28cfbb2fdb195bb371d07ec62ee7c037f5144cb3cf37c000d457309eec2e0fb2

Analysis

max time kernel
151s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

150d98154489ecdbcb60056eb3630b5b.exe
Size

2.8MB
MD5

150d98154489ecdbcb60056eb3630b5b
SHA1

e0e6b0455e326eaacc260cc745505355671386a1
SHA256

28cfbb2fdb195bb371d07ec62ee7c037f5144cb3cf37c000d457309eec2e0fb2
SHA512

f15f7aa760bda2d9fb09b8a15a69472498eb03c5db2f79faff1db555eefb5ad3699f472e6aaae55cc10304ca08d95e6b86d3472668ecccbb39aec143e4e20e14
SSDEEP

1536:Mvzk+n/yZgaeEalqyVLo9dYJ+0ECg6aRhdsRJ+F:Mbk+6ZganMqykPE+0Ej6aji+F

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2796	userinit.exe
2952	system.exe
2844	system.exe
2712	system.exe
2616	system.exe
3060	system.exe
1304	system.exe
2872	system.exe
2544	system.exe
1976	system.exe
1704	system.exe
1044	system.exe
488	system.exe
868	system.exe
2880	system.exe
1732	system.exe
636	system.exe
1792	system.exe
1760	system.exe
1364	system.exe
1424	system.exe
552	system.exe
2108	system.exe
2696	system.exe
2088	system.exe
1620	system.exe
2704	system.exe
2856	system.exe
2636	system.exe
2644	system.exe
2592	system.exe
1932	system.exe
2652	system.exe
852	system.exe
2544	system.exe
2272	system.exe
1960	system.exe
776	system.exe
1768	system.exe
696	system.exe
1520	system.exe
2368	system.exe
2964	system.exe
1160	system.exe
1708	system.exe
1124	system.exe
616	system.exe
2504	system.exe
3036	system.exe
1020	system.exe
3004	system.exe
460	system.exe
864	system.exe
628	system.exe
2276	system.exe
2104	system.exe
1724	system.exe
2772	system.exe
2612	system.exe
2268	system.exe
312	system.exe
1636	system.exe
1932	system.exe
2652	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe
2796	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	150d98154489ecdbcb60056eb3630b5b.exe
File opened for modification	C:\Windows\userinit.exe	150d98154489ecdbcb60056eb3630b5b.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2564	150d98154489ecdbcb60056eb3630b5b.exe
2796	userinit.exe
2796	userinit.exe
2952	system.exe
2796	userinit.exe
2844	system.exe
2796	userinit.exe
2712	system.exe
2796	userinit.exe
2616	system.exe
2796	userinit.exe
3060	system.exe
2796	userinit.exe
1304	system.exe
2796	userinit.exe
2872	system.exe
2796	userinit.exe
2544	system.exe
2796	userinit.exe
1976	system.exe
2796	userinit.exe
1704	system.exe
2796	userinit.exe
1044	system.exe
2796	userinit.exe
488	system.exe
2796	userinit.exe
868	system.exe
2796	userinit.exe
2880	system.exe
2796	userinit.exe
1732	system.exe
2796	userinit.exe
636	system.exe
2796	userinit.exe
1792	system.exe
2796	userinit.exe
1760	system.exe
2796	userinit.exe
1364	system.exe
2796	userinit.exe
1424	system.exe
2796	userinit.exe
552	system.exe
2796	userinit.exe
2108	system.exe
2796	userinit.exe
2696	system.exe
2796	userinit.exe
2088	system.exe
2796	userinit.exe
1620	system.exe
2796	userinit.exe
2704	system.exe
2796	userinit.exe
2856	system.exe
2796	userinit.exe
2636	system.exe
2796	userinit.exe
2644	system.exe
2796	userinit.exe
2592	system.exe
2796	userinit.exe
1932	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2796	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2564	150d98154489ecdbcb60056eb3630b5b.exe
2564	150d98154489ecdbcb60056eb3630b5b.exe
2796	userinit.exe
2796	userinit.exe
2952	system.exe
2952	system.exe
2844	system.exe
2844	system.exe
2712	system.exe
2712	system.exe
2616	system.exe
2616	system.exe
3060	system.exe
3060	system.exe
1304	system.exe
1304	system.exe
2872	system.exe
2872	system.exe
2544	system.exe
2544	system.exe
1976	system.exe
1976	system.exe
1704	system.exe
1704	system.exe
1044	system.exe
1044	system.exe
488	system.exe
488	system.exe
868	system.exe
868	system.exe
2880	system.exe
2880	system.exe
1732	system.exe
1732	system.exe
636	system.exe
636	system.exe
1792	system.exe
1792	system.exe
1760	system.exe
1760	system.exe
1364	system.exe
1364	system.exe
1424	system.exe
1424	system.exe
552	system.exe
552	system.exe
2108	system.exe
2108	system.exe
2696	system.exe
2696	system.exe
