ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 14:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

763ef796ee1af7d3217013c25a48f7fd.exe
Size

216KB
MD5

763ef796ee1af7d3217013c25a48f7fd
SHA1

5c7b2eac202d1642ac58a840f5de3b47c10012fa
SHA256

ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3
SHA512

b8750482fd3514a14377fdf71c902e5a774ceb2f97381a74414e1b520516ce2a63e6a8710345d416420b7b16c87fc5495a22f218f3465621eb30aeeabadd9310
SSDEEP

1536:Dkf1zwQVg/8WuREUlOQnF7TkkYSDY6ep5f1zwQVgvXg6Y+:I1zwL/8WuREcnFEkYSYpJ1zwLvX

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2812	userinit.exe
2444	system.exe
2436	system.exe
2852	system.exe
2564	system.exe
2612	system.exe
1796	system.exe
984	system.exe
1660	system.exe
2892	system.exe
1996	system.exe
1832	system.exe
1976	system.exe
892	system.exe
1536	system.exe
1448	system.exe
2352	system.exe
2364	system.exe
1860	system.exe
2316	system.exe
1392	system.exe
1628	system.exe
1868	system.exe
1600	system.exe
688	system.exe
2512	system.exe
840	system.exe
1972	system.exe
1748	system.exe
2032	system.exe
2520	system.exe
2244	system.exe
2384	system.exe
2596	system.exe
2548	system.exe
2572	system.exe
2180	system.exe
672	system.exe
704	system.exe
580	system.exe
2616	system.exe
1988	system.exe
2272	system.exe
2504	system.exe
2500	system.exe
1028	system.exe
980	system.exe
2112	system.exe
2284	system.exe
1476	system.exe
2352	system.exe
2348	system.exe
2868	system.exe
2308	system.exe
2392	system.exe
844	system.exe
1604	system.exe
2172	system.exe
1332	system.exe
1696	system.exe
2188	system.exe
2848	system.exe
876	system.exe
1748	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe
2812	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	763ef796ee1af7d3217013c25a48f7fd.exe
File opened for modification	C:\Windows\userinit.exe	763ef796ee1af7d3217013c25a48f7fd.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2008	763ef796ee1af7d3217013c25a48f7fd.exe
2812	userinit.exe
2812	userinit.exe
2444	system.exe
2812	userinit.exe
2436	system.exe
2812	userinit.exe
2852	system.exe
2812	userinit.exe
2564	system.exe
2812	userinit.exe
2612	system.exe
2812	userinit.exe
1796	system.exe
2812	userinit.exe
984	system.exe
2812	userinit.exe
1660	system.exe
2812	userinit.exe
2892	system.exe
2812	userinit.exe
1996	system.exe
2812	userinit.exe
1832	system.exe
2812	userinit.exe
1976	system.exe
2812	userinit.exe
892	system.exe
2812	userinit.exe
1536	system.exe
2812	userinit.exe
1448	system.exe
2812	userinit.exe
2352	system.exe
2812	userinit.exe
2364	system.exe
2812	userinit.exe
1860	system.exe
2812	userinit.exe
2316	system.exe
2812	userinit.exe
1392	system.exe
2812	userinit.exe
1628	system.exe
2812	userinit.exe
1868	system.exe
2812	userinit.exe
1600	system.exe
2812	userinit.exe
688	system.exe
2812	userinit.exe
2512	system.exe
2812	userinit.exe
840	system.exe
2812	userinit.exe
1972	system.exe
2812	userinit.exe
1748	system.exe
2812	userinit.exe
2032	system.exe
2812	userinit.exe
2520	system.exe
2812	userinit.exe
2244	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2812	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2008	763ef796ee1af7d3217013c25a48f7fd.exe
2008	763ef796ee1af7d3217013c25a48f7fd.exe
2812	userinit.exe
2812	userinit.exe
2444	system.exe
2444	system.exe
2436	system.exe
2436	system.exe
2852	system.exe
2852	system.exe
2564	system.exe
2564	system.exe
2612	system.exe
2612	system.exe
1796	system.exe
1796	system.exe
984	system.exe
984	system.exe
1660	system.exe
1660	system.exe
2892	system.exe
2892	system.exe
1996	system.exe
1996	system.exe
1832	system.exe
1832	system.exe
1976	system.exe
1976	system.exe
892	system.exe
892	system.exe
1536	system.exe
1536	system.exe
1448	system.exe
1448	system.exe
2352	system.exe
2352	system.exe
2364	system.exe
2364	system.exe
1860	system.exe
1860	system.exe
2316	system.exe
2316	system.exe
1392	system.exe
1392	system.exe
1628	system.exe
1628	system.exe
1868	system.exe
1868	system.exe
1600	system.exe
1600	system.exe
688	system.exe
