4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0

Analysis

max time kernel
150s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
02-01-2024 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e1686574d7d218527e8990c8c474a64.exe
Size

244KB
MD5

7e1686574d7d218527e8990c8c474a64
SHA1

07fa7d34653172e6c6b00c038f57c038abd6c6ff
SHA256

4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0
SHA512

63afbc023869da1c3b3b988f3b5e972bb25c2038dd9ce3e54efb335dd71c517e0e6555edc7c3b4987b28890cf415b19d1d8308daf18aa80f338b0663bab850a2
SSDEEP

1536:wvf1zwQVgdYYuAXyeHl0BTFXEqkEgOUXhQp1of1zwQVgvKa60+:wn1zwLyYuAXyeaTFbkEg1Qp1o1zwLvK

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2332	userinit.exe
2804	system.exe
2796	system.exe
2164	system.exe
2584	system.exe
3028	system.exe
1960	system.exe
1100	system.exe
564	system.exe
476	system.exe
1932	system.exe
632	system.exe
884	system.exe
1676	system.exe
2212	system.exe
2372	system.exe
2488	system.exe
2116	system.exe
3064	system.exe
2528	system.exe
1420	system.exe
2132	system.exe
1836	system.exe
2036	system.exe
2192	system.exe
1996	system.exe
1248	system.exe
320	system.exe
1632	system.exe
2924	system.exe
2700	system.exe
2864	system.exe
2856	system.exe
2096	system.exe
2632	system.exe
1704	system.exe
1840	system.exe
2888	system.exe
1912	system.exe
2556	system.exe
2016	system.exe
1284	system.exe
880	system.exe
1004	system.exe
1108	system.exe
312	system.exe
1780	system.exe
3044	system.exe
840	system.exe
1652	system.exe
2276	system.exe
1888	system.exe
1420	system.exe
1828	system.exe
560	system.exe
612	system.exe
2904	system.exe
900	system.exe
2944	system.exe
2736	system.exe
2720	system.exe
2696	system.exe
2200	system.exe
2644	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe
2332	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	7e1686574d7d218527e8990c8c474a64.exe
File opened for modification	C:\Windows\userinit.exe	7e1686574d7d218527e8990c8c474a64.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1152	7e1686574d7d218527e8990c8c474a64.exe
2332	userinit.exe
2332	userinit.exe
2804	system.exe
2332	userinit.exe
2796	system.exe
2332	userinit.exe
2164	system.exe
2332	userinit.exe
2584	system.exe
2332	userinit.exe
3028	system.exe
2332	userinit.exe
1960	system.exe
2332	userinit.exe
1100	system.exe
2332	userinit.exe
564	system.exe
2332	userinit.exe
476	system.exe
2332	userinit.exe
1932	system.exe
2332	userinit.exe
632	system.exe
2332	userinit.exe
884	system.exe
2332	userinit.exe
1676	system.exe
2332	userinit.exe
2212	system.exe
2332	userinit.exe
2372	system.exe
2332	userinit.exe
2488	system.exe
2332	userinit.exe
2116	system.exe
2332	userinit.exe
3064	system.exe
2332	userinit.exe
2528	system.exe
2332	userinit.exe
1420	system.exe
2332	userinit.exe
2132	system.exe
2332	userinit.exe
1836	system.exe
2332	userinit.exe
2036	system.exe
2332	userinit.exe
2192	system.exe
2332	userinit.exe
1996	system.exe
2332	userinit.exe
1248	system.exe
2332	userinit.exe
320	system.exe
2332	userinit.exe
1632	system.exe
2332	userinit.exe
2924	system.exe
2332	userinit.exe
2700	system.exe
2332	userinit.exe
2864	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2332	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1152	7e1686574d7d218527e8990c8c474a64.exe
1152	7e1686574d7d218527e8990c8c474a64.exe
2332	userinit.exe
2332	userinit.exe
2804	system.exe
2804	system.exe
2796	system.exe
2796	system.exe
2164	system.exe
2164	system.exe
2584	system.exe
2584	system.exe
3028	system.exe
3028	system.exe
1960	system.exe
1960	system.exe
1100	system.exe
1100	system.exe
564	system.exe
564	system.exe
476	system.exe
476	system.exe
1932	system.exe
1932	system.exe
632	system.exe
632	system.exe
884	system.exe
884	system.exe
1676	system.exe
1676	system.exe
2212	system.exe
2212	system.exe
2372	system.exe
2372	system.exe
2488	system.exe
2488	system.exe
2116	system.exe
2116	system.exe
3064	system.exe
3064	system.exe
2528	system.exe
2528	system.exe
1420	system.exe
1420	system.exe
2132	system.exe
2132	system.exe
1836	system.exe
1836	system.exe
