b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5905dc411bf712fc10533d5cd28c8f91.exe
Size

80KB
MD5

5905dc411bf712fc10533d5cd28c8f91
SHA1

2ae1d5245f719a442c37e56e10e221eb2b451c48
SHA256

b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081
SHA512

52f1fde1f4730caf1cba81e116360ef2585952dca433427ef6ce149adbfec4994c03843d919244263561b99d8d7ea7c8e78a1c0d33e02af1f8159ccf664d4db0
SSDEEP

1536:sdBwRl7XqChS8Kr8Pypmr1zvaRhdsRJp7:sdGRJfHKA6pKDajip7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3488	userinit.exe
2808	system.exe
1872	system.exe
2444	system.exe
2084	system.exe
1044	system.exe
3208	system.exe
1476	system.exe
3484	system.exe
1556	system.exe
2132	system.exe
2352	system.exe
2416	system.exe
2420	system.exe
2808	system.exe
1612	system.exe
1548	system.exe
1316	system.exe
2152	system.exe
4132	system.exe
3416	system.exe
3968	system.exe
1228	system.exe
3576	system.exe
3628	system.exe
3876	system.exe
2116	system.exe
1984	system.exe
2148	system.exe
1316	system.exe
5104	system.exe
1668	system.exe
2784	system.exe
3648	system.exe
436	system.exe
3352	system.exe
3092	system.exe
1228	system.exe
2964	system.exe
4408	system.exe
2796	system.exe
2260	system.exe
2116	system.exe
5036	system.exe
1020	system.exe
4012	system.exe
4460	system.exe
1244	system.exe
2412	system.exe
4832	system.exe
372	system.exe
3880	system.exe
2796	system.exe
4888	system.exe
5064	system.exe
5036	system.exe
2348	system.exe
4612	system.exe
2304	system.exe
2308	system.exe
4428	system.exe
4832	system.exe
2964	system.exe
4992	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	5905dc411bf712fc10533d5cd28c8f91.exe
File opened for modification	C:\Windows\userinit.exe	5905dc411bf712fc10533d5cd28c8f91.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	5905dc411bf712fc10533d5cd28c8f91.exe
2132	5905dc411bf712fc10533d5cd28c8f91.exe
3488	userinit.exe
3488	userinit.exe
3488	userinit.exe
3488	userinit.exe
2808	system.exe
2808	system.exe
3488	userinit.exe
3488	userinit.exe
1872	system.exe
1872	system.exe
3488	userinit.exe
3488	userinit.exe
2444	system.exe
2444	system.exe
3488	userinit.exe
3488	userinit.exe
2084	system.exe
2084	system.exe
3488	userinit.exe
3488	userinit.exe
1044	system.exe
1044	system.exe
3488	userinit.exe
3488	userinit.exe
3208	system.exe
3208	system.exe
3488	userinit.exe
3488	userinit.exe
1476	system.exe
1476	system.exe
3488	userinit.exe
3488	userinit.exe
3484	system.exe
3484	system.exe
3488	userinit.exe
3488	userinit.exe
1556	system.exe
1556	system.exe
3488	userinit.exe
3488	userinit.exe
2132	system.exe
2132	system.exe
3488	userinit.exe
3488	userinit.exe
2352	system.exe
2352	system.exe
3488	userinit.exe
3488	userinit.exe
2416	system.exe
2416	system.exe
3488	userinit.exe
3488	userinit.exe
2420	system.exe
2420	system.exe
3488	userinit.exe
3488	userinit.exe
2808	system.exe
2808	system.exe
3488	userinit.exe
3488	userinit.exe
1612	system.exe
1612	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3488	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2132	5905dc411bf712fc10533d5cd28c8f91.exe
2132	5905dc411bf712fc10533d5cd28c8f91.exe
3488	userinit.exe
3488	userinit.exe
2808	system.exe
2808	system.exe
1872	system.exe
1872	system.exe
2444	system.exe
2444	system.exe
2084	system.exe
2084	system.exe
1044	system.exe
1044	system.exe
3208	system.exe
3208	system.exe
1476	system.exe
1476	system.exe
3484	system.exe
3484	system.exe
1556	system.exe
1556	system.exe
2132	system.exe
2132	system.exe
2352	system.exe
2352	system.exe
2416	system.exe
2416	system.exe
2420	system.exe
2420	system.exe
2808	system.exe
2808	system.exe
1612	system.exe
1612	system.exe
1548	system.exe
1548	system.exe
1316	system.exe
1316	system.exe
2152	system.exe
2152	system.exe
4132	system.exe
4132	system.exe
3416	system.exe
3416	system.exe
3968	system.exe
3968	system.exe
1228	system.exe
1228	system.exe
3576	system.exe
