2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/01/2024, 02:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

738919a12ecfe3b6eaae65a7d600fc9a.exe
Size

73KB
MD5

738919a12ecfe3b6eaae65a7d600fc9a
SHA1

04f8d380c2c1040429438ecd10b1fea3f3fcdb92
SHA256

2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82
SHA512

b9fa077caa7b1b198d71244cd6df5d5ec874af4f61297def58753d7fca3eb422654aec8c23684e1af94f10c5b429018f1974e705465f943026287654bb741717
SSDEEP

1536:k7Qx7w3JD+bXqE/LWJU0Uv+aRhdsR13l:hx7wZsxYU0Uv+ajm3l

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
4532	userinit.exe
1868	system.exe
4688	system.exe
1768	system.exe
3760	system.exe
572	system.exe
3504	system.exe
2452	system.exe
4620	system.exe
3524	system.exe
2112	system.exe
2272	system.exe
2876	system.exe
892	system.exe
4104	system.exe
1056	system.exe
1788	system.exe
4424	system.exe
3308	system.exe
4152	system.exe
1996	system.exe
3384	system.exe
5056	system.exe
3024	system.exe
4824	system.exe
2308	system.exe
444	system.exe
1840	system.exe
1684	system.exe
2548	system.exe
4416	system.exe
2428	system.exe
1368	system.exe
764	system.exe
3036	system.exe
1416	system.exe
3524	system.exe
492	system.exe
3696	system.exe
1452	system.exe
1220	system.exe
2876	system.exe
4072	system.exe
3076	system.exe
3996	system.exe
4252	system.exe
3108	system.exe
4472	system.exe
1008	system.exe
3476	system.exe
1620	system.exe
1060	system.exe
3084	system.exe
4996	system.exe
1044	system.exe
3268	system.exe
1680	system.exe
4028	system.exe
3760	system.exe
1464	system.exe
2104	system.exe
2016	system.exe
1744	system.exe
3296	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	738919a12ecfe3b6eaae65a7d600fc9a.exe
File opened for modification	C:\Windows\userinit.exe	738919a12ecfe3b6eaae65a7d600fc9a.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	738919a12ecfe3b6eaae65a7d600fc9a.exe
2836	738919a12ecfe3b6eaae65a7d600fc9a.exe
4532	userinit.exe
4532	userinit.exe
4532	userinit.exe
4532	userinit.exe
1868	system.exe
1868	system.exe
4532	userinit.exe
4532	userinit.exe
4688	system.exe
4688	system.exe
4532	userinit.exe
4532	userinit.exe
1768	system.exe
1768	system.exe
4532	userinit.exe
4532	userinit.exe
3760	system.exe
3760	system.exe
4532	userinit.exe
4532	userinit.exe
572	system.exe
572	system.exe
4532	userinit.exe
4532	userinit.exe
3504	system.exe
3504	system.exe
4532	userinit.exe
4532	userinit.exe
2452	system.exe
2452	system.exe
4532	userinit.exe
4532	userinit.exe
4620	system.exe
4620	system.exe
4532	userinit.exe
4532	userinit.exe
3524	system.exe
3524	system.exe
4532	userinit.exe
4532	userinit.exe
2112	system.exe
2112	system.exe
4532	userinit.exe
4532	userinit.exe
2272	system.exe
2272	system.exe
4532	userinit.exe
4532	userinit.exe
2876	system.exe
2876	system.exe
4532	userinit.exe
4532	userinit.exe
892	system.exe
892	system.exe
4532	userinit.exe
4532	userinit.exe
4104	system.exe
4104	system.exe
4532	userinit.exe
4532	userinit.exe
1056	system.exe
1056	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4532	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2836	738919a12ecfe3b6eaae65a7d600fc9a.exe
2836	738919a12ecfe3b6eaae65a7d600fc9a.exe
4532	userinit.exe
4532	userinit.exe
1868	system.exe
1868	system.exe
4688	system.exe
4688	system.exe
1768	system.exe
1768	system.exe
3760	system.exe
3760	system.exe
572	system.exe
572	system.exe
3504	system.exe
3504	system.exe
2452	system.exe
2452	system.exe
4620	system.exe
4620	system.exe
3524	system.exe
3524	system.exe
2112	system.exe
2112	system.exe
2272	system.exe
2272	system.exe
2876	system.exe
2876	system.exe
892	system.exe
892	system.exe
4104	system.exe
4104	system.exe
1056	system.exe
1056	system.exe
1788	system.exe
1788	system.exe
4424	system.exe
4424	system.exe
3308	system.exe
3308	system.exe
4152	system.exe
4152	system.exe
1996	system.exe
1996	system.exe
3384	system.exe
3384	system.exe
5056	system.exe
