4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0

Analysis

max time kernel
140s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
02/01/2024, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e1686574d7d218527e8990c8c474a64.exe
Size

244KB
MD5

7e1686574d7d218527e8990c8c474a64
SHA1

07fa7d34653172e6c6b00c038f57c038abd6c6ff
SHA256

4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0
SHA512

63afbc023869da1c3b3b988f3b5e972bb25c2038dd9ce3e54efb335dd71c517e0e6555edc7c3b4987b28890cf415b19d1d8308daf18aa80f338b0663bab850a2
SSDEEP

1536:wvf1zwQVgdYYuAXyeHl0BTFXEqkEgOUXhQp1of1zwQVgvKa60+:wn1zwLyYuAXyeaTFbkEg1Qp1o1zwLvK

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
1444	userinit.exe
2832	system.exe
1588	system.exe
3952	system.exe
4904	system.exe
516	system.exe
2624	system.exe
2260	system.exe
2276	system.exe
5028	system.exe
2668	system.exe
384	system.exe
1424	system.exe
4988	system.exe
4784	system.exe
4344	system.exe
3804	system.exe
3976	system.exe
2956	system.exe
2584	system.exe
1032	system.exe
1600	system.exe
4568	system.exe
4660	system.exe
2260	system.exe
2276	system.exe
5028	system.exe
4424	system.exe
3556	system.exe
1456	system.exe
1008	system.exe
3028	system.exe
4896	system.exe
2688	system.exe
2316	system.exe
4848	system.exe
2588	system.exe
3164	system.exe
4148	system.exe
2984	system.exe
5028	system.exe
4476	system.exe
2212	system.exe
4020	system.exe
4652	system.exe
1200	system.exe
4876	system.exe
440	system.exe
3804	system.exe
2156	system.exe
1776	system.exe
2004	system.exe
2860	system.exe
3028	system.exe
1148	system.exe
1452	system.exe
2588	system.exe
2456	system.exe
2840	system.exe
2724	system.exe
3228	system.exe
2992	system.exe
2396	system.exe
3408	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	7e1686574d7d218527e8990c8c474a64.exe
File opened for modification	C:\Windows\userinit.exe	7e1686574d7d218527e8990c8c474a64.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	7e1686574d7d218527e8990c8c474a64.exe
4440	7e1686574d7d218527e8990c8c474a64.exe
1444	userinit.exe
1444	userinit.exe
1444	userinit.exe
1444	userinit.exe
2832	system.exe
2832	system.exe
1444	userinit.exe
1444	userinit.exe
1588	system.exe
1588	system.exe
1444	userinit.exe
1444	userinit.exe
3952	system.exe
3952	system.exe
1444	userinit.exe
1444	userinit.exe
4904	system.exe
4904	system.exe
1444	userinit.exe
1444	userinit.exe
516	system.exe
516	system.exe
1444	userinit.exe
1444	userinit.exe
2624	system.exe
2624	system.exe
1444	userinit.exe
1444	userinit.exe
2260	system.exe
2260	system.exe
1444	userinit.exe
1444	userinit.exe
2276	system.exe
2276	system.exe
1444	userinit.exe
1444	userinit.exe
5028	system.exe
5028	system.exe
1444	userinit.exe
1444	userinit.exe
2668	system.exe
2668	system.exe
1444	userinit.exe
1444	userinit.exe
384	system.exe
384	system.exe
1444	userinit.exe
1444	userinit.exe
1424	system.exe
1424	system.exe
1444	userinit.exe
1444	userinit.exe
4988	system.exe
4988	system.exe
1444	userinit.exe
1444	userinit.exe
4784	system.exe
4784	system.exe
1444	userinit.exe
1444	userinit.exe
4344	system.exe
4344	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1444	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4440	7e1686574d7d218527e8990c8c474a64.exe
4440	7e1686574d7d218527e8990c8c474a64.exe
1444	userinit.exe
1444	userinit.exe
2832	system.exe
2832	system.exe
1588	system.exe
1588	system.exe
3952	system.exe
3952	system.exe
4904	system.exe
4904	system.exe
516	system.exe
516	system.exe
2624	system.exe
2624	system.exe
2260	system.exe
2260	system.exe
2276	system.exe
2276	system.exe
5028	system.exe
5028	system.exe
2668	system.exe
2668	system.exe
384	system.exe
384	system.exe
1424	system.exe
1424	system.exe
4988	system.exe
4988	system.exe
4784	system.exe
4784	system.exe
4344	system.exe
4344	system.exe
3804	system.exe
3804	system.exe
3976	system.exe
3976	system.exe
2956	system.exe
2956	system.exe
2584	system.exe
2584	system.exe
1032	system.exe