2088	system.exe
2088	system.exe
1620	system.exe
1620	system.exe
2704	system.exe
2704	system.exe
2856	system.exe
2856	system.exe
2636	system.exe
2636	system.exe
2644	system.exe
2644	system.exe
2592	system.exe
2592	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 2796	2564	150d98154489ecdbcb60056eb3630b5b.exe	28
PID 2564 wrote to memory of 2796	2564	150d98154489ecdbcb60056eb3630b5b.exe	28
PID 2564 wrote to memory of 2796	2564	150d98154489ecdbcb60056eb3630b5b.exe	28
PID 2564 wrote to memory of 2796	2564	150d98154489ecdbcb60056eb3630b5b.exe	28
PID 2796 wrote to memory of 2952	2796	userinit.exe	29
PID 2796 wrote to memory of 2952	2796	userinit.exe	29
PID 2796 wrote to memory of 2952	2796	userinit.exe	29
PID 2796 wrote to memory of 2952	2796	userinit.exe	29
PID 2796 wrote to memory of 2844	2796	userinit.exe	30
PID 2796 wrote to memory of 2844	2796	userinit.exe	30
PID 2796 wrote to memory of 2844	2796	userinit.exe	30
PID 2796 wrote to memory of 2844	2796	userinit.exe	30
PID 2796 wrote to memory of 2712	2796	userinit.exe	31
PID 2796 wrote to memory of 2712	2796	userinit.exe	31
PID 2796 wrote to memory of 2712	2796	userinit.exe	31
PID 2796 wrote to memory of 2712	2796	userinit.exe	31
PID 2796 wrote to memory of 2616	2796	userinit.exe	32
PID 2796 wrote to memory of 2616	2796	userinit.exe	32
PID 2796 wrote to memory of 2616	2796	userinit.exe	32
PID 2796 wrote to memory of 2616	2796	userinit.exe	32
PID 2796 wrote to memory of 3060	2796	userinit.exe	33
PID 2796 wrote to memory of 3060	2796	userinit.exe	33
PID 2796 wrote to memory of 3060	2796	userinit.exe	33
PID 2796 wrote to memory of 3060	2796	userinit.exe	33
PID 2796 wrote to memory of 1304	2796	userinit.exe	34
PID 2796 wrote to memory of 1304	2796	userinit.exe	34
PID 2796 wrote to memory of 1304	2796	userinit.exe	34
PID 2796 wrote to memory of 1304	2796	userinit.exe	34
PID 2796 wrote to memory of 2872	2796	userinit.exe	35
PID 2796 wrote to memory of 2872	2796	userinit.exe	35
PID 2796 wrote to memory of 2872	2796	userinit.exe	35
PID 2796 wrote to memory of 2872	2796	userinit.exe	35
PID 2796 wrote to memory of 2544	2796	userinit.exe	64
PID 2796 wrote to memory of 2544	2796	userinit.exe	64
PID 2796 wrote to memory of 2544	2796	userinit.exe	64
PID 2796 wrote to memory of 2544	2796	userinit.exe	64
PID 2796 wrote to memory of 1976	2796	userinit.exe	37
PID 2796 wrote to memory of 1976	2796	userinit.exe	37
PID 2796 wrote to memory of 1976	2796	userinit.exe	37
PID 2796 wrote to memory of 1976	2796	userinit.exe	37
PID 2796 wrote to memory of 1704	2796	userinit.exe	38
PID 2796 wrote to memory of 1704	2796	userinit.exe	38
PID 2796 wrote to memory of 1704	2796	userinit.exe	38
PID 2796 wrote to memory of 1704	2796	userinit.exe	38
PID 2796 wrote to memory of 1044	2796	userinit.exe	39
PID 2796 wrote to memory of 1044	2796	userinit.exe	39
PID 2796 wrote to memory of 1044	2796	userinit.exe	39
PID 2796 wrote to memory of 1044	2796	userinit.exe	39
PID 2796 wrote to memory of 488	2796	userinit.exe	40
PID 2796 wrote to memory of 488	2796	userinit.exe	40
PID 2796 wrote to memory of 488	2796	userinit.exe	40
PID 2796 wrote to memory of 488	2796	userinit.exe	40
PID 2796 wrote to memory of 868	2796	userinit.exe	41
PID 2796 wrote to memory of 868	2796	userinit.exe	41
PID 2796 wrote to memory of 868	2796	userinit.exe	41
PID 2796 wrote to memory of 868	2796	userinit.exe	41
PID 2796 wrote to memory of 2880	2796	userinit.exe	42
PID 2796 wrote to memory of 2880	2796	userinit.exe	42
PID 2796 wrote to memory of 2880	2796	userinit.exe	42
PID 2796 wrote to memory of 2880	2796	userinit.exe	42
PID 2796 wrote to memory of 1732	2796	userinit.exe	43
PID 2796 wrote to memory of 1732	2796	userinit.exe	43
PID 2796 wrote to memory of 1732	2796	userinit.exe	43
PID 2796 wrote to memory of 1732	2796	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\150d98154489ecdbcb60056eb3630b5b.exe
"C:\Users\Admin\AppData\Local\Temp\150d98154489ecdbcb60056eb3630b5b.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
91KB