2036	system.exe
2036	system.exe
2192	system.exe
2192	system.exe
1996	system.exe
1996	system.exe
1248	system.exe
1248	system.exe
320	system.exe
320	system.exe
1632	system.exe
1632	system.exe
2924	system.exe
2924	system.exe
2700	system.exe
2700	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2332	1152	7e1686574d7d218527e8990c8c474a64.exe	28
PID 1152 wrote to memory of 2332	1152	7e1686574d7d218527e8990c8c474a64.exe	28
PID 1152 wrote to memory of 2332	1152	7e1686574d7d218527e8990c8c474a64.exe	28
PID 1152 wrote to memory of 2332	1152	7e1686574d7d218527e8990c8c474a64.exe	28
PID 2332 wrote to memory of 2804	2332	userinit.exe	29
PID 2332 wrote to memory of 2804	2332	userinit.exe	29
PID 2332 wrote to memory of 2804	2332	userinit.exe	29
PID 2332 wrote to memory of 2804	2332	userinit.exe	29
PID 2332 wrote to memory of 2796	2332	userinit.exe	30
PID 2332 wrote to memory of 2796	2332	userinit.exe	30
PID 2332 wrote to memory of 2796	2332	userinit.exe	30
PID 2332 wrote to memory of 2796	2332	userinit.exe	30
PID 2332 wrote to memory of 2164	2332	userinit.exe	31
PID 2332 wrote to memory of 2164	2332	userinit.exe	31
PID 2332 wrote to memory of 2164	2332	userinit.exe	31
PID 2332 wrote to memory of 2164	2332	userinit.exe	31
PID 2332 wrote to memory of 2584	2332	userinit.exe	32
PID 2332 wrote to memory of 2584	2332	userinit.exe	32
PID 2332 wrote to memory of 2584	2332	userinit.exe	32
PID 2332 wrote to memory of 2584	2332	userinit.exe	32
PID 2332 wrote to memory of 3028	2332	userinit.exe	33
PID 2332 wrote to memory of 3028	2332	userinit.exe	33
PID 2332 wrote to memory of 3028	2332	userinit.exe	33
PID 2332 wrote to memory of 3028	2332	userinit.exe	33
PID 2332 wrote to memory of 1960	2332	userinit.exe	34
PID 2332 wrote to memory of 1960	2332	userinit.exe	34
PID 2332 wrote to memory of 1960	2332	userinit.exe	34
PID 2332 wrote to memory of 1960	2332	userinit.exe	34
PID 2332 wrote to memory of 1100	2332	userinit.exe	35
PID 2332 wrote to memory of 1100	2332	userinit.exe	35
PID 2332 wrote to memory of 1100	2332	userinit.exe	35
PID 2332 wrote to memory of 1100	2332	userinit.exe	35
PID 2332 wrote to memory of 564	2332	userinit.exe	36
PID 2332 wrote to memory of 564	2332	userinit.exe	36
PID 2332 wrote to memory of 564	2332	userinit.exe	36
PID 2332 wrote to memory of 564	2332	userinit.exe	36
PID 2332 wrote to memory of 476	2332	userinit.exe	37
PID 2332 wrote to memory of 476	2332	userinit.exe	37
PID 2332 wrote to memory of 476	2332	userinit.exe	37
PID 2332 wrote to memory of 476	2332	userinit.exe	37
PID 2332 wrote to memory of 1932	2332	userinit.exe	38
PID 2332 wrote to memory of 1932	2332	userinit.exe	38
PID 2332 wrote to memory of 1932	2332	userinit.exe	38
PID 2332 wrote to memory of 1932	2332	userinit.exe	38
PID 2332 wrote to memory of 632	2332	userinit.exe	39
PID 2332 wrote to memory of 632	2332	userinit.exe	39
PID 2332 wrote to memory of 632	2332	userinit.exe	39
PID 2332 wrote to memory of 632	2332	userinit.exe	39
PID 2332 wrote to memory of 884	2332	userinit.exe	40
PID 2332 wrote to memory of 884	2332	userinit.exe	40
PID 2332 wrote to memory of 884	2332	userinit.exe	40
PID 2332 wrote to memory of 884	2332	userinit.exe	40
PID 2332 wrote to memory of 1676	2332	userinit.exe	41
PID 2332 wrote to memory of 1676	2332	userinit.exe	41
PID 2332 wrote to memory of 1676	2332	userinit.exe	41
PID 2332 wrote to memory of 1676	2332	userinit.exe	41
PID 2332 wrote to memory of 2212	2332	userinit.exe	42
PID 2332 wrote to memory of 2212	2332	userinit.exe	42
PID 2332 wrote to memory of 2212	2332	userinit.exe	42
PID 2332 wrote to memory of 2212	2332	userinit.exe	42
PID 2332 wrote to memory of 2372	2332	userinit.exe	43
PID 2332 wrote to memory of 2372	2332	userinit.exe	43
PID 2332 wrote to memory of 2372	2332	userinit.exe	43
PID 2332 wrote to memory of 2372	2332	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\7e1686574d7d218527e8990c8c474a64.exe
"C:\Users\Admin\AppData\Local\Temp\7e1686574d7d218527e8990c8c474a64.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
244KB

