55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14-03-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8a7b930072f7ca7d8e7df988e03d951.exe
Size

684KB
MD5

c8a7b930072f7ca7d8e7df988e03d951
SHA1

a5ce715a12de27c714ae81ed9c31cb24e037832f
SHA256

55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6
SHA512

40126527ead3d5a0966c457e5f33566a0a208112b2fb1ac1187f36ff25fdbd67a945a6726bf7a9caa970f19c8f04ae072c804c529c0351da196eeda8c0bd8608
SSDEEP

1536:cOaxhd8R9NeUl6EbRDbeY5uIaRhdsRxOVhnd:FaD0NeUlnRDKGTajLV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
5028	userinit.exe
4400	system.exe
4596	system.exe
2884	system.exe
1828	system.exe
2600	system.exe
3584	system.exe
948	system.exe
3788	system.exe
32	system.exe
5020	system.exe
1132	system.exe
3204	system.exe
1664	system.exe
1084	system.exe
700	system.exe
2864	system.exe
2104	system.exe
1552	system.exe
1968	system.exe
1132	system.exe
5068	system.exe
1104	system.exe
964	system.exe
4300	system.exe
4404	system.exe
3464	system.exe
5032	system.exe
3680	system.exe
5064	system.exe
2236	system.exe
4340	system.exe
1576	system.exe
2168	system.exe
1104	system.exe
964	system.exe
3008	system.exe
2124	system.exe
2128	system.exe
2140	system.exe
3156	system.exe
2104	system.exe
880	system.exe
5060	system.exe
4644	system.exe
2828	system.exe
4340	system.exe
1664	system.exe
3584	system.exe
2916	system.exe
656	system.exe
984	system.exe
228	system.exe
2104	system.exe
3344	system.exe
3680	system.exe
3688	system.exe
4664	system.exe
3204	system.exe
5008	system.exe
4104	system.exe
4964	system.exe
3584	system.exe
2348	system.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	Regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	c8a7b930072f7ca7d8e7df988e03d951.exe
File opened for modification	C:\Windows\userinit.exe	c8a7b930072f7ca7d8e7df988e03d951.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
860	2316	WerFault.exe	100

