7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f

Analysis

max time kernel
52s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24cc22632b7a816d642499e61c77d192.exe
Size

237KB
MD5

24cc22632b7a816d642499e61c77d192
SHA1

626f7251883b3dbca8566db16e1059ecf017d9a6
SHA256

7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f
SHA512

4d6a4d89e30007e6bc1c56bd8dcd774c3909214205714759bafbd844474584ffa414c110a586bf186e0510dc2206a0035d31bf210bc7d643ae4dc6157b9443e2
SSDEEP

1536:1f1zwQVgUAmEhSuWELl4Ec9ghMkhRsuJe2pzf1zwQVgvXS6f+:l1zwLNzhSuWEal9bkhRc2pb1zwLvX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 50 IoCs

pid	Process
4500	userinit.exe
5048	system.exe
4488	system.exe
5112	system.exe
3400	system.exe
3908	system.exe
4896	system.exe
4832	system.exe
5072	system.exe
4048	system.exe
3948	system.exe
876	system.exe
4440	system.exe
2384	system.exe
2056	system.exe
1140	system.exe
1440	system.exe
4656	system.exe
548	system.exe
3144	system.exe
3932	system.exe
3224	system.exe
3112	system.exe
3644	system.exe
1296	system.exe
2152	system.exe
4912	system.exe
4408	system.exe
4604	system.exe
3436	system.exe
2056	system.exe
3388	system.exe
4944	system.exe
5016	system.exe
3216	system.exe
4192	system.exe
4320	system.exe
976	system.exe
2068	system.exe
4528	system.exe
2100	BackgroundTransferHost.exe
4440	system.exe
4872	system.exe
696	system.exe
3004	system.exe
4600	system.exe
2016	system.exe
4832	system.exe
5072	system.exe
2152	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	24cc22632b7a816d642499e61c77d192.exe
File opened for modification	C:\Windows\userinit.exe	24cc22632b7a816d642499e61c77d192.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1624	24cc22632b7a816d642499e61c77d192.exe
1624	24cc22632b7a816d642499e61c77d192.exe
4500	userinit.exe
4500	userinit.exe
4500	userinit.exe
4500	userinit.exe
5048	system.exe
5048	system.exe
4500	userinit.exe
4500	userinit.exe
4488	system.exe
4488	system.exe
4500	userinit.exe
4500	userinit.exe
5112	system.exe
5112	system.exe
4500	userinit.exe
4500	userinit.exe
3400	system.exe
3400	system.exe
4500	userinit.exe
4500	userinit.exe
3908	system.exe
3908	system.exe
4500	userinit.exe
4500	userinit.exe
4896	system.exe
4896	system.exe
4500	userinit.exe
4500	userinit.exe
4832	system.exe
4832	system.exe
4500	userinit.exe
4500	userinit.exe
5072	system.exe
5072	system.exe
4500	userinit.exe
4500	userinit.exe
4048	system.exe
4048	system.exe
4500	userinit.exe
4500	userinit.exe
3948	system.exe
3948	system.exe
4500	userinit.exe
4500	userinit.exe
876	system.exe
876	system.exe
4500	userinit.exe
4500	userinit.exe
4440	system.exe
4440	system.exe
4500	userinit.exe
4500	userinit.exe
2384	system.exe
2384	system.exe
4500	userinit.exe
4500	userinit.exe
2056	system.exe
2056	system.exe
4500	userinit.exe
4500	userinit.exe
1140	system.exe
1140	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4500	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1624	24cc22632b7a816d642499e61c77d192.exe
1624	24cc22632b7a816d642499e61c77d192.exe
4500	userinit.exe
4500	userinit.exe
5048	system.exe
5048	system.exe
4488	system.exe
4488	system.exe
5112	system.exe
5112	system.exe
3400	system.exe
3400	system.exe
3908	system.exe
3908	system.exe
4896	system.exe
4896	system.exe
4832	system.exe
4832	system.exe
5072	system.exe
5072	system.exe
4048	system.exe
4048	system.exe
3948	system.exe
3948	system.exe
876	system.exe
876	system.exe
4440	system.exe
4440	system.exe
2384	system.exe
2384	system.exe
2056	system.exe
2056	system.exe
1140	system.exe
1140	system.exe
1440	system.exe
1440	system.exe
4656	system.exe
4656	system.exe
548	system.exe
548	system.exe
3144	system.exe
3144	system.exe
3932	system.exe
3932	system.exe
3224	system.exe
3224	system.exe
3112	system.exe
3112	system.exe
3644	system.exe
3644	system.exe
1296	system.exe
