b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081

Analysis

max time kernel
150s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
13/01/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5905dc411bf712fc10533d5cd28c8f91.exe
Size

80KB
MD5

5905dc411bf712fc10533d5cd28c8f91
SHA1

2ae1d5245f719a442c37e56e10e221eb2b451c48
SHA256

b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081
SHA512

52f1fde1f4730caf1cba81e116360ef2585952dca433427ef6ce149adbfec4994c03843d919244263561b99d8d7ea7c8e78a1c0d33e02af1f8159ccf664d4db0
SSDEEP

1536:sdBwRl7XqChS8Kr8Pypmr1zvaRhdsRJp7:sdGRJfHKA6pKDajip7

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2436	userinit.exe
2844	system.exe
2836	system.exe
2276	system.exe
2592	system.exe
2292	system.exe
2952	system.exe
3036	system.exe
2804	system.exe
2196	system.exe
2908	system.exe
2996	system.exe
1468	system.exe
480	system.exe
2552	system.exe
2128	system.exe
1708	system.exe
1488	system.exe
2372	system.exe
1796	system.exe
1832	system.exe
1224	system.exe
1588	system.exe
1460	system.exe
1756	system.exe
1968	system.exe
2368	system.exe
2860	system.exe
2716	system.exe
1532	system.exe
3032	system.exe
1132	system.exe
2656	system.exe
2236	system.exe
2816	system.exe
3040	system.exe
2620	system.exe
2792	system.exe
2908	system.exe
2948	system.exe
280	system.exe
1400	system.exe
1480	system.exe
2080	system.exe
2176	system.exe
2128	system.exe
1772	system.exe
2400	system.exe
1244	system.exe
2028	system.exe
1992	system.exe
1392	system.exe
1224	system.exe
1588	system.exe
2456	system.exe
1752	system.exe
2520	system.exe
2428	system.exe
1052	system.exe
2708	system.exe
2700	system.exe
3032	system.exe
2516	system.exe
2592	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe
2436	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	5905dc411bf712fc10533d5cd28c8f91.exe
File opened for modification	C:\Windows\userinit.exe	5905dc411bf712fc10533d5cd28c8f91.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1964	5905dc411bf712fc10533d5cd28c8f91.exe
2436	userinit.exe
2436	userinit.exe
2844	system.exe
2436	userinit.exe
2836	system.exe
2436	userinit.exe
2276	system.exe
2436	userinit.exe
2592	system.exe
2436	userinit.exe
2292	system.exe
2436	userinit.exe
2952	system.exe
2436	userinit.exe
3036	system.exe
2436	userinit.exe
2804	system.exe
2436	userinit.exe
2196	system.exe
2436	userinit.exe
2908	system.exe
2436	userinit.exe
2996	system.exe
2436	userinit.exe
1468	system.exe
2436	userinit.exe
480	system.exe
2436	userinit.exe
2552	system.exe
2436	userinit.exe
2128	system.exe
2436	userinit.exe
1708	system.exe
2436	userinit.exe
1488	system.exe
2436	userinit.exe
2372	system.exe
2436	userinit.exe
1796	system.exe
2436	userinit.exe
1832	system.exe
2436	userinit.exe
1224	system.exe
2436	userinit.exe
1588	system.exe
2436	userinit.exe
1460	system.exe
2436	userinit.exe
1756	system.exe
2436	userinit.exe
2436	userinit.exe
2368	system.exe
2436	userinit.exe
2860	system.exe
2436	userinit.exe
2716	system.exe
2436	userinit.exe
1532	system.exe
2436	userinit.exe
3032	system.exe
2436	userinit.exe
1132	system.exe
2436	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2436	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1964	5905dc411bf712fc10533d5cd28c8f91.exe
1964	5905dc411bf712fc10533d5cd28c8f91.exe
2436	userinit.exe
2436	userinit.exe
2844	system.exe
2844	system.exe
2836	system.exe
2836	system.exe
2276	system.exe
2276	system.exe
2592	system.exe
2592	system.exe
2292	system.exe
2292	system.exe
2952	system.exe
2952	system.exe
3036	system.exe
3036	system.exe
2804	system.exe
2804	system.exe
2196	system.exe
2196	system.exe
2908	system.exe
2908	system.exe
2996	system.exe
2996	system.exe
1468	system.exe
1468	system.exe
480	system.exe
480	system.exe
2552	system.exe
2552	system.exe
2128	system.exe
2128	system.exe
1708	system.exe
1708	system.exe
1488	system.exe
1488	system.exe
2372	system.exe
2372	system.exe
1796	system.exe
1796	system.exe
1832	system.exe
1832	system.exe
1224	system.exe
1224	system.exe
1588	system.exe
1588	system.exe
1460	system.exe
1460	system.exe
1756	system.exe
1756	system.exe
2368	system.exe
2368	system.exe
2860	system.exe
2860	system.exe
2716	system.exe
2716	system.exe
1532	system.exe
1532	system.exe
3032	system.exe
3032	system.exe
1132	system.exe
1132	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2436	1964	5905dc411bf712fc10533d5cd28c8f91.exe	28
PID 1964 wrote to memory of 2436	1964	5905dc411bf712fc10533d5cd28c8f91.exe	28
PID 1964 wrote to memory of 2436	1964	5905dc411bf712fc10533d5cd28c8f91.exe	28
PID 1964 wrote to memory of 2436	1964	5905dc411bf712fc10533d5cd28c8f91.exe	28
PID 2436 wrote to memory of 2844	2436	userinit.exe	29
PID 2436 wrote to memory of 2844	2436	userinit.exe	29
PID 2436 wrote to memory of 2844	2436	userinit.exe	29
PID 2436 wrote to memory of 2844	2436	userinit.exe	29
PID 2436 wrote to memory of 2836	2436	userinit.exe	30
PID 2436 wrote to memory of 2836	2436	userinit.exe	30
PID 2436 wrote to memory of 2836	2436	userinit.exe	30
PID 2436 wrote to memory of 2836	2436	userinit.exe	30
PID 2436 wrote to memory of 2276	2436	userinit.exe	31
PID 2436 wrote to memory of 2276	2436	userinit.exe	31
PID 2436 wrote to memory of 2276	2436	userinit.exe	31
PID 2436 wrote to memory of 2276	2436	userinit.exe	31
PID 2436 wrote to memory of 2592	2436	userinit.exe	32
PID 2436 wrote to memory of 2592	2436	userinit.exe	32
PID 2436 wrote to memory of 2592	2436	userinit.exe	32
PID 2436 wrote to memory of 2592	2436	userinit.exe	32
PID 2436 wrote to memory of 2292	2436	userinit.exe	33
PID 2436 wrote to memory of 2292	2436	userinit.exe	33
PID 2436 wrote to memory of 2292	2436	userinit.exe	33
PID 2436 wrote to memory of 2292	2436	userinit.exe	33
PID 2436 wrote to memory of 2952	2436	userinit.exe	34
PID 2436 wrote to memory of 2952	2436	userinit.exe	34
