7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f

Analysis

max time kernel
11s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24cc22632b7a816d642499e61c77d192.exe
Size

237KB
MD5

24cc22632b7a816d642499e61c77d192
SHA1

626f7251883b3dbca8566db16e1059ecf017d9a6
SHA256

7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f
SHA512

4d6a4d89e30007e6bc1c56bd8dcd774c3909214205714759bafbd844474584ffa414c110a586bf186e0510dc2206a0035d31bf210bc7d643ae4dc6157b9443e2
SSDEEP

1536:1f1zwQVgUAmEhSuWELl4Ec9ghMkhRsuJe2pzf1zwQVgvXS6f+:l1zwLNzhSuWEal9bkhRc2pb1zwLvX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 11 IoCs

pid	Process
2920	userinit.exe
2784	system.exe
2228	system.exe
2440	system.exe
2560	system.exe
1620	system.exe
2872	system.exe
2880	system.exe
2628	system.exe
1628	system.exe
2540	system.exe

Loads dropped DLL 21 IoCs

pid	Process
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe
2920	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	24cc22632b7a816d642499e61c77d192.exe
File opened for modification	C:\Windows\userinit.exe	24cc22632b7a816d642499e61c77d192.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1884	24cc22632b7a816d642499e61c77d192.exe
2920	userinit.exe
2920	userinit.exe
2784	system.exe
2920	userinit.exe
2228	system.exe
2920	userinit.exe
2440	system.exe
2920	userinit.exe
2560	system.exe
2920	userinit.exe
1620	system.exe
2920	userinit.exe
2872	system.exe
2920	userinit.exe
2880	system.exe
2920	userinit.exe
2628	system.exe
2920	userinit.exe
1628	system.exe
2920	userinit.exe
2540	system.exe
2920	userinit.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
1884	24cc22632b7a816d642499e61c77d192.exe
1884	24cc22632b7a816d642499e61c77d192.exe
2920	userinit.exe
2920	userinit.exe
2784	system.exe
2784	system.exe
2228	system.exe
2228	system.exe
2440	system.exe
2440	system.exe
2560	system.exe
2560	system.exe
1620	system.exe
1620	system.exe
2872	system.exe
2872	system.exe
2880	system.exe
2880	system.exe
2628	system.exe
2628	system.exe
1628	system.exe
1628	system.exe
2540	system.exe
2540	system.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2920	1884	24cc22632b7a816d642499e61c77d192.exe	16
PID 1884 wrote to memory of 2920	1884	24cc22632b7a816d642499e61c77d192.exe	16
PID 1884 wrote to memory of 2920	1884	24cc22632b7a816d642499e61c77d192.exe	16
PID 1884 wrote to memory of 2920	1884	24cc22632b7a816d642499e61c77d192.exe	16
PID 2920 wrote to memory of 2784	2920	userinit.exe	29
PID 2920 wrote to memory of 2784	2920	userinit.exe	29
PID 2920 wrote to memory of 2784	2920	userinit.exe	29
PID 2920 wrote to memory of 2784	2920	userinit.exe	29
PID 2920 wrote to memory of 2228	2920	userinit.exe	30
PID 2920 wrote to memory of 2228	2920	userinit.exe	30
PID 2920 wrote to memory of 2228	2920	userinit.exe	30
PID 2920 wrote to memory of 2228	2920	userinit.exe	30
PID 2920 wrote to memory of 2440	2920	userinit.exe	31
PID 2920 wrote to memory of 2440	2920	userinit.exe	31
PID 2920 wrote to memory of 2440	2920	userinit.exe	31
PID 2920 wrote to memory of 2440	2920	userinit.exe	31
PID 2920 wrote to memory of 2560	2920	userinit.exe	60
PID 2920 wrote to memory of 2560	2920	userinit.exe	60
PID 2920 wrote to memory of 2560	2920	userinit.exe	60
PID 2920 wrote to memory of 2560	2920	userinit.exe	60
PID 2920 wrote to memory of 1620	2920	userinit.exe	33
PID 2920 wrote to memory of 1620	2920	userinit.exe	33
PID 2920 wrote to memory of 1620	2920	userinit.exe	33
PID 2920 wrote to memory of 1620	2920	userinit.exe	33
PID 2920 wrote to memory of 2872	2920	userinit.exe	34
PID 2920 wrote to memory of 2872	2920	userinit.exe	34
PID 2920 wrote to memory of 2872	2920	userinit.exe	34
PID 2920 wrote to memory of 2872	2920	userinit.exe	34
PID 2920 wrote to memory of 2880	2920	userinit.exe	35
PID 2920 wrote to memory of 2880	2920	userinit.exe	35
PID 2920 wrote to memory of 2880	2920	userinit.exe	35
PID 2920 wrote to memory of 2880	2920	userinit.exe	35
PID 2920 wrote to memory of 2628	2920	userinit.exe	36
PID 2920 wrote to memory of 2628	2920	userinit.exe	36
PID 2920 wrote to memory of 2628	2920	userinit.exe	36
PID 2920 wrote to memory of 2628	2920	userinit.exe	36
PID 2920 wrote to memory of 1628	2920	userinit.exe	37
PID 2920 wrote to memory of 1628	2920	userinit.exe	37
PID 2920 wrote to memory of 1628	2920	userinit.exe	37
PID 2920 wrote to memory of 1628	2920	userinit.exe	37
PID 2920 wrote to memory of 2540	2920	userinit.exe	38
PID 2920 wrote to memory of 2540	2920	userinit.exe	38
PID 2920 wrote to memory of 2540	2920	userinit.exe	38
PID 2920 wrote to memory of 2540	2920	userinit.exe	38

