d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2023 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c0f5afba06355ef242cd0ecc1e880c1.exe
Size

97KB
MD5

1c0f5afba06355ef242cd0ecc1e880c1
SHA1

6149d9f7cbbeecf65a5a83bb474a8b5ee28efb52
SHA256

d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061
SHA512

c98fe4f714279452785ffda24956b19e99dc006cf5ba537ff8b125bfb6957765dd9cfac5156d4589220ddb09286985a1260c898683eb6bd7ff8cfa2e6394e3f9
SSDEEP

1536:KC0OMcamTaWf1zwQVgv6I83yDIjU6J8UlrmfvttU5Hn:JnamTa+1zwLv65CWLnJmXjU5H

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3040	userinit.exe
4760	system.exe
1272	system.exe
4024	system.exe
4564	system.exe
4572	system.exe
3116	system.exe
2700	system.exe
4156	system.exe
1064	system.exe
212	system.exe
4216	system.exe
560	system.exe
4480	system.exe
4784	system.exe
4564	system.exe
1092	system.exe
1624	system.exe
3328	system.exe
4048	system.exe
4092	system.exe
1916	system.exe
1180	system.exe
3680	system.exe
2012	system.exe
3540	system.exe
1508	system.exe
1028	system.exe
4584	system.exe
3728	system.exe
5116	system.exe
3156	system.exe
1168	system.exe
4844	system.exe
1660	system.exe
1536	system.exe
4620	system.exe
1400	system.exe
4424	system.exe
4920	system.exe
4452	system.exe
3696	system.exe
3980	system.exe
376	system.exe
644	system.exe
1488	system.exe
4024	system.exe
956	system.exe
4924	system.exe
3452	system.exe
3248	system.exe
4836	system.exe
3156	system.exe
552	system.exe
1816	system.exe
4136	system.exe
4744	system.exe
1736	system.exe
3328	system.exe
3200	system.exe
3872	system.exe
4020	system.exe
848	system.exe
3124	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	1c0f5afba06355ef242cd0ecc1e880c1.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	1c0f5afba06355ef242cd0ecc1e880c1.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2180	1c0f5afba06355ef242cd0ecc1e880c1.exe
2180	1c0f5afba06355ef242cd0ecc1e880c1.exe
3040	userinit.exe
3040	userinit.exe
3040	userinit.exe
3040	userinit.exe
4760	system.exe
4760	system.exe
3040	userinit.exe
3040	userinit.exe
1272	system.exe
1272	system.exe
3040	userinit.exe
3040	userinit.exe
4024	system.exe
4024	system.exe
3040	userinit.exe
3040	userinit.exe
4564	system.exe
4564	system.exe
3040	userinit.exe
3040	userinit.exe
4572	system.exe
4572	system.exe
3040	userinit.exe
3040	userinit.exe
3116	system.exe
3116	system.exe
3040	userinit.exe
3040	userinit.exe
2700	system.exe
2700	system.exe
3040	userinit.exe
3040	userinit.exe
4156	system.exe
4156	system.exe
3040	userinit.exe
3040	userinit.exe
1064	system.exe
1064	system.exe
3040	userinit.exe
3040	userinit.exe
212	system.exe
212	system.exe
3040	userinit.exe
3040	userinit.exe
4216	system.exe
4216	system.exe
3040	userinit.exe
3040	userinit.exe
560	system.exe
560	system.exe
3040	userinit.exe
3040	userinit.exe
4480	system.exe
4480	system.exe
3040	userinit.exe
3040	userinit.exe
4784	system.exe
4784	system.exe
3040	userinit.exe
3040	userinit.exe
4564	system.exe
4564	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3040	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2180	1c0f5afba06355ef242cd0ecc1e880c1.exe
2180	1c0f5afba06355ef242cd0ecc1e880c1.exe
3040	userinit.exe
3040	userinit.exe
4760	system.exe
4760	system.exe
1272	system.exe
1272	system.exe
4024	system.exe
4024	system.exe
4564	system.exe
4564	system.exe
4572	system.exe
4572	system.exe
3116	system.exe
3116	system.exe
2700	system.exe
2700	system.exe
4156	system.exe
4156	system.exe
1064	system.exe
1064	system.exe
212	system.exe
212	system.exe
4216	system.exe
4216	system.exe
560	system.exe
560	system.exe
4480	system.exe
4480	system.exe
4784	system.exe
4784	system.exe
4564	system.exe
4564	system.exe
1092	system.exe
1092	system.exe
1624	system.exe
1624	system.exe
3328	system.exe
3328	system.exe
4048	system.exe
4048	system.exe
4092	system.exe
4092	system.exe
1916	system.exe
1916	system.exe
1180	system.exe