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3340	c8a7b930072f7ca7d8e7df988e03d951.exe
3340	c8a7b930072f7ca7d8e7df988e03d951.exe
5028	userinit.exe
5028	userinit.exe
5028	userinit.exe
5028	userinit.exe
4400	system.exe
4400	system.exe
5028	userinit.exe
5028	userinit.exe
4596	system.exe
4596	system.exe
5028	userinit.exe
5028	userinit.exe
2884	system.exe
2884	system.exe
5028	userinit.exe
5028	userinit.exe
1828	system.exe
1828	system.exe
5028	userinit.exe
5028	userinit.exe
2600	system.exe
2600	system.exe
5028	userinit.exe
5028	userinit.exe
3584	system.exe
3584	system.exe
5028	userinit.exe
5028	userinit.exe
948	system.exe
948	system.exe
5028	userinit.exe
5028	userinit.exe
3788	system.exe
3788	system.exe
5028	userinit.exe
5028	userinit.exe
32	system.exe
32	system.exe
5028	userinit.exe
5028	userinit.exe
5020	system.exe
5020	system.exe
5028	userinit.exe
5028	userinit.exe
1132	system.exe
1132	system.exe
5028	userinit.exe
5028	userinit.exe
3204	system.exe
3204	system.exe
5028	userinit.exe
5028	userinit.exe
1664	system.exe
1664	system.exe
5028	userinit.exe
5028	userinit.exe
1084	system.exe
1084	system.exe
5028	userinit.exe
5028	userinit.exe
700	system.exe
700	system.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3340	c8a7b930072f7ca7d8e7df988e03d951.exe
3340	c8a7b930072f7ca7d8e7df988e03d951.exe
5028	userinit.exe
5028	userinit.exe
4400	system.exe
4400	system.exe
4596	system.exe
4596	system.exe
2884	system.exe
2884	system.exe
1828	system.exe
1828	system.exe
2600	system.exe
2600	system.exe
3584	system.exe
3584	system.exe
948	system.exe
948	system.exe
3788	system.exe
3788	system.exe
32	system.exe
32	system.exe
5020	system.exe
5020	system.exe
1132	system.exe
1132	system.exe
3204	system.exe
3204	system.exe
1664	system.exe
1664	system.exe
1084	system.exe
1084	system.exe
700	system.exe
700	system.exe
2864	system.exe
2864	system.exe
2104	system.exe
2104	system.exe
1552	system.exe
1552	system.exe
1968	system.exe
1968	system.exe
1132	system.exe
1132	system.exe
5068	system.exe
5068	system.exe
1104	system.exe
1104	system.exe
964	system.exe
964	system.exe
4300	system.exe
4300	system.exe
4404	system.exe
4404	system.exe
3464	system.exe
3464	system.exe
5032	system.exe
5032	system.exe
3680	system.exe
3680	system.exe
5064	system.exe
5064	system.exe
2236	system.exe
2236	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3340 wrote to memory of 5028	3340	c8a7b930072f7ca7d8e7df988e03d951.exe	99
PID 3340 wrote to memory of 5028	3340	c8a7b930072f7ca7d8e7df988e03d951.exe	99
PID 3340 wrote to memory of 5028	3340	c8a7b930072f7ca7d8e7df988e03d951.exe	99
PID 5028 wrote to memory of 2316	5028	userinit.exe	100
PID 5028 wrote to memory of 2316	5028	userinit.exe	100
PID 5028 wrote to memory of 2316	5028	userinit.exe	100
PID 5028 wrote to memory of 4400	5028	userinit.exe	105
PID 5028 wrote to memory of 4400	5028	userinit.exe	105
PID 5028 wrote to memory of 4400	5028	userinit.exe	105
PID 5028 wrote to memory of 4596	5028	userinit.exe	106
PID 5028 wrote to memory of 4596	5028	userinit.exe	106
PID 5028 wrote to memory of 4596	5028	userinit.exe	106
PID 5028 wrote to memory of 2884	5028	userinit.exe	108
PID 5028 wrote to memory of 2884	5028	userinit.exe	108
PID 5028 wrote to memory of 2884	5028	userinit.exe	108
PID 5028 wrote to memory of 1828	5028	userinit.exe	110
PID 5028 wrote to memory of 1828	5028	userinit.exe	110
PID 5028 wrote to memory of 1828	5028	userinit.exe	110
PID 5028 wrote to memory of 2600	5028	userinit.exe	111
PID 5028 wrote to memory of 2600	5028	userinit.exe	111
PID 5028 wrote to memory of 2600	5028	userinit.exe	111
PID 5028 wrote to memory of 3584	5028	userinit.exe	112
PID 5028 wrote to memory of 3584	5028	userinit.exe	112
PID 5028 wrote to memory of 3584	5028	userinit.exe	112
PID 5028 wrote to memory of 948	5028	userinit.exe	115
PID 5028 wrote to memory of 948	5028	userinit.exe	115
PID 5028 wrote to memory of 948	5028	userinit.exe	115
PID 5028 wrote to memory of 3788	5028	userinit.exe	117
PID 5028 wrote to memory of 3788	5028	userinit.exe	117
PID 5028 wrote to memory of 3788	5028	userinit.exe	117
PID 5028 wrote to memory of 32	5028	userinit.exe	118
PID 5028 wrote to memory of 32	5028	userinit.exe	118
PID 5028 wrote to memory of 32	5028	userinit.exe	118
PID 5028 wrote to memory of 5020	5028	userinit.exe	119
PID 5028 wrote to memory of 5020	5028	userinit.exe	119
PID 5028 wrote to memory of 5020	5028	userinit.exe	119
PID 5028 wrote to memory of 1132	5028	userinit.exe	121
PID 5028 wrote to memory of 1132	5028	userinit.exe	121
PID 5028 wrote to memory of 1132	5028	userinit.exe	121
PID 5028 wrote to memory of 3204	5028	userinit.exe	122
PID 5028 wrote to memory of 3204	5028	userinit.exe	122
PID 5028 wrote to memory of 3204	5028	userinit.exe	122
PID 5028 wrote to memory of 1664	5028	userinit.exe	123
PID 5028 wrote to memory of 1664	5028	userinit.exe	123
PID 5028 wrote to memory of 1664	5028	userinit.exe	123
PID 5028 wrote to memory of 1084	5028	userinit.exe	126
PID 5028 wrote to memory of 1084	5028	userinit.exe	126
PID 5028 wrote to memory of 1084	5028	userinit.exe	126
PID 5028 wrote to memory of 700	5028	userinit.exe	127
PID 5028 wrote to memory of 700	5028	userinit.exe	127
PID 5028 wrote to memory of 700	5028	userinit.exe	127
PID 5028 wrote to memory of 2864	5028	userinit.exe	128
PID 5028 wrote to memory of 2864	5028	userinit.exe	128
PID 5028 wrote to memory of 2864	5028	userinit.exe	128
PID 5028 wrote to memory of 2104	5028	userinit.exe	129
PID 5028 wrote to memory of 2104	5028	userinit.exe	129
PID 5028 wrote to memory of 2104	5028	userinit.exe	129
PID 5028 wrote to memory of 1552	5028	userinit.exe	131
PID 5028 wrote to memory of 1552	5028	userinit.exe	131
PID 5028 wrote to memory of 1552	5028	userinit.exe	131
PID 5028 wrote to memory of 1968	5028	userinit.exe	132
PID 5028 wrote to memory of 1968	5028	userinit.exe	132
PID 5028 wrote to memory of 1968	5028	userinit.exe	132
PID 5028 wrote to memory of 1132	5028	userinit.exe	133