C:\Windows\userinit.exe
C:\Windows\userinit.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2784
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2440
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2560
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1620
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2880
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2540
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:772
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:864
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2032
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1860
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:596
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1072
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1744
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1224
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2340
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1600
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:492
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:964
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2168
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:624
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2520
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1656
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1716
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2696
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2720
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2600
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2564
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2560
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2216
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2908
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3056
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1908
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1720
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2852
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2252
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1076
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2276
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:892
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1744
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1224
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2348
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1600
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2324
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2152
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2496
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:896
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1616
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2116
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1732
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1576
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2724
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2740
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2616
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1988
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3036
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2040
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2000
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2196
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1604
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1344
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2884
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2252
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2260
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3028
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1972
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1928
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:448
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3068
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:968
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1684
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:288
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2272
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2408
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2028
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1496
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2512
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1856
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1132
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2236
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1556
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:828
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2584
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2620
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2608
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1988
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2872
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1548
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3052
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2284
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2508
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2660
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1604
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2876
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1420
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2064
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1440
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2060
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2276
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2176
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1516
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1184
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1960
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1500
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:492
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2272
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:832
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2996
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2428
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2524
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1868
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2140
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2720
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2592
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:556
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2616
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1268
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2820
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2856
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1520
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2684
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2284
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1904
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1412
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2636
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:772
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1448
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2252
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1980
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1492
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:584
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2212
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:280
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:332

C:\Users\Admin\AppData\Local\Temp\24cc22632b7a816d642499e61c77d192.exe
"C:\Users\Admin\AppData\Local\Temp\24cc22632b7a816d642499e61c77d192.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
237KB

MD5
24cc22632b7a816d642499e61c77d192

SHA1
626f7251883b3dbca8566db16e1059ecf017d9a6

SHA256
7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f

SHA512
4d6a4d89e30007e6bc1c56bd8dcd774c3909214205714759bafbd844474584ffa414c110a586bf186e0510dc2206a0035d31bf210bc7d643ae4dc6157b9443e2

Download Submit
memory/492-273-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/492-272-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/596-204-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/624-305-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/864-168-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/964-283-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1072-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-238-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1224-237-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1620-83-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-133-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-134-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1656-325-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1884-13-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/1884-11-0x00000000002F0000-0x0000000000326000-memory.dmp

Filesize
216KB

Download
memory/2032-181-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2032-179-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2168-294-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2168-293-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-47-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-59-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2440-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-315-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2540-146-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-119-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2628-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2784-32-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2872-93-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-107-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2880-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2920-145-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-292-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-258-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-214-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-130-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-270-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-131-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-282-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-280-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-117-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-246-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-166-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-291-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-301-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-178-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-202-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-303-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-80-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-312-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-311-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-44-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-324-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-322-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2920-332-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download