1180	system.exe
3680	system.exe
3680	system.exe
2012	system.exe
2012	system.exe
3540	system.exe
3540	system.exe
1508	system.exe
1508	system.exe
1028	system.exe
1028	system.exe
4584	system.exe
4584	system.exe
3728	system.exe
3728	system.exe
5116	system.exe
5116	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2180 wrote to memory of 3040	2180	1c0f5afba06355ef242cd0ecc1e880c1.exe	91
PID 2180 wrote to memory of 3040	2180	1c0f5afba06355ef242cd0ecc1e880c1.exe	91
PID 2180 wrote to memory of 3040	2180	1c0f5afba06355ef242cd0ecc1e880c1.exe	91
PID 3040 wrote to memory of 4760	3040	userinit.exe	92
PID 3040 wrote to memory of 4760	3040	userinit.exe	92
PID 3040 wrote to memory of 4760	3040	userinit.exe	92
PID 3040 wrote to memory of 1272	3040	userinit.exe	94
PID 3040 wrote to memory of 1272	3040	userinit.exe	94
PID 3040 wrote to memory of 1272	3040	userinit.exe	94
PID 3040 wrote to memory of 4024	3040	userinit.exe	95
PID 3040 wrote to memory of 4024	3040	userinit.exe	95
PID 3040 wrote to memory of 4024	3040	userinit.exe	95
PID 3040 wrote to memory of 4564	3040	userinit.exe	96
PID 3040 wrote to memory of 4564	3040	userinit.exe	96
PID 3040 wrote to memory of 4564	3040	userinit.exe	96
PID 3040 wrote to memory of 4572	3040	userinit.exe	97
PID 3040 wrote to memory of 4572	3040	userinit.exe	97
PID 3040 wrote to memory of 4572	3040	userinit.exe	97
PID 3040 wrote to memory of 3116	3040	userinit.exe	98
PID 3040 wrote to memory of 3116	3040	userinit.exe	98
PID 3040 wrote to memory of 3116	3040	userinit.exe	98
PID 3040 wrote to memory of 2700	3040	userinit.exe	99
PID 3040 wrote to memory of 2700	3040	userinit.exe	99
PID 3040 wrote to memory of 2700	3040	userinit.exe	99
PID 3040 wrote to memory of 4156	3040	userinit.exe	101
PID 3040 wrote to memory of 4156	3040	userinit.exe	101
PID 3040 wrote to memory of 4156	3040	userinit.exe	101
PID 3040 wrote to memory of 1064	3040	userinit.exe	103
PID 3040 wrote to memory of 1064	3040	userinit.exe	103
PID 3040 wrote to memory of 1064	3040	userinit.exe	103
PID 3040 wrote to memory of 212	3040	userinit.exe	104
PID 3040 wrote to memory of 212	3040	userinit.exe	104
PID 3040 wrote to memory of 212	3040	userinit.exe	104
PID 3040 wrote to memory of 4216	3040	userinit.exe	109
PID 3040 wrote to memory of 4216	3040	userinit.exe	109
PID 3040 wrote to memory of 4216	3040	userinit.exe	109
PID 3040 wrote to memory of 560	3040	userinit.exe	112
PID 3040 wrote to memory of 560	3040	userinit.exe	112
PID 3040 wrote to memory of 560	3040	userinit.exe	112
PID 3040 wrote to memory of 4480	3040	userinit.exe	113
PID 3040 wrote to memory of 4480	3040	userinit.exe	113
PID 3040 wrote to memory of 4480	3040	userinit.exe	113
PID 3040 wrote to memory of 4784	3040	userinit.exe	115
PID 3040 wrote to memory of 4784	3040	userinit.exe	115
PID 3040 wrote to memory of 4784	3040	userinit.exe	115
PID 3040 wrote to memory of 4564	3040	userinit.exe	117
PID 3040 wrote to memory of 4564	3040	userinit.exe	117
PID 3040 wrote to memory of 4564	3040	userinit.exe	117
PID 3040 wrote to memory of 1092	3040	userinit.exe	119
PID 3040 wrote to memory of 1092	3040	userinit.exe	119
PID 3040 wrote to memory of 1092	3040	userinit.exe	119
PID 3040 wrote to memory of 1624	3040	userinit.exe	122
PID 3040 wrote to memory of 1624	3040	userinit.exe	122
PID 3040 wrote to memory of 1624	3040	userinit.exe	122
PID 3040 wrote to memory of 3328	3040	userinit.exe	123
PID 3040 wrote to memory of 3328	3040	userinit.exe	123
PID 3040 wrote to memory of 3328	3040	userinit.exe	123
PID 3040 wrote to memory of 4048	3040	userinit.exe	124
PID 3040 wrote to memory of 4048	3040	userinit.exe	124
PID 3040 wrote to memory of 4048	3040	userinit.exe	124
PID 3040 wrote to memory of 4092	3040	userinit.exe	125
PID 3040 wrote to memory of 4092	3040	userinit.exe	125
PID 3040 wrote to memory of 4092	3040	userinit.exe	125
PID 3040 wrote to memory of 1916	3040	userinit.exe	126

