41e5b9ead647fe7d753b46ce735813e53b302308e456f471fbd3b4f183025db7

Analysis

max time kernel
167s
max time network
134s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 02:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7f855c9f53a021551e7b43a9b87970.exe
Size

368KB
MD5

0b7f855c9f53a021551e7b43a9b87970
SHA1

168d5faef9fa91c5d0df1c430759ba02ec1caec8
SHA256

41e5b9ead647fe7d753b46ce735813e53b302308e456f471fbd3b4f183025db7
SHA512

f59b405055284f5aa8f142b4307aa27cac4675f75d60e80c21d6a26732b174998dd21aacbc1aa785b4a2daf7751d6740acf474f2d3a51d31a93401534e193429
SSDEEP

1536:kaxhd8R1Sl1TDL0QXlkae7oMEqLY7xicp+ZvaRhdsRxO25Qd:kaDT3L0QBMoeLAxpp+ZvajL2

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2792	userinit.exe
2868	system.exe
2808	system.exe
2616	system.exe
2060	system.exe
3012	system.exe
2904	system.exe
1800	system.exe
2924	system.exe
1560	system.exe
1704	system.exe
1412	system.exe
2400	system.exe
1496	system.exe
604	system.exe
1240	system.exe
1228	system.exe
1340	system.exe
1852	system.exe
2360	system.exe
2364	system.exe
1368	system.exe
1728	system.exe
1464	system.exe
2196	system.exe
2696	system.exe
2472	system.exe
2592	system.exe
2620	system.exe
2632	system.exe
2636	system.exe
2616	system.exe
2956	system.exe
2836	system.exe
2676	system.exe
2016	system.exe
2020	system.exe
2936	system.exe
320	system.exe
1976	system.exe
1288	system.exe
2180	system.exe
2556	system.exe
836	system.exe
2572	system.exe
436	system.exe
1392	system.exe
304	system.exe
2200	system.exe
1860	system.exe
1780	system.exe
2324	system.exe
1208	system.exe
3048	system.exe
1672	system.exe
2408	system.exe
1268	system.exe
1552	system.exe
2820	system.exe
2404	system.exe
2860	system.exe
2724	system.exe
2156	system.exe
2700	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe
2792	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	0b7f855c9f53a021551e7b43a9b87970.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	0b7f855c9f53a021551e7b43a9b87970.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2404	0b7f855c9f53a021551e7b43a9b87970.exe
2792	userinit.exe
2792	userinit.exe
2868	system.exe
2792	userinit.exe
2808	system.exe
2792	userinit.exe
2616	system.exe
2792	userinit.exe
2060	system.exe
2792	userinit.exe
3012	system.exe
2792	userinit.exe
2904	system.exe
2792	userinit.exe
1800	system.exe
2792	userinit.exe
2924	system.exe
2792	userinit.exe
1560	system.exe
2792	userinit.exe
1704	system.exe
2792	userinit.exe
1412	system.exe
2792	userinit.exe
2400	system.exe
2792	userinit.exe
1496	system.exe
2792	userinit.exe
604	system.exe
2792	userinit.exe
1240	system.exe
2792	userinit.exe
1228	system.exe
2792	userinit.exe
1340	system.exe
2792	userinit.exe
1852	system.exe
2792	userinit.exe
2360	system.exe
2792	userinit.exe
2364	system.exe
2792	userinit.exe
1368	system.exe
2792	userinit.exe
1728	system.exe
2792	userinit.exe
1464	system.exe
2792	userinit.exe
2196	system.exe
2792	userinit.exe
2696	system.exe
2792	userinit.exe
2472	system.exe
2792	userinit.exe
2592	system.exe
2792	userinit.exe
2620	system.exe
2792	userinit.exe
2632	system.exe
2792	userinit.exe
2636	system.exe
2792	userinit.exe
2616	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2404	0b7f855c9f53a021551e7b43a9b87970.exe
2404	0b7f855c9f53a021551e7b43a9b87970.exe
2792	userinit.exe
2792	userinit.exe
2868	system.exe
2868	system.exe
2808	system.exe
2808	system.exe
2616	system.exe
2616	system.exe
2060	system.exe
2060	system.exe
3012	system.exe
3012	system.exe
2904	system.exe
2904	system.exe
1800	system.exe
1800	system.exe
2924	system.exe
2924	system.exe
1560	system.exe
1560	system.exe
1704	system.exe
1704	system.exe
1412	system.exe
1412	system.exe
2400	system.exe
2400	system.exe
1496	system.exe
1496	system.exe
604	system.exe
604	system.exe
1240	system.exe
1240	system.exe
1228	system.exe
1228	system.exe
1340	system.exe
1340	system.exe
1852	system.exe
1852	system.exe
2360	system.exe
2360	system.exe
2364	system.exe