3576	system.exe
3628	system.exe
3628	system.exe
3876	system.exe
3876	system.exe
2116	system.exe
2116	system.exe
1984	system.exe
1984	system.exe
2148	system.exe
2148	system.exe
1316	system.exe
1316	system.exe
5104	system.exe
5104	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3488	2132	5905dc411bf712fc10533d5cd28c8f91.exe	90
PID 2132 wrote to memory of 3488	2132	5905dc411bf712fc10533d5cd28c8f91.exe	90
PID 2132 wrote to memory of 3488	2132	5905dc411bf712fc10533d5cd28c8f91.exe	90
PID 3488 wrote to memory of 2808	3488	userinit.exe	94
PID 3488 wrote to memory of 2808	3488	userinit.exe	94
PID 3488 wrote to memory of 2808	3488	userinit.exe	94
PID 3488 wrote to memory of 1872	3488	userinit.exe	95
PID 3488 wrote to memory of 1872	3488	userinit.exe	95
PID 3488 wrote to memory of 1872	3488	userinit.exe	95
PID 3488 wrote to memory of 2444	3488	userinit.exe	98
PID 3488 wrote to memory of 2444	3488	userinit.exe	98
PID 3488 wrote to memory of 2444	3488	userinit.exe	98
PID 3488 wrote to memory of 2084	3488	userinit.exe	101
PID 3488 wrote to memory of 2084	3488	userinit.exe	101
PID 3488 wrote to memory of 2084	3488	userinit.exe	101
PID 3488 wrote to memory of 1044	3488	userinit.exe	102
PID 3488 wrote to memory of 1044	3488	userinit.exe	102
PID 3488 wrote to memory of 1044	3488	userinit.exe	102
PID 3488 wrote to memory of 3208	3488	userinit.exe	103
PID 3488 wrote to memory of 3208	3488	userinit.exe	103
PID 3488 wrote to memory of 3208	3488	userinit.exe	103
PID 3488 wrote to memory of 1476	3488	userinit.exe	105
PID 3488 wrote to memory of 1476	3488	userinit.exe	105
PID 3488 wrote to memory of 1476	3488	userinit.exe	105
PID 3488 wrote to memory of 3484	3488	userinit.exe	106
PID 3488 wrote to memory of 3484	3488	userinit.exe	106
PID 3488 wrote to memory of 3484	3488	userinit.exe	106
PID 3488 wrote to memory of 1556	3488	userinit.exe	108
PID 3488 wrote to memory of 1556	3488	userinit.exe	108
PID 3488 wrote to memory of 1556	3488	userinit.exe	108
PID 3488 wrote to memory of 2132	3488	userinit.exe	110
PID 3488 wrote to memory of 2132	3488	userinit.exe	110
PID 3488 wrote to memory of 2132	3488	userinit.exe	110
PID 3488 wrote to memory of 2352	3488	userinit.exe	111
PID 3488 wrote to memory of 2352	3488	userinit.exe	111
PID 3488 wrote to memory of 2352	3488	userinit.exe	111
PID 3488 wrote to memory of 2416	3488	userinit.exe	112
PID 3488 wrote to memory of 2416	3488	userinit.exe	112
PID 3488 wrote to memory of 2416	3488	userinit.exe	112
PID 3488 wrote to memory of 2420	3488	userinit.exe	113
PID 3488 wrote to memory of 2420	3488	userinit.exe	113
PID 3488 wrote to memory of 2420	3488	userinit.exe	113
PID 3488 wrote to memory of 2808	3488	userinit.exe	114
PID 3488 wrote to memory of 2808	3488	userinit.exe	114
PID 3488 wrote to memory of 2808	3488	userinit.exe	114
PID 3488 wrote to memory of 1612	3488	userinit.exe	115
PID 3488 wrote to memory of 1612	3488	userinit.exe	115
PID 3488 wrote to memory of 1612	3488	userinit.exe	115
PID 3488 wrote to memory of 1548	3488	userinit.exe	116
PID 3488 wrote to memory of 1548	3488	userinit.exe	116
PID 3488 wrote to memory of 1548	3488	userinit.exe	116
PID 3488 wrote to memory of 1316	3488	userinit.exe	117
PID 3488 wrote to memory of 1316	3488	userinit.exe	117
PID 3488 wrote to memory of 1316	3488	userinit.exe	117
PID 3488 wrote to memory of 2152	3488	userinit.exe	118
PID 3488 wrote to memory of 2152	3488	userinit.exe	118
PID 3488 wrote to memory of 2152	3488	userinit.exe	118
PID 3488 wrote to memory of 4132	3488	userinit.exe	119
PID 3488 wrote to memory of 4132	3488	userinit.exe	119
PID 3488 wrote to memory of 4132	3488	userinit.exe	119
PID 3488 wrote to memory of 3416	3488	userinit.exe	120
PID 3488 wrote to memory of 3416	3488	userinit.exe	120
PID 3488 wrote to memory of 3416	3488	userinit.exe	120
PID 3488 wrote to memory of 3968	3488	userinit.exe	121