C:\Users\Admin\AppData\Local\Temp\1c0f5afba06355ef242cd0ecc1e880c1.exe
"C:\Users\Admin\AppData\Local\Temp\1c0f5afba06355ef242cd0ecc1e880c1.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2180
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
97KB

MD5
1c0f5afba06355ef242cd0ecc1e880c1

SHA1
6149d9f7cbbeecf65a5a83bb474a8b5ee28efb52

SHA256
d8c4a82e69d87d9e5a2cc5fad5e47854104df2d6989efc6685c348c3128fa061

SHA512
c98fe4f714279452785ffda24956b19e99dc006cf5ba537ff8b125bfb6957765dd9cfac5156d4589220ddb09286985a1260c898683eb6bd7ff8cfa2e6394e3f9

Download Submit
memory/212-86-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/212-90-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/244-436-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/376-274-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/552-329-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/560-101-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/644-279-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/756-462-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/848-383-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/956-295-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/956-291-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1028-180-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1028-184-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1028-185-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1064-83-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1064-82-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1092-124-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1092-120-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1168-212-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1180-157-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1272-35-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1272-31-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1272-36-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1376-447-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1376-442-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1400-242-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1400-236-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1400-241-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1464-430-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1488-284-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1508-178-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1536-229-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1624-129-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1632-415-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1660-224-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1736-352-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1816-335-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1916-151-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/1916-152-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2012-168-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2180-0-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2180-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2180-16-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2180-17-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2432-452-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2700-67-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/2700-71-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3032-420-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-196-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-66-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-113-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-314-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-11-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3040-164-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-265-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-85-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-48-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/3040-213-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-45-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3040-239-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3116-64-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3116-59-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3116-60-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3124-388-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3156-324-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3156-207-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3200-365-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3248-312-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3328-134-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3328-358-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3452-302-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3452-441-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3452-307-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3452-303-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3540-173-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3680-162-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3696-263-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3728-197-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3872-372-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3872-367-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3908-404-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3980-269-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/3980-409-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4020-378-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4024-43-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4024-289-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4024-42-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4024-38-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4048-140-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4048-136-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4092-146-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4092-142-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4136-341-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4156-76-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4156-77-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4216-96-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4216-95-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4424-244-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4424-248-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4452-258-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4480-106-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4516-399-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4528-389-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4528-394-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4564-51-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4564-46-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4564-467-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4564-114-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4564-118-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4572-56-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4572-57-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4584-190-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4620-234-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4760-29-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4760-25-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4760-24-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4784-111-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4836-315-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4836-319-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4844-219-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4844-215-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/4848-457-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4920-253-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/4924-300-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5016-473-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5044-425-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5116-201-0x0000000000400000-0x0000000000451000-memory.dmp

Filesize
324KB

Download
memory/5116-202-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download