2364	system.exe
1368	system.exe
1368	system.exe
1728	system.exe
1728	system.exe
1464	system.exe
1464	system.exe
2196	system.exe
2196	system.exe
2696	system.exe
2696	system.exe
2472	system.exe
2472	system.exe
2592	system.exe
2592	system.exe
2620	system.exe
2620	system.exe
2632	system.exe
2632	system.exe
2636	system.exe
2636	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2792	2404	0b7f855c9f53a021551e7b43a9b87970.exe	27
PID 2404 wrote to memory of 2792	2404	0b7f855c9f53a021551e7b43a9b87970.exe	27
PID 2404 wrote to memory of 2792	2404	0b7f855c9f53a021551e7b43a9b87970.exe	27
PID 2404 wrote to memory of 2792	2404	0b7f855c9f53a021551e7b43a9b87970.exe	27
PID 2792 wrote to memory of 2868	2792	userinit.exe	28
PID 2792 wrote to memory of 2868	2792	userinit.exe	28
PID 2792 wrote to memory of 2868	2792	userinit.exe	28
PID 2792 wrote to memory of 2868	2792	userinit.exe	28
PID 2792 wrote to memory of 2808	2792	userinit.exe	29
PID 2792 wrote to memory of 2808	2792	userinit.exe	29
PID 2792 wrote to memory of 2808	2792	userinit.exe	29
PID 2792 wrote to memory of 2808	2792	userinit.exe	29
PID 2792 wrote to memory of 2616	2792	userinit.exe	30
PID 2792 wrote to memory of 2616	2792	userinit.exe	30
PID 2792 wrote to memory of 2616	2792	userinit.exe	30
PID 2792 wrote to memory of 2616	2792	userinit.exe	30
PID 2792 wrote to memory of 2060	2792	userinit.exe	31
PID 2792 wrote to memory of 2060	2792	userinit.exe	31
PID 2792 wrote to memory of 2060	2792	userinit.exe	31
PID 2792 wrote to memory of 2060	2792	userinit.exe	31
PID 2792 wrote to memory of 3012	2792	userinit.exe	32
PID 2792 wrote to memory of 3012	2792	userinit.exe	32
PID 2792 wrote to memory of 3012	2792	userinit.exe	32
PID 2792 wrote to memory of 3012	2792	userinit.exe	32
PID 2792 wrote to memory of 2904	2792	userinit.exe	33
PID 2792 wrote to memory of 2904	2792	userinit.exe	33
PID 2792 wrote to memory of 2904	2792	userinit.exe	33
PID 2792 wrote to memory of 2904	2792	userinit.exe	33
PID 2792 wrote to memory of 1800	2792	userinit.exe	36
PID 2792 wrote to memory of 1800	2792	userinit.exe	36
PID 2792 wrote to memory of 1800	2792	userinit.exe	36
PID 2792 wrote to memory of 1800	2792	userinit.exe	36
PID 2792 wrote to memory of 2924	2792	userinit.exe	37
PID 2792 wrote to memory of 2924	2792	userinit.exe	37
PID 2792 wrote to memory of 2924	2792	userinit.exe	37
PID 2792 wrote to memory of 2924	2792	userinit.exe	37
PID 2792 wrote to memory of 1560	2792	userinit.exe	38
PID 2792 wrote to memory of 1560	2792	userinit.exe	38
PID 2792 wrote to memory of 1560	2792	userinit.exe	38
PID 2792 wrote to memory of 1560	2792	userinit.exe	38
PID 2792 wrote to memory of 1704	2792	userinit.exe	39
PID 2792 wrote to memory of 1704	2792	userinit.exe	39
PID 2792 wrote to memory of 1704	2792	userinit.exe	39
PID 2792 wrote to memory of 1704	2792	userinit.exe	39
PID 2792 wrote to memory of 1412	2792	userinit.exe	40
PID 2792 wrote to memory of 1412	2792	userinit.exe	40
PID 2792 wrote to memory of 1412	2792	userinit.exe	40
PID 2792 wrote to memory of 1412	2792	userinit.exe	40
PID 2792 wrote to memory of 2400	2792	userinit.exe	41
PID 2792 wrote to memory of 2400	2792	userinit.exe	41
PID 2792 wrote to memory of 2400	2792	userinit.exe	41
PID 2792 wrote to memory of 2400	2792	userinit.exe	41
PID 2792 wrote to memory of 1496	2792	userinit.exe	42
PID 2792 wrote to memory of 1496	2792	userinit.exe	42
PID 2792 wrote to memory of 1496	2792	userinit.exe	42
PID 2792 wrote to memory of 1496	2792	userinit.exe	42
PID 2792 wrote to memory of 604	2792	userinit.exe	43
PID 2792 wrote to memory of 604	2792	userinit.exe	43
PID 2792 wrote to memory of 604	2792	userinit.exe	43
PID 2792 wrote to memory of 604	2792	userinit.exe	43
PID 2792 wrote to memory of 1240	2792	userinit.exe	44
PID 2792 wrote to memory of 1240	2792	userinit.exe	44
PID 2792 wrote to memory of 1240	2792	userinit.exe	44
PID 2792 wrote to memory of 1240	2792	userinit.exe	44