MD5
7e1686574d7d218527e8990c8c474a64

SHA1
07fa7d34653172e6c6b00c038f57c038abd6c6ff

SHA256
4833ceaa1bf82dde9757312b26f0ad596873e2361de203e2cf5d20ef4ef870e0

SHA512
63afbc023869da1c3b3b988f3b5e972bb25c2038dd9ce3e54efb335dd71c517e0e6555edc7c3b4987b28890cf415b19d1d8308daf18aa80f338b0663bab850a2

Download Submit
\Windows\SysWOW64\system.exe

Filesize
85KB

MD5
22adceebb276f8304638f036eb0ac783

SHA1
fe5b71b03583730eb20b5ce474d14289d06fc2a8

SHA256
ac333b8d05caccf8237cb0f02816ec04a7cb0e69ad2fbc5005876cbe5403b267

SHA512
e355d92870e28865d3cdd5bcd348e0e9c1cffb38a428aa05c8d3a1d8244396a967a99470e51f4251fef5e42f396d5407f85ac4b2cb1b6a6d61a0f65b101a507a

Download Submit
memory/564-112-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/632-144-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/880-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-444-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1100-101-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1152-12-0x0000000000290000-0x00000000002CD000-memory.dmp

Filesize
244KB

Download
memory/1152-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1152-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1248-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1284-425-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1420-237-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1840-373-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1840-375-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-393-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1912-395-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1932-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1960-90-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2016-415-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2016-413-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-346-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2096-344-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2116-206-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2132-247-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2164-55-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-269-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2332-341-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-380-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2332-331-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-332-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-442-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-321-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-342-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-312-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-311-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-351-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-352-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-360-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-361-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-369-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-371-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-440-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-432-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-381-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-320-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-389-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-391-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-430-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-421-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-401-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-400-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-409-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-411-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-64-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-63-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2332-420-0x0000000000330000-0x000000000036D000-memory.dmp

Filesize
244KB

Download
memory/2372-185-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-68-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2796-44-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2804-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-334-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2864-325-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2924-306-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3028-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download