1032	system.exe
1600	system.exe
1600	system.exe
4568	system.exe
4568	system.exe
4660	system.exe
4660	system.exe
2260	system.exe
2260	system.exe
2276	system.exe
2276	system.exe
5028	system.exe
5028	system.exe
4424	system.exe
4424	system.exe
3556	system.exe
3556	system.exe
1456	system.exe
1456	system.exe
1008	system.exe
1008	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 1444	4440	7e1686574d7d218527e8990c8c474a64.exe	22
PID 4440 wrote to memory of 1444	4440	7e1686574d7d218527e8990c8c474a64.exe	22
PID 4440 wrote to memory of 1444	4440	7e1686574d7d218527e8990c8c474a64.exe	22
PID 1444 wrote to memory of 2832	1444	userinit.exe	40
PID 1444 wrote to memory of 2832	1444	userinit.exe	40
PID 1444 wrote to memory of 2832	1444	userinit.exe	40
PID 1444 wrote to memory of 1588	1444	userinit.exe	60
PID 1444 wrote to memory of 1588	1444	userinit.exe	60
PID 1444 wrote to memory of 1588	1444	userinit.exe	60
PID 1444 wrote to memory of 3952	1444	userinit.exe	80
PID 1444 wrote to memory of 3952	1444	userinit.exe	80
PID 1444 wrote to memory of 3952	1444	userinit.exe	80
PID 1444 wrote to memory of 4904	1444	userinit.exe	97
PID 1444 wrote to memory of 4904	1444	userinit.exe	97
PID 1444 wrote to memory of 4904	1444	userinit.exe	97
PID 1444 wrote to memory of 516	1444	userinit.exe	98
PID 1444 wrote to memory of 516	1444	userinit.exe	98
PID 1444 wrote to memory of 516	1444	userinit.exe	98
PID 1444 wrote to memory of 2624	1444	userinit.exe	99
PID 1444 wrote to memory of 2624	1444	userinit.exe	99
PID 1444 wrote to memory of 2624	1444	userinit.exe	99
PID 1444 wrote to memory of 2260	1444	userinit.exe	101
PID 1444 wrote to memory of 2260	1444	userinit.exe	101
PID 1444 wrote to memory of 2260	1444	userinit.exe	101
PID 1444 wrote to memory of 2276	1444	userinit.exe	102
PID 1444 wrote to memory of 2276	1444	userinit.exe	102
PID 1444 wrote to memory of 2276	1444	userinit.exe	102
PID 1444 wrote to memory of 5028	1444	userinit.exe	103
PID 1444 wrote to memory of 5028	1444	userinit.exe	103
PID 1444 wrote to memory of 5028	1444	userinit.exe	103
PID 1444 wrote to memory of 2668	1444	userinit.exe	104
PID 1444 wrote to memory of 2668	1444	userinit.exe	104
PID 1444 wrote to memory of 2668	1444	userinit.exe	104
PID 1444 wrote to memory of 384	1444	userinit.exe	105
PID 1444 wrote to memory of 384	1444	userinit.exe	105
PID 1444 wrote to memory of 384	1444	userinit.exe	105
PID 1444 wrote to memory of 1424	1444	userinit.exe	106
PID 1444 wrote to memory of 1424	1444	userinit.exe	106
PID 1444 wrote to memory of 1424	1444	userinit.exe	106
PID 1444 wrote to memory of 4988	1444	userinit.exe	107
PID 1444 wrote to memory of 4988	1444	userinit.exe	107
PID 1444 wrote to memory of 4988	1444	userinit.exe	107
PID 1444 wrote to memory of 4784	1444	userinit.exe	110
PID 1444 wrote to memory of 4784	1444	userinit.exe	110
PID 1444 wrote to memory of 4784	1444	userinit.exe	110
PID 1444 wrote to memory of 4344	1444	userinit.exe	113
PID 1444 wrote to memory of 4344	1444	userinit.exe	113
PID 1444 wrote to memory of 4344	1444	userinit.exe	113
PID 1444 wrote to memory of 3804	1444	userinit.exe	114
PID 1444 wrote to memory of 3804	1444	userinit.exe	114
PID 1444 wrote to memory of 3804	1444	userinit.exe	114
PID 1444 wrote to memory of 3976	1444	userinit.exe	115
PID 1444 wrote to memory of 3976	1444	userinit.exe	115
PID 1444 wrote to memory of 3976	1444	userinit.exe	115
PID 1444 wrote to memory of 2956	1444	userinit.exe	117
PID 1444 wrote to memory of 2956	1444	userinit.exe	117
PID 1444 wrote to memory of 2956	1444	userinit.exe	117
PID 1444 wrote to memory of 2584	1444	userinit.exe	118
PID 1444 wrote to memory of 2584	1444	userinit.exe	118
PID 1444 wrote to memory of 2584	1444	userinit.exe	118
PID 1444 wrote to memory of 1032	1444	userinit.exe	119
PID 1444 wrote to memory of 1032	1444	userinit.exe	119
PID 1444 wrote to memory of 1032	1444	userinit.exe	119
PID 1444 wrote to memory of 1600	1444	userinit.exe	121

