e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/03/2024, 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2fcbf70696315646a34d27ce9906d55.exe
Size

80KB
MD5

c2fcbf70696315646a34d27ce9906d55
SHA1

feed301fe84a4b87aa94218d25cfcf33d268db9c
SHA256

e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d
SHA512

351e6d082fb5141c06ee97e9f6916d302541b5c38c81e64c2719854b4c55602abcd52783da8a6302abbc26d2b2e3030b3d7851187ab7b167add753a9dbd88653
SSDEEP

1536:Jdkf22gypebgdFwgXfu+xW2zRk5If4aRhdsRRkF:nkepys/+xW2zRk5IwajKkF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
4864	userinit.exe
1968	system.exe
3996	system.exe
3724	system.exe
3224	system.exe
4052	system.exe
1540	system.exe
3232	system.exe
3636	system.exe
828	system.exe
4880	system.exe
2800	system.exe
3056	system.exe
1904	system.exe
4336	system.exe
2248	system.exe
1524	system.exe
3596	system.exe
4564	system.exe
2448	system.exe
1164	system.exe
3224	system.exe
4180	system.exe
2052	system.exe
5064	system.exe
3316	system.exe
3876	system.exe
4384	system.exe
1468	system.exe
4312	system.exe
1528	system.exe
4688	system.exe
2800	system.exe
3816	system.exe
4996	system.exe
2840	system.exe
4088	system.exe
2468	system.exe
2832	system.exe
1488	system.exe
224	system.exe
1352	system.exe
2328	system.exe
552	system.exe
4796	system.exe
4308	system.exe
4028	system.exe
2852	system.exe
5004	system.exe
4696	system.exe
4184	system.exe
4388	system.exe
3876	system.exe
4220	system.exe
4800	system.exe
4312	system.exe
4108	system.exe
4348	system.exe
1996	system.exe
3608	system.exe
3620	system.exe
3912	system.exe
4316	system.exe
4808	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	c2fcbf70696315646a34d27ce9906d55.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	c2fcbf70696315646a34d27ce9906d55.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2852	c2fcbf70696315646a34d27ce9906d55.exe
2852	c2fcbf70696315646a34d27ce9906d55.exe
4864	userinit.exe
4864	userinit.exe
4864	userinit.exe
4864	userinit.exe
1968	system.exe
1968	system.exe
4864	userinit.exe
4864	userinit.exe
3996	system.exe
3996	system.exe
4864	userinit.exe
4864	userinit.exe
3724	system.exe
3724	system.exe
4864	userinit.exe
4864	userinit.exe
3224	system.exe
3224	system.exe
4864	userinit.exe
4864	userinit.exe
4052	system.exe
4052	system.exe
4864	userinit.exe
4864	userinit.exe
1540	system.exe
1540	system.exe
4864	userinit.exe
4864	userinit.exe
3232	system.exe
3232	system.exe
4864	userinit.exe
4864	userinit.exe
3636	system.exe
3636	system.exe
4864	userinit.exe
4864	userinit.exe
828	system.exe
828	system.exe
4864	userinit.exe
4864	userinit.exe
4880	system.exe
4880	system.exe
4864	userinit.exe
4864	userinit.exe
2800	system.exe
2800	system.exe
4864	userinit.exe
4864	userinit.exe
3056	system.exe
3056	system.exe
4864	userinit.exe
4864	userinit.exe
1904	system.exe
1904	system.exe
4864	userinit.exe
4864	userinit.exe
4336	system.exe
4336	system.exe
4864	userinit.exe
4864	userinit.exe
2248	system.exe
2248	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4864	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2852	c2fcbf70696315646a34d27ce9906d55.exe
2852	c2fcbf70696315646a34d27ce9906d55.exe
4864	userinit.exe
4864	userinit.exe
1968	system.exe
1968	system.exe
3996	system.exe
3996	system.exe
3724	system.exe
3724	system.exe
3224	system.exe
3224	system.exe
4052	system.exe
4052	system.exe
1540	system.exe
1540	system.exe
3232	system.exe
3232	system.exe
3636	system.exe
3636	system.exe
828	system.exe
828	system.exe
4880	system.exe
4880	system.exe
2800	system.exe
2800	system.exe
3056	system.exe
3056	system.exe
1904	system.exe
1904	system.exe
4336	system.exe
4336	system.exe
2248	system.exe
2248	system.exe
1524	system.exe
1524	system.exe
3596	system.exe
3596	system.exe
4564	system.exe
4564	system.exe
2448	system.exe
2448	system.exe
1164	system.exe
1164	system.exe
3224	system.exe
3224	system.exe
4180	system.exe