1296	system.exe
2152	system.exe
2152	system.exe
4912	system.exe
4912	system.exe
4408	system.exe
4408	system.exe
4604	system.exe
4604	system.exe
3436	system.exe
3436	system.exe
2056	system.exe
2056	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 4500	1624	24cc22632b7a816d642499e61c77d192.exe	20
PID 1624 wrote to memory of 4500	1624	24cc22632b7a816d642499e61c77d192.exe	20
PID 1624 wrote to memory of 4500	1624	24cc22632b7a816d642499e61c77d192.exe	20
PID 4500 wrote to memory of 5048	4500	userinit.exe	35
PID 4500 wrote to memory of 5048	4500	userinit.exe	35
PID 4500 wrote to memory of 5048	4500	userinit.exe	35
PID 4500 wrote to memory of 4488	4500	userinit.exe	52
PID 4500 wrote to memory of 4488	4500	userinit.exe	52
PID 4500 wrote to memory of 4488	4500	userinit.exe	52
PID 4500 wrote to memory of 5112	4500	userinit.exe	72
PID 4500 wrote to memory of 5112	4500	userinit.exe	72
PID 4500 wrote to memory of 5112	4500	userinit.exe	72
PID 4500 wrote to memory of 3400	4500	userinit.exe	96
PID 4500 wrote to memory of 3400	4500	userinit.exe	96
PID 4500 wrote to memory of 3400	4500	userinit.exe	96
PID 4500 wrote to memory of 3908	4500	userinit.exe	97
PID 4500 wrote to memory of 3908	4500	userinit.exe	97
PID 4500 wrote to memory of 3908	4500	userinit.exe	97
PID 4500 wrote to memory of 4896	4500	userinit.exe	98
PID 4500 wrote to memory of 4896	4500	userinit.exe	98
PID 4500 wrote to memory of 4896	4500	userinit.exe	98
PID 4500 wrote to memory of 4832	4500	userinit.exe	150
PID 4500 wrote to memory of 4832	4500	userinit.exe	150
PID 4500 wrote to memory of 4832	4500	userinit.exe	150
PID 4500 wrote to memory of 5072	4500	userinit.exe	151
PID 4500 wrote to memory of 5072	4500	userinit.exe	151
PID 4500 wrote to memory of 5072	4500	userinit.exe	151
PID 4500 wrote to memory of 4048	4500	userinit.exe	101
PID 4500 wrote to memory of 4048	4500	userinit.exe	101
PID 4500 wrote to memory of 4048	4500	userinit.exe	101
PID 4500 wrote to memory of 3948	4500	userinit.exe	102
PID 4500 wrote to memory of 3948	4500	userinit.exe	102
PID 4500 wrote to memory of 3948	4500	userinit.exe	102
PID 4500 wrote to memory of 876	4500	userinit.exe	105
PID 4500 wrote to memory of 876	4500	userinit.exe	105
PID 4500 wrote to memory of 876	4500	userinit.exe	105
PID 4500 wrote to memory of 4440	4500	userinit.exe	185
PID 4500 wrote to memory of 4440	4500	userinit.exe	185
PID 4500 wrote to memory of 4440	4500	userinit.exe	185
PID 4500 wrote to memory of 2384	4500	userinit.exe	109
PID 4500 wrote to memory of 2384	4500	userinit.exe	109
PID 4500 wrote to memory of 2384	4500	userinit.exe	109
PID 4500 wrote to memory of 2056	4500	userinit.exe	130
PID 4500 wrote to memory of 2056	4500	userinit.exe	130
PID 4500 wrote to memory of 2056	4500	userinit.exe	130
PID 4500 wrote to memory of 1140	4500	userinit.exe	112
PID 4500 wrote to memory of 1140	4500	userinit.exe	112
PID 4500 wrote to memory of 1140	4500	userinit.exe	112
PID 4500 wrote to memory of 1440	4500	userinit.exe	156
PID 4500 wrote to memory of 1440	4500	userinit.exe	156
PID 4500 wrote to memory of 1440	4500	userinit.exe	156
PID 4500 wrote to memory of 4656	4500	userinit.exe	114
PID 4500 wrote to memory of 4656	4500	userinit.exe	114
PID 4500 wrote to memory of 4656	4500	userinit.exe	114
PID 4500 wrote to memory of 548	4500	userinit.exe	204
PID 4500 wrote to memory of 548	4500	userinit.exe	204
PID 4500 wrote to memory of 548	4500	userinit.exe	204
PID 4500 wrote to memory of 3144	4500	userinit.exe	169
PID 4500 wrote to memory of 3144	4500	userinit.exe	169
PID 4500 wrote to memory of 3144	4500	userinit.exe	169
PID 4500 wrote to memory of 3932	4500	userinit.exe	118
PID 4500 wrote to memory of 3932	4500	userinit.exe	118
PID 4500 wrote to memory of 3932	4500	userinit.exe	118
PID 4500 wrote to memory of 3224	4500	userinit.exe	120