C:\Users\Admin\AppData\Local\Temp\0b7f855c9f53a021551e7b43a9b87970.exe
"C:\Users\Admin\AppData\Local\Temp\0b7f855c9f53a021551e7b43a9b87970.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
64KB

MD5
790a6bb06feacd11a3351fe2b3b7c277

SHA1
6aa0771a701368626309329b9b51912e05f02784

SHA256
21bb014f1f5c0f36f8a5eb605984a115776765f52e7744b321f41a8d55ec4076

SHA512
f940746f2abef4a1e6a317d3b8135d3b8d0e6a24393dc6865222fb4b40980b6a1a608368664bb5c3ab9e2c3b8b12655070e7227ea010bce6477ea4cc2f24b0f4

Download Submit
C:\Windows\userinit.exe

Filesize
368KB

MD5
0b7f855c9f53a021551e7b43a9b87970

SHA1
168d5faef9fa91c5d0df1c430759ba02ec1caec8

SHA256
41e5b9ead647fe7d753b46ce735813e53b302308e456f471fbd3b4f183025db7

SHA512
f59b405055284f5aa8f142b4307aa27cac4675f75d60e80c21d6a26732b174998dd21aacbc1aa785b4a2daf7751d6740acf474f2d3a51d31a93401534e193429

Download Submit
\Windows\SysWOW64\system.exe

Filesize
99KB

MD5
fc8fbf1edf8b9a6176925398c5942103

SHA1
ba8076fec5c1e452b37e3fe1e46dd8c03bdcd696

SHA256
858308adae079555a7e5a29fd2e8008edd980500ec4ad62c1665b5437df9d0fc

SHA512
8b37cb93b4088b65370579273bf501b5b1c0698308e9c2873e2b67becc9e31af50524fc4cba2dd2fc0e9b57c0da9af5b857058f6093755529386e8b32eda35ab

Download Submit
memory/1228-200-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1240-189-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1340-211-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1368-253-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1464-271-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1560-125-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1704-136-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1800-102-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2060-66-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2364-242-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2400-158-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2404-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2404-11-0x0000000000610000-0x0000000000667000-memory.dmp

Filesize
348KB

Download
memory/2404-17-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2472-300-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2592-310-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2616-55-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2620-319-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2632-330-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2636-339-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2696-290-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2792-260-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-315-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-120-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-399-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-249-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-97-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-258-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-392-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-267-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-390-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-274-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-277-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-285-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-286-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-73-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-295-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-297-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-75-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-306-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-305-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-382-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-144-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-317-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-381-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-325-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-326-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-29-0x00000000027B0000-0x0000000002807000-memory.dmp

Filesize
348KB

Download
memory/2792-336-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-13-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2792-337-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-346-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-345-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-355-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-356-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-363-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-364-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-372-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2792-373-0x00000000027F0000-0x0000000002847000-memory.dmp

Filesize
348KB

Download
memory/2808-44-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2868-33-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2904-90-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2924-113-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3012-79-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download