688	system.exe
2512	system.exe
2512	system.exe
840	system.exe
840	system.exe
1972	system.exe
1972	system.exe
1748	system.exe
1748	system.exe
2032	system.exe
2032	system.exe
2520	system.exe
2520	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2812	2008	763ef796ee1af7d3217013c25a48f7fd.exe	28
PID 2008 wrote to memory of 2812	2008	763ef796ee1af7d3217013c25a48f7fd.exe	28
PID 2008 wrote to memory of 2812	2008	763ef796ee1af7d3217013c25a48f7fd.exe	28
PID 2008 wrote to memory of 2812	2008	763ef796ee1af7d3217013c25a48f7fd.exe	28
PID 2812 wrote to memory of 2444	2812	userinit.exe	29
PID 2812 wrote to memory of 2444	2812	userinit.exe	29
PID 2812 wrote to memory of 2444	2812	userinit.exe	29
PID 2812 wrote to memory of 2444	2812	userinit.exe	29
PID 2812 wrote to memory of 2436	2812	userinit.exe	30
PID 2812 wrote to memory of 2436	2812	userinit.exe	30
PID 2812 wrote to memory of 2436	2812	userinit.exe	30
PID 2812 wrote to memory of 2436	2812	userinit.exe	30
PID 2812 wrote to memory of 2852	2812	userinit.exe	31
PID 2812 wrote to memory of 2852	2812	userinit.exe	31
PID 2812 wrote to memory of 2852	2812	userinit.exe	31
PID 2812 wrote to memory of 2852	2812	userinit.exe	31
PID 2812 wrote to memory of 2564	2812	userinit.exe	32
PID 2812 wrote to memory of 2564	2812	userinit.exe	32
PID 2812 wrote to memory of 2564	2812	userinit.exe	32
PID 2812 wrote to memory of 2564	2812	userinit.exe	32
PID 2812 wrote to memory of 2612	2812	userinit.exe	33
PID 2812 wrote to memory of 2612	2812	userinit.exe	33
PID 2812 wrote to memory of 2612	2812	userinit.exe	33
PID 2812 wrote to memory of 2612	2812	userinit.exe	33
PID 2812 wrote to memory of 1796	2812	userinit.exe	34
PID 2812 wrote to memory of 1796	2812	userinit.exe	34
PID 2812 wrote to memory of 1796	2812	userinit.exe	34
PID 2812 wrote to memory of 1796	2812	userinit.exe	34
PID 2812 wrote to memory of 984	2812	userinit.exe	35
PID 2812 wrote to memory of 984	2812	userinit.exe	35
PID 2812 wrote to memory of 984	2812	userinit.exe	35
PID 2812 wrote to memory of 984	2812	userinit.exe	35
PID 2812 wrote to memory of 1660	2812	userinit.exe	36
PID 2812 wrote to memory of 1660	2812	userinit.exe	36
PID 2812 wrote to memory of 1660	2812	userinit.exe	36
PID 2812 wrote to memory of 1660	2812	userinit.exe	36
PID 2812 wrote to memory of 2892	2812	userinit.exe	37
PID 2812 wrote to memory of 2892	2812	userinit.exe	37
PID 2812 wrote to memory of 2892	2812	userinit.exe	37
PID 2812 wrote to memory of 2892	2812	userinit.exe	37
PID 2812 wrote to memory of 1996	2812	userinit.exe	38
PID 2812 wrote to memory of 1996	2812	userinit.exe	38
PID 2812 wrote to memory of 1996	2812	userinit.exe	38
PID 2812 wrote to memory of 1996	2812	userinit.exe	38
PID 2812 wrote to memory of 1832	2812	userinit.exe	39
PID 2812 wrote to memory of 1832	2812	userinit.exe	39
PID 2812 wrote to memory of 1832	2812	userinit.exe	39
PID 2812 wrote to memory of 1832	2812	userinit.exe	39
PID 2812 wrote to memory of 1976	2812	userinit.exe	40
PID 2812 wrote to memory of 1976	2812	userinit.exe	40
PID 2812 wrote to memory of 1976	2812	userinit.exe	40
PID 2812 wrote to memory of 1976	2812	userinit.exe	40
PID 2812 wrote to memory of 892	2812	userinit.exe	41
PID 2812 wrote to memory of 892	2812	userinit.exe	41
PID 2812 wrote to memory of 892	2812	userinit.exe	41
PID 2812 wrote to memory of 892	2812	userinit.exe	41
PID 2812 wrote to memory of 1536	2812	userinit.exe	42
PID 2812 wrote to memory of 1536	2812	userinit.exe	42
PID 2812 wrote to memory of 1536	2812	userinit.exe	42
PID 2812 wrote to memory of 1536	2812	userinit.exe	42
PID 2812 wrote to memory of 1448	2812	userinit.exe	43
PID 2812 wrote to memory of 1448	2812	userinit.exe	43
PID 2812 wrote to memory of 1448	2812	userinit.exe	43
PID 2812 wrote to memory of 1448	2812	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\763ef796ee1af7d3217013c25a48f7fd.exe
"C:\Users\Admin\AppData\Local\Temp\763ef796ee1af7d3217013c25a48f7fd.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
192KB