5056	system.exe
3024	system.exe
3024	system.exe
4824	system.exe
4824	system.exe
2308	system.exe
2308	system.exe
444	system.exe
444	system.exe
1840	system.exe
1840	system.exe
1684	system.exe
1684	system.exe
2548	system.exe
2548	system.exe
4416	system.exe
4416	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4532	2836	738919a12ecfe3b6eaae65a7d600fc9a.exe	87
PID 2836 wrote to memory of 4532	2836	738919a12ecfe3b6eaae65a7d600fc9a.exe	87
PID 2836 wrote to memory of 4532	2836	738919a12ecfe3b6eaae65a7d600fc9a.exe	87
PID 4532 wrote to memory of 1868	4532	userinit.exe	89
PID 4532 wrote to memory of 1868	4532	userinit.exe	89
PID 4532 wrote to memory of 1868	4532	userinit.exe	89
PID 4532 wrote to memory of 4688	4532	userinit.exe	91
PID 4532 wrote to memory of 4688	4532	userinit.exe	91
PID 4532 wrote to memory of 4688	4532	userinit.exe	91
PID 4532 wrote to memory of 1768	4532	userinit.exe	92
PID 4532 wrote to memory of 1768	4532	userinit.exe	92
PID 4532 wrote to memory of 1768	4532	userinit.exe	92
PID 4532 wrote to memory of 3760	4532	userinit.exe	95
PID 4532 wrote to memory of 3760	4532	userinit.exe	95
PID 4532 wrote to memory of 3760	4532	userinit.exe	95
PID 4532 wrote to memory of 572	4532	userinit.exe	98
PID 4532 wrote to memory of 572	4532	userinit.exe	98
PID 4532 wrote to memory of 572	4532	userinit.exe	98
PID 4532 wrote to memory of 3504	4532	userinit.exe	100
PID 4532 wrote to memory of 3504	4532	userinit.exe	100
PID 4532 wrote to memory of 3504	4532	userinit.exe	100
PID 4532 wrote to memory of 2452	4532	userinit.exe	101
PID 4532 wrote to memory of 2452	4532	userinit.exe	101
PID 4532 wrote to memory of 2452	4532	userinit.exe	101
PID 4532 wrote to memory of 4620	4532	userinit.exe	102
PID 4532 wrote to memory of 4620	4532	userinit.exe	102
PID 4532 wrote to memory of 4620	4532	userinit.exe	102
PID 4532 wrote to memory of 3524	4532	userinit.exe	105
PID 4532 wrote to memory of 3524	4532	userinit.exe	105
PID 4532 wrote to memory of 3524	4532	userinit.exe	105
PID 4532 wrote to memory of 2112	4532	userinit.exe	106
PID 4532 wrote to memory of 2112	4532	userinit.exe	106
PID 4532 wrote to memory of 2112	4532	userinit.exe	106
PID 4532 wrote to memory of 2272	4532	userinit.exe	107
PID 4532 wrote to memory of 2272	4532	userinit.exe	107
PID 4532 wrote to memory of 2272	4532	userinit.exe	107
PID 4532 wrote to memory of 2876	4532	userinit.exe	108
PID 4532 wrote to memory of 2876	4532	userinit.exe	108
PID 4532 wrote to memory of 2876	4532	userinit.exe	108
PID 4532 wrote to memory of 892	4532	userinit.exe	109
PID 4532 wrote to memory of 892	4532	userinit.exe	109
PID 4532 wrote to memory of 892	4532	userinit.exe	109
PID 4532 wrote to memory of 4104	4532	userinit.exe	110
PID 4532 wrote to memory of 4104	4532	userinit.exe	110
PID 4532 wrote to memory of 4104	4532	userinit.exe	110
PID 4532 wrote to memory of 1056	4532	userinit.exe	111
PID 4532 wrote to memory of 1056	4532	userinit.exe	111
PID 4532 wrote to memory of 1056	4532	userinit.exe	111
PID 4532 wrote to memory of 1788	4532	userinit.exe	112
PID 4532 wrote to memory of 1788	4532	userinit.exe	112
PID 4532 wrote to memory of 1788	4532	userinit.exe	112
PID 4532 wrote to memory of 4424	4532	userinit.exe	113
PID 4532 wrote to memory of 4424	4532	userinit.exe	113
PID 4532 wrote to memory of 4424	4532	userinit.exe	113
PID 4532 wrote to memory of 3308	4532	userinit.exe	114
PID 4532 wrote to memory of 3308	4532	userinit.exe	114
PID 4532 wrote to memory of 3308	4532	userinit.exe	114
PID 4532 wrote to memory of 4152	4532	userinit.exe	115
PID 4532 wrote to memory of 4152	4532	userinit.exe	115
PID 4532 wrote to memory of 4152	4532	userinit.exe	115
PID 4532 wrote to memory of 1996	4532	userinit.exe	116
PID 4532 wrote to memory of 1996	4532	userinit.exe	116
PID 4532 wrote to memory of 1996	4532	userinit.exe	116
PID 4532 wrote to memory of 3384	4532	userinit.exe	118

