	userinit.exe
4160	system.exe
4160	system.exe
228	userinit.exe
228	userinit.exe
3520	system.exe
3520	system.exe
228	userinit.exe
228	userinit.exe
1800	system.exe
1800	system.exe
228	userinit.exe
228	userinit.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
4680	763ef796ee1af7d3217013c25a48f7fd.exe
4680	763ef796ee1af7d3217013c25a48f7fd.exe
228	userinit.exe
228	userinit.exe
3284	system.exe
3284	system.exe
1776	system.exe
1776	system.exe
3332	system.exe
3332	system.exe
4160	system.exe
4160	system.exe
3520	system.exe
3520	system.exe
1800	system.exe
1800	system.exe
1864	system.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 228	4680	763ef796ee1af7d3217013c25a48f7fd.exe	17
PID 4680 wrote to memory of 228	4680	763ef796ee1af7d3217013c25a48f7fd.exe	17
PID 4680 wrote to memory of 228	4680	763ef796ee1af7d3217013c25a48f7fd.exe	17
PID 228 wrote to memory of 3284	228	userinit.exe	33
PID 228 wrote to memory of 3284	228	userinit.exe	33
PID 228 wrote to memory of 3284	228	userinit.exe	33
PID 228 wrote to memory of 1776	228	userinit.exe	51
PID 228 wrote to memory of 1776	228	userinit.exe	51
PID 228 wrote to memory of 1776	228	userinit.exe	51
PID 228 wrote to memory of 3332	228	userinit.exe	70
PID 228 wrote to memory of 3332	228	userinit.exe	70
PID 228 wrote to memory of 3332	228	userinit.exe	70
PID 228 wrote to memory of 4160	228	userinit.exe	89
PID 228 wrote to memory of 4160	228	userinit.exe	89
PID 228 wrote to memory of 4160	228	userinit.exe	89
PID 228 wrote to memory of 3520	228	userinit.exe	97
PID 228 wrote to memory of 3520	228	userinit.exe	97
PID 228 wrote to memory of 3520	228	userinit.exe	97
PID 228 wrote to memory of 1800	228	userinit.exe	98
PID 228 wrote to memory of 1800	228	userinit.exe	98
PID 228 wrote to memory of 1800	228	userinit.exe	98
PID 228 wrote to memory of 1864	228	userinit.exe	99
PID 228 wrote to memory of 1864	228	userinit.exe	99
PID 228 wrote to memory of 1864	228	userinit.exe	99

C:\Users\Admin\AppData\Local\Temp\763ef796ee1af7d3217013c25a48f7fd.exe
"C:\Users\Admin\AppData\Local\Temp\763ef796ee1af7d3217013c25a48f7fd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
216KB

MD5
763ef796ee1af7d3217013c25a48f7fd

SHA1
5c7b2eac202d1642ac58a840f5de3b47c10012fa

SHA256
ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3

SHA512
b8750482fd3514a14377fdf71c902e5a774ceb2f97381a74414e1b520516ce2a63e6a8710345d416420b7b16c87fc5495a22f218f3465621eb30aeeabadd9310

Download Submit
C:\Windows\userinit.exe

Filesize
92KB

MD5
741b0fafcf886897b7e6ed854bddbca8

SHA1
7e14995dd86b267c7a01b84d06ce88b1e3fd0a4c

SHA256
d0330d55fde4d122944a86c83ed2324330f3bdf5b93c3d80949a636a2eacad58

SHA512
8747efdee4dbacce4b1bae924cf32a2bd3b930567e544fcad3511aefffee42a896fd723783191cc262b1fc37a77c523e360d95fa69e2d7bfabeb1f9e18eee962

Download Submit
memory/228-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/408-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/524-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/544-229-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/660-234-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1028-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1068-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1104-324-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1384-224-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1432-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1436-278-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1588-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1688-110-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1776-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1800-50-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-342-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1864-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1872-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1924-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1952-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2220-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2260-346-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2836-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2952-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3016-249-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3044-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3076-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3156-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3272-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3276-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3284-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3332-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3468-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3520-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3656-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3700-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3708-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3732-264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4016-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4028-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4160-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4272-259-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4288-239-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4292-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4464-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4560-320-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4672-214-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4680-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4764-165-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4768-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4808-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4816-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-219-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5004-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5088-310-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download