MD5
205f7e6f7c8300e114b175278dba1fba

SHA1
b76c7c6254a1a13db82329493529dc8b481aa0dd

SHA256
015a06aa36d7dfff65dc854b347310038fb33f1d578d3929d8a0c8065e11aecb

SHA512
f9039094db70fa8276837d37e75609b3cb88b7bf0a3afdfb25959a41f064cb8915ac69f55b404b97f1fbf1cb89c6b22b44cce5cd2beff709b482414e7439fd9a

Download Submit
C:\Windows\userinit.exe

Filesize
1.6MB

MD5
6d47b26166ff549cd341238ca1ddf190

SHA1
74e9a28ad64a02743f3e73b840392b02e62b068c

SHA256
3497fb14af8f8501e56b814df54cb5db1bc909ee09ec1e69a06014ff37ae9df7

SHA512
2eaa2c65753c7461e808781281729802953cbd17bda6f2a44b9d014149b4acd3ff7f32fde43d706e7f8a833ed52038ebba9d67f9e02e871999ff6785f9c2fcbb

Download Submit
C:\Windows\userinit.exe

Filesize
832KB

MD5
32d61642ad81c70b6e36f39b31426053

SHA1
18d26353f7ba076521b0936bc0e98346d9fe11b6

SHA256
0195982663e92f0feae7b4022d2b46c43285ea6d0c228314422998f9d62ddb21

SHA512
a1b05c2b881affcad7066d1a3c21e7024c234315ffe9f7064f2f846d250979ac84bd7dcff3a57ca4ab8b61b4343bf4f60b57ae59a4dcaca481302c1ee78770fd

Download Submit
C:\Windows\userinit.exe

Filesize
960KB

MD5
5f06f031992b08f015e6617246bdbc95

SHA1
86ed3f2604aa574912bfea47dd48c9b8bf1dc63b

SHA256
e2ce06d1e32d27962ceb4c60ad87f6e3b1a62daf1b2e531d252b224446b85db0

SHA512
3907148f21036f360a2747e78b18887349e152b7f48ac1cfc3f79184dca73bc8a2a51fb52793e41c9f6a64cb648cc51eb47e7c597e159ee6b05013e240a50ef9

Download Submit
\Windows\SysWOW64\system.exe

Filesize
893KB

MD5
688f16ede4fd1a21b0073d99fc0e4f65

SHA1
acd7da3b71e706b261648b63fbaa44c80cc26148

SHA256
048a413e99f29191a27882bc8ac98f4718608b6e71d2d3c3427768ee95086b32

SHA512
ef35cbe5563eb47bb3e117e7b5129003b3bac220b94424a11e0c776b0d9e265e669046eafd5e6893968f4ff2f561ed8008280b1b958ca0e9b00da408b6c4ef8a

Download Submit
\Windows\SysWOW64\system.exe

Filesize
381KB

MD5
e2cb5b5daba23abcb36790f5801b1439

SHA1
e7a0273b9d78615dc155ef63e947828867a2bd43

SHA256
004bf16ca978d70450f4cef1a06604b338b5cf75858acab7a4d2c7c5707c28e8

SHA512
f16157fce14c3c463372c4659911453a43cc8f832664990474921be1f0d0791970bafb6a316f10354a505105b1c636a38fd45f3d45bc1f50cbe2c8476265efa0

Download Submit
memory/488-170-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/488-174-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/852-413-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/852-411-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/852-407-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/868-182-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/868-186-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1044-161-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1304-98-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1364-253-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1364-258-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1620-320-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1704-146-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1704-150-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1708-507-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1732-208-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1768-459-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1792-233-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1792-230-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1792-232-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1932-390-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/1976-136-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2108-292-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2544-124-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2544-119-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2544-422-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2564-0-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2564-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2564-13-0x0000000000260000-0x00000000002A9000-memory.dmp

Filesize
292KB

Download
memory/2564-20-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2592-380-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2616-74-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2636-357-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2636-359-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2644-368-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2652-399-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2652-401-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2696-300-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2696-303-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2704-331-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2704-333-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2704-335-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2712-58-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2712-62-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2796-82-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-353-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-287-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-288-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-277-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-297-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-266-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-241-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-299-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-310-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-308-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-318-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-216-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-328-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-135-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-132-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-122-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2796-329-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-340-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-15-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2796-17-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2796-33-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-343-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-279-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-105-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-409-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-356-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-364-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-93-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-366-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-377-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-45-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-375-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-387-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-70-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-385-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-396-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-397-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-56-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2796-406-0x0000000002680000-0x00000000026C9000-memory.dmp

Filesize
292KB

Download
memory/2844-49-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2856-344-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2856-345-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2856-347-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2872-107-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2952-37-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download
memory/2952-35-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3060-86-0x0000000000400000-0x0000000000449000-memory.dmp

Filesize
292KB

Download