MD5
9fbc09aaf74dac98adbb7a3da9818050

SHA1
6d2fc8587c9160632d6e6749276d3336b4a17195

SHA256
66fbc6c476f3698fcff2706b6dd3cdf3da10145d2b40543d8d952f017c9ed851

SHA512
b968441b5eb940250726a37ec38b16827ef86d751c2131204ed85cb60db74c16497186d847f0fafc5b109f8643b861e3fefc4e805bab882b162d05175188a730

Download Submit
C:\Windows\userinit.exe

Filesize
216KB

MD5
763ef796ee1af7d3217013c25a48f7fd

SHA1
5c7b2eac202d1642ac58a840f5de3b47c10012fa

SHA256
ca808d092ab91b9003b32560941a1a30f3c76cc427512ab3c4fb70efb62d4ba3

SHA512
b8750482fd3514a14377fdf71c902e5a774ceb2f97381a74414e1b520516ce2a63e6a8710345d416420b7b16c87fc5495a22f218f3465621eb30aeeabadd9310

Download Submit
memory/672-385-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/892-166-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/984-102-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1392-244-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1600-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-254-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1660-113-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1832-145-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1860-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1868-262-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1988-418-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2008-11-0x0000000000500000-0x0000000000536000-memory.dmp

Filesize
216KB

Download
memory/2032-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2244-330-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2284-472-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2316-233-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-490-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2352-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-208-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2364-210-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2384-338-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-45-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2444-34-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2520-322-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2564-69-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2572-365-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2596-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2612-80-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2616-410-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-371-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-486-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-343-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-536-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-352-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-353-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-361-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-363-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-65-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-527-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-372-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-380-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-30-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-383-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-391-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-399-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-218-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2812-431-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-460-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-468-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-206-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-477-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-478-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-53-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-98-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-495-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-503-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-518-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2812-519-0x00000000002A0000-0x00000000002D6000-memory.dmp

Filesize
216KB

Download
memory/2852-57-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2892-124-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download