4180	system.exe
2052	system.exe
2052	system.exe
5064	system.exe
5064	system.exe
3316	system.exe
3316	system.exe
3876	system.exe
3876	system.exe
4384	system.exe
4384	system.exe
1468	system.exe
1468	system.exe
4312	system.exe
4312	system.exe
1528	system.exe
1528	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 4864	2852	c2fcbf70696315646a34d27ce9906d55.exe	87
PID 2852 wrote to memory of 4864	2852	c2fcbf70696315646a34d27ce9906d55.exe	87
PID 2852 wrote to memory of 4864	2852	c2fcbf70696315646a34d27ce9906d55.exe	87
PID 4864 wrote to memory of 1968	4864	userinit.exe	91
PID 4864 wrote to memory of 1968	4864	userinit.exe	91
PID 4864 wrote to memory of 1968	4864	userinit.exe	91
PID 4864 wrote to memory of 3996	4864	userinit.exe	94
PID 4864 wrote to memory of 3996	4864	userinit.exe	94
PID 4864 wrote to memory of 3996	4864	userinit.exe	94
PID 4864 wrote to memory of 3724	4864	userinit.exe	97
PID 4864 wrote to memory of 3724	4864	userinit.exe	97
PID 4864 wrote to memory of 3724	4864	userinit.exe	97
PID 4864 wrote to memory of 3224	4864	userinit.exe	98
PID 4864 wrote to memory of 3224	4864	userinit.exe	98
PID 4864 wrote to memory of 3224	4864	userinit.exe	98
PID 4864 wrote to memory of 4052	4864	userinit.exe	99
PID 4864 wrote to memory of 4052	4864	userinit.exe	99
PID 4864 wrote to memory of 4052	4864	userinit.exe	99
PID 4864 wrote to memory of 1540	4864	userinit.exe	101
PID 4864 wrote to memory of 1540	4864	userinit.exe	101
PID 4864 wrote to memory of 1540	4864	userinit.exe	101
PID 4864 wrote to memory of 3232	4864	userinit.exe	102
PID 4864 wrote to memory of 3232	4864	userinit.exe	102
PID 4864 wrote to memory of 3232	4864	userinit.exe	102
PID 4864 wrote to memory of 3636	4864	userinit.exe	104
PID 4864 wrote to memory of 3636	4864	userinit.exe	104
PID 4864 wrote to memory of 3636	4864	userinit.exe	104
PID 4864 wrote to memory of 828	4864	userinit.exe	105
PID 4864 wrote to memory of 828	4864	userinit.exe	105
PID 4864 wrote to memory of 828	4864	userinit.exe	105
PID 4864 wrote to memory of 4880	4864	userinit.exe	107
PID 4864 wrote to memory of 4880	4864	userinit.exe	107
PID 4864 wrote to memory of 4880	4864	userinit.exe	107
PID 4864 wrote to memory of 2800	4864	userinit.exe	108
PID 4864 wrote to memory of 2800	4864	userinit.exe	108
PID 4864 wrote to memory of 2800	4864	userinit.exe	108
PID 4864 wrote to memory of 3056	4864	userinit.exe	109
PID 4864 wrote to memory of 3056	4864	userinit.exe	109
PID 4864 wrote to memory of 3056	4864	userinit.exe	109
PID 4864 wrote to memory of 1904	4864	userinit.exe	110
PID 4864 wrote to memory of 1904	4864	userinit.exe	110
PID 4864 wrote to memory of 1904	4864	userinit.exe	110
PID 4864 wrote to memory of 4336	4864	userinit.exe	111
PID 4864 wrote to memory of 4336	4864	userinit.exe	111
PID 4864 wrote to memory of 4336	4864	userinit.exe	111
PID 4864 wrote to memory of 2248	4864	userinit.exe	112
PID 4864 wrote to memory of 2248	4864	userinit.exe	112
PID 4864 wrote to memory of 2248	4864	userinit.exe	112
PID 4864 wrote to memory of 1524	4864	userinit.exe	114
PID 4864 wrote to memory of 1524	4864	userinit.exe	114
PID 4864 wrote to memory of 1524	4864	userinit.exe	114
PID 4864 wrote to memory of 3596	4864	userinit.exe	115
PID 4864 wrote to memory of 3596	4864	userinit.exe	115
PID 4864 wrote to memory of 3596	4864	userinit.exe	115
PID 4864 wrote to memory of 4564	4864	userinit.exe	116
PID 4864 wrote to memory of 4564	4864	userinit.exe	116
PID 4864 wrote to memory of 4564	4864	userinit.exe	116
PID 4864 wrote to memory of 2448	4864	userinit.exe	118
PID 4864 wrote to memory of 2448	4864	userinit.exe	118
PID 4864 wrote to memory of 2448	4864	userinit.exe	118
PID 4864 wrote to memory of 1164	4864	userinit.exe	119
PID 4864 wrote to memory of 1164	4864	userinit.exe	119
PID 4864 wrote to memory of 1164	4864	userinit.exe	119
PID 4864 wrote to memory of 3224	4864	userinit.exe	120