C:\Users\Admin\AppData\Local\Temp\738919a12ecfe3b6eaae65a7d600fc9a.exe
"C:\Users\Admin\AppData\Local\Temp\738919a12ecfe3b6eaae65a7d600fc9a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:64
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
73KB

MD5
738919a12ecfe3b6eaae65a7d600fc9a

SHA1
04f8d380c2c1040429438ecd10b1fea3f3fcdb92

SHA256
2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82

SHA512
b9fa077caa7b1b198d71244cd6df5d5ec874af4f61297def58753d7fca3eb422654aec8c23684e1af94f10c5b429018f1974e705465f943026287654bb741717

Download Submit
memory/64-475-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/444-165-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/444-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/492-228-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/496-465-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/572-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/656-413-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/728-423-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/764-206-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-98-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/892-94-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1008-288-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1008-284-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1008-283-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-320-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1044-316-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1056-109-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1056-105-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1060-494-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-499-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-304-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1220-241-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1220-245-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1368-201-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1416-213-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1416-403-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1440-433-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1452-238-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1464-350-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1620-299-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1680-330-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-179-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1700-392-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1744-367-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-37-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1768-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1768-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-114-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1828-500-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1828-505-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1840-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-398-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1868-24-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1868-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1996-134-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2016-362-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2020-450-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2060-445-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2104-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-81-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2112-77-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2308-163-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2308-159-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2428-196-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-377-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2452-59-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2452-63-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-17-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-476-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2836-481-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2836-1-0x00000000001D0000-0x00000000001D2000-memory.dmp

Filesize
8KB

Download
memory/2876-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2876-250-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3024-152-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3036-211-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-261-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3084-309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3108-276-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3248-428-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3268-325-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3296-372-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3308-124-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3384-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3452-460-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3476-294-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-57-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3504-53-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3524-75-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3524-71-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3524-219-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3524-223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3560-470-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3696-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-46-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3760-344-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3996-266-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-337-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4028-333-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4028-332-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4072-252-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4104-103-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4152-129-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4168-382-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4252-271-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4280-418-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4416-186-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4416-190-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4424-119-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4440-455-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4448-383-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4472-281-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4512-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-65-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-11-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4532-12-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4620-69-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4688-30-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4688-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4820-408-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4824-157-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-488-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4944-493-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4996-314-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-434-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5040-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-147-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-142-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5056-143-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download