C:\Users\Admin\AppData\Local\Temp\5905dc411bf712fc10533d5cd28c8f91.exe
"C:\Users\Admin\AppData\Local\Temp\5905dc411bf712fc10533d5cd28c8f91.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
5905dc411bf712fc10533d5cd28c8f91

SHA1
2ae1d5245f719a442c37e56e10e221eb2b451c48

SHA256
b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081

SHA512
52f1fde1f4730caf1cba81e116360ef2585952dca433427ef6ce149adbfec4994c03843d919244263561b99d8d7ea7c8e78a1c0d33e02af1f8159ccf664d4db0

Download Submit
memory/372-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/384-459-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/436-217-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1020-270-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1020-274-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1040-442-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1044-47-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1044-51-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-235-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-152-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1228-148-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1244-290-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1308-419-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-121-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1316-117-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1352-392-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1352-387-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1476-59-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1476-63-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-115-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1548-111-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1548-110-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-76-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1556-71-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1556-70-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1612-104-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1612-108-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1668-201-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-28-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1872-29-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1872-33-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1972-431-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1972-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1984-180-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-45-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2084-41-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2116-175-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2116-262-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2132-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2132-81-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2148-185-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-125-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2152-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2152-124-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2260-257-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2304-352-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2308-354-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2308-359-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-407-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-413-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2344-408-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2348-337-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2348-341-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2348-336-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2352-86-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2412-295-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2416-91-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2420-96-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2444-35-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2444-39-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-203-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2784-207-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-318-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-314-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2796-252-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-22-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2808-98-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2808-102-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2808-26-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-375-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2964-240-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3008-460-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3088-385-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3092-226-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3092-230-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3208-57-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3328-447-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-219-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3352-220-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3416-140-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3484-68-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3488-53-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/3488-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3576-157-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3628-159-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3628-163-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3648-212-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-170-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3876-167-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-312-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-307-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3880-308-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3968-142-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4012-279-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4132-131-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4132-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4228-406-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4328-418-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-247-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4408-243-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4600-401-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-370-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4832-300-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-449-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4848-448-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4848-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4888-323-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/4992-380-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-264-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/5036-333-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5036-268-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5064-328-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-430-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-425-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/5104-196-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download