C:\Users\Admin\AppData\Local\Temp\c2fcbf70696315646a34d27ce9906d55.exe
"C:\Users\Admin\AppData\Local\Temp\c2fcbf70696315646a34d27ce9906d55.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
64KB

MD5
aaf9d5287278d162edc957aa60c5b378

SHA1
6657a543e19e1bbe4142fe8e76be6c368cdaf2d3

SHA256
60f15ea36049d1fd555dbd18f8eb93f74b20236356f94de39ac4a9b0a173b6af

SHA512
6e08f3f5af82d00e124a550d53009a45ab0ac55172d9c12315e4b8171eed03dfae081645027ac641fd586ab21fd0f7ae9c855ecb7292f4c4e8321fd242ac83b3

Download Submit
C:\Windows\userinit.exe

Filesize
80KB

MD5
c2fcbf70696315646a34d27ce9906d55

SHA1
feed301fe84a4b87aa94218d25cfcf33d268db9c

SHA256
e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d

SHA512
351e6d082fb5141c06ee97e9f6916d302541b5c38c81e64c2719854b4c55602abcd52783da8a6302abbc26d2b2e3030b3d7851187ab7b167add753a9dbd88653

Download Submit
memory/224-252-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/224-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/224-248-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/552-267-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/564-402-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/828-75-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/828-70-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/828-71-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/972-486-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1108-387-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1164-137-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1308-470-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1468-178-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1468-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1488-241-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1488-245-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1524-111-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1524-114-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1524-110-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1528-191-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1540-54-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1540-58-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-96-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1968-22-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/1968-26-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1996-349-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1996-344-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2040-453-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2052-154-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2128-422-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-106-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2248-382-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2328-262-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-128-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2448-132-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-417-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2448-127-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2468-233-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2664-503-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2684-481-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-208-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2800-204-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2800-86-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2832-238-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2840-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2852-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2852-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2852-15-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2852-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-498-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3056-91-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3164-437-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3224-40-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3224-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3224-142-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3232-63-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3316-165-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3596-119-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3620-360-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3636-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3724-38-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3724-34-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3816-488-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3816-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3816-493-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3868-460-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3868-465-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3876-171-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3876-167-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3876-315-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3896-397-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3912-366-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3996-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3996-28-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4028-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4052-47-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4052-51-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4080-454-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4080-459-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4088-228-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4180-145-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4180-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4184-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4220-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4260-411-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4308-279-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4308-275-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4312-331-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4312-188-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4312-184-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4324-392-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4336-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4348-342-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4384-176-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4388-310-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4400-432-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4564-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4564-121-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4620-427-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-202-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4688-198-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4688-197-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4696-296-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4696-300-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4796-272-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4800-326-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4808-372-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/4808-377-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4864-45-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/4864-52-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4880-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-471-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4884-476-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4980-447-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4996-218-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5004-294-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/5064-156-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/5064-438-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/5064-160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download