C:\Users\Admin\AppData\Local\Temp\24cc22632b7a816d642499e61c77d192.exe
"C:\Users\Admin\AppData\Local\Temp\24cc22632b7a816d642499e61c77d192.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2908

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
1⤵
- Executes dropped EXE
PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
237KB

MD5
24cc22632b7a816d642499e61c77d192

SHA1
626f7251883b3dbca8566db16e1059ecf017d9a6

SHA256
7aafb869b8be4ef14da36bcbac6bd392da1596c57c134b595ab87b40e7a72f5f

SHA512
4d6a4d89e30007e6bc1c56bd8dcd774c3909214205714759bafbd844474584ffa414c110a586bf186e0510dc2206a0035d31bf210bc7d643ae4dc6157b9443e2

Download Submit
C:\Windows\userinit.exe

Filesize
92KB

MD5
c053e38915e75da914aa5d6efb9c1c9c

SHA1
be8f1d7b12c5ec145a7a95d02f7be0737e515260

SHA256
fd8546f175c33b9d90f2d0787df8211f935c827e5907fa2c02319d0ec0fe5765

SHA512
e48a111b00f6d98d3133acbc09ed08bf652242454b9f7284f9c855cb3fac5483e4a8b07ac3af5384d70607de0864d69566577fa70d008d0c3c06a348b013d39f

Download Submit
memory/548-110-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/696-236-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/876-75-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/976-205-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1140-95-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1296-140-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1380-306-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-286-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-100-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1624-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1624-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2016-251-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2056-170-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2068-210-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2100-221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2152-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2152-266-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2228-296-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2288-316-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-85-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2676-276-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3004-241-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3112-130-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3144-115-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3216-190-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3224-125-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3388-175-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3400-40-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3436-165-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3628-301-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3640-271-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3644-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3908-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3932-120-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3948-70-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-65-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4192-195-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4208-291-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4320-200-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4348-281-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4408-155-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4440-226-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4440-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4488-311-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4488-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4500-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4528-216-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4528-215-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4600-246-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-160-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4656-105-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-256-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4832-55-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4872-231-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4896-50-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-150-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4944-180-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5016-185-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5048-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5068-321-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5072-261-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5072-60-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5112-35-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download