C:\Users\Admin\AppData\Local\Temp\c8a7b930072f7ca7d8e7df988e03d951.exe
"C:\Users\Admin\AppData\Local\Temp\c8a7b930072f7ca7d8e7df988e03d951.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3340
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\Windows\system32\MSWINSCK.OCX /s
    3⤵
    - Loads dropped DLL
    PID:2316
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2316 -s 588
      4⤵
      Program crash
      PID:860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:32
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 2316 -ip 2316
1⤵
PID:4480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
19514e83ff7b391e5d6a3876a4aa535b

SHA1
de2c08563550d331049de540ddd931c0e88e30c1

SHA256
f330826e0a60474a6f2cf1095b45fc05845d01845ab5bfb282e10750ec270abf

SHA512
2c8c825f60cceac36027968081f7a9f84ee2260a6559d507855e8fa0629c368737d71c700b5a09c049f2f74443495b435517f54dba3ace0176e80eacfa0cb32b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
192KB

MD5
77a84e526e85837ab3edb509440c4efe

SHA1
b632fbbb0ac96c41b47bcfaec7c8a76cd55982c0

SHA256
613a6c68e73072fa56761fc30e47be00405a35e1c0ed0b86e0a39f3558b41da0

SHA512
4769584fc22f0ed64b265250f5f9cc5ecf65faaaf34786d0835b9b8d217cf5d3da7297f0d15f8a8bcdc5f61b86feb04d828bc1d1f60be1f39d36d703f985e3e7

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
640KB

MD5
3fa2e7123ca176bf7fef173b135b874c

SHA1
6d903a1635470988691e6ac2442b75dd78f4aa46

SHA256
ed46e91182e7f078044bb54c65dc8bcb5282dcdb4530fbcff720fd93eb93cc5e

SHA512
39c4f48d6bd77fd503d4aea099acf30577495943b296df44da2d164048f7bb54290ef84693e1932e46e29f9452e4e049bdcc58a305777e657d87f1d3a9d35aeb

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
193KB

MD5
e9aeb8d6aabfc42ce7d575533d857d82

SHA1
479776450b758cdc0b1e24b87feb1a1ff35c3142

SHA256
418894b1beb20fdf44d872ac4d5c1eb3a0a5302572052c556fbd54e472d35743

SHA512
ef7edae8c099ce3fb7a3ae77d4a6efe7e71862a234314a9d59ba2d731beb705b426781a9075bde56b9b83dd757aff28fe088568ab0b9c7eb97cd2b555d1936b6

Download Submit
C:\Windows\userinit.exe

Filesize
684KB

MD5
c8a7b930072f7ca7d8e7df988e03d951

SHA1
a5ce715a12de27c714ae81ed9c31cb24e037832f

SHA256
55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6

SHA512
40126527ead3d5a0966c457e5f33566a0a208112b2fb1ac1187f36ff25fdbd67a945a6726bf7a9caa970f19c8f04ae072c804c529c0351da196eeda8c0bd8608

Download Submit
memory/32-67-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/228-280-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/656-270-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/700-97-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/948-57-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/964-196-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/964-137-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/984-275-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1084-92-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1104-191-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1104-132-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1132-122-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1132-77-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1552-112-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1664-255-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1664-87-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1828-42-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1968-117-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2104-226-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2104-107-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2104-285-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2124-206-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2128-211-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2140-216-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2168-186-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2236-172-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2348-330-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2600-47-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2828-245-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2864-102-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2884-37-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2916-265-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3008-201-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3156-221-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3204-309-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3204-82-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3340-17-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3340-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3344-290-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3464-152-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3584-260-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3584-326-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3584-52-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3680-162-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3680-295-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3788-62-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4104-318-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4300-142-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4332-334-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4340-177-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4340-250-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4400-27-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4404-147-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4596-32-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4644-240-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4664-304-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/4964-322-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5008-314-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5020-72-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5028-10-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5032-157-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5060-235-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5064-167-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/5068-127-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download