C:\Users\Admin\AppData\Local\Temp\7e1686574d7d218527e8990c8c474a64.exe
"C:\Users\Admin\AppData\Local\Temp\7e1686574d7d218527e8990c8c474a64.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:60
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
69KB

MD5
194130e79bdbf797bd983ffb644215b5

SHA1
5896d2e8c5fd67aceebabedb35950e3d0685474f

SHA256
47186b6b2c6b48b51c26eb9889acecc38f8f8ed19252e3537db3f3610b8bcae6

SHA512
cfcf90253315b55a19fcd25ed9b1267b535573e15868678847ca4a498f638382639f810a4bcab16205f26185254720bbe4e622dddb52431afd0b192e53c0ae9a

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
62KB

MD5
e23d77023c6bd1af59be89fcdb781a57

SHA1
34f153fbb5ef59e7d0d2b876cdad8e8cf5a8ff36

SHA256
e040551dc4821924fe2a7d007e0fd69c338f643a20717bbb1588bee5c955b2a8

SHA512
c8dbb99295327d337ade74599e708e39eb1a4a6751875c5d25134087e720a8f090debf261a1b122b64373e6a788b971f3ec9493c7b3d0188bcb29c5ea93b871d

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
57KB

MD5
c4644c0e226888afa2af5ec780699bab

SHA1
5dfb5ce8f90d4f9e95cc9e10a8f0e278de6e169f

SHA256
9748ed794324ff7f48ff806a8dd25de97ca6427b98dfb708e11ac8cae39398e6

SHA512
f34c2d14b8ebc5c28ec8d627dca6e853a0b4c1c1e39564fd1138922c41c433e030ede15a41d50efb0a08531da3abedc54731b2203b543d31612320d30ee1f16b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
65KB

MD5
a29415eeb17d1cbf67cfdff01f0d6629

SHA1
c1ba3ca9b2c80ee4da9c2a0a9ddbb7f114845d75

SHA256
b71c9124bbde67354c1d04a53564453b0ad0a39cc7f7f098c970631e5e646ab6

SHA512
9a877579d76b35b84d3bcb8c8d1670d1f76b56dad3a056de6f902426640bcccb38ee23a4da55651f5e2c3fb499ec428021da73db55dc34c0c1cb5cd3baed7d6a

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
98KB

MD5
6726748cabaeda6035f0020ced78e774

SHA1
d6875178a2c1d25f646df5f1448697f3569d1d35

SHA256
39bcc4ddd647cdf28fc15c11a56c32b3e279e61e68d6359cc1ec50b8da046b6f

SHA512
7418844af154a26831621512d2967e046b00bbecc8b70079faacfcfeb1279292c949baf14cbd3df48092b41246959be78095dba6725123aa7aa52257246154ee

Download Submit
C:\Windows\userinit.exe

Filesize
244KB

MD5
7e1686574d7d218527e8990c8c474a64

SHA1
07fa7d34653172e6c6b00c038f57c038abd6c6ff

SHA256
4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0

SHA512
63afbc023869da1c3b3b988f3b5e972bb25c2038dd9ce3e54efb335dd71c517e0e6555edc7c3b4987b28890cf415b19d1d8308daf18aa80f338b0663bab850a2

Download Submit
memory/384-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/516-45-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-169-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1032-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1148-288-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1200-244-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1452-293-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-164-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1588-30-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1600-124-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1776-268-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2004-273-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-263-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2212-229-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2260-139-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2260-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2276-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2316-189-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2396-327-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2456-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2588-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2588-199-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2624-50-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2668-69-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2688-184-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-313-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-25-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2860-278-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2956-109-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2984-214-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-323-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-283-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3164-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3228-318-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3408-331-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3556-159-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3804-258-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3804-99-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3952-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3976-104-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4020-234-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4148-209-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4344-94-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4424-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4440-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4476-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4568-129-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4652-239-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4660-134-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4784-89-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4848-194-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4876-249-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4896-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4904-40-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4988-84-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-219-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-64-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5028-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download