PID 2436 wrote to memory of 2952	2436	userinit.exe	34
PID 2436 wrote to memory of 2952	2436	userinit.exe	34
PID 2436 wrote to memory of 3036	2436	userinit.exe	35
PID 2436 wrote to memory of 3036	2436	userinit.exe	35
PID 2436 wrote to memory of 3036	2436	userinit.exe	35
PID 2436 wrote to memory of 3036	2436	userinit.exe	35
PID 2436 wrote to memory of 2804	2436	userinit.exe	36
PID 2436 wrote to memory of 2804	2436	userinit.exe	36
PID 2436 wrote to memory of 2804	2436	userinit.exe	36
PID 2436 wrote to memory of 2804	2436	userinit.exe	36
PID 2436 wrote to memory of 2196	2436	userinit.exe	37
PID 2436 wrote to memory of 2196	2436	userinit.exe	37
PID 2436 wrote to memory of 2196	2436	userinit.exe	37
PID 2436 wrote to memory of 2196	2436	userinit.exe	37
PID 2436 wrote to memory of 2908	2436	userinit.exe	38
PID 2436 wrote to memory of 2908	2436	userinit.exe	38
PID 2436 wrote to memory of 2908	2436	userinit.exe	38
PID 2436 wrote to memory of 2908	2436	userinit.exe	38
PID 2436 wrote to memory of 2996	2436	userinit.exe	39
PID 2436 wrote to memory of 2996	2436	userinit.exe	39
PID 2436 wrote to memory of 2996	2436	userinit.exe	39
PID 2436 wrote to memory of 2996	2436	userinit.exe	39
PID 2436 wrote to memory of 1468	2436	userinit.exe	40
PID 2436 wrote to memory of 1468	2436	userinit.exe	40
PID 2436 wrote to memory of 1468	2436	userinit.exe	40
PID 2436 wrote to memory of 1468	2436	userinit.exe	40
PID 2436 wrote to memory of 480	2436	userinit.exe	41
PID 2436 wrote to memory of 480	2436	userinit.exe	41
PID 2436 wrote to memory of 480	2436	userinit.exe	41
PID 2436 wrote to memory of 480	2436	userinit.exe	41
PID 2436 wrote to memory of 2552	2436	userinit.exe	42
PID 2436 wrote to memory of 2552	2436	userinit.exe	42
PID 2436 wrote to memory of 2552	2436	userinit.exe	42
PID 2436 wrote to memory of 2552	2436	userinit.exe	42
PID 2436 wrote to memory of 2128	2436	userinit.exe	43
PID 2436 wrote to memory of 2128	2436	userinit.exe	43
PID 2436 wrote to memory of 2128	2436	userinit.exe	43
PID 2436 wrote to memory of 2128	2436	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\5905dc411bf712fc10533d5cd28c8f91.exe
"C:\Users\Admin\AppData\Local\Temp\5905dc411bf712fc10533d5cd28c8f91.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1832
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1380
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2404
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
5905dc411bf712fc10533d5cd28c8f91

SHA1
2ae1d5245f719a442c37e56e10e221eb2b451c48

SHA256
b5c42bf68946de94cb58bb9e74baa78c5e10f9b3e39545bac75f4ed0ff4fd081

SHA512
52f1fde1f4730caf1cba81e116360ef2585952dca433427ef6ce149adbfec4994c03843d919244263561b99d8d7ea7c8e78a1c0d33e02af1f8159ccf664d4db0

Download Submit
memory/480-182-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1132-373-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1224-278-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1224-574-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1460-296-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1468-167-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1480-480-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1532-349-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1752-603-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-305-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1756-301-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1964-19-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1964-13-0x0000000000290000-0x00000000002CC000-memory.dmp

Filesize
240KB

Download
memory/1968-310-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/1968-311-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2128-203-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2196-132-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2196-135-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2236-393-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-56-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2276-60-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-85-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2292-81-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2372-244-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2372-242-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-408-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-378-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-154-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-15-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-31-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-129-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2436-531-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-522-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-201-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-214-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-239-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-117-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-521-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-250-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-263-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-513-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-283-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-292-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-105-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-511-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-92-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-485-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-476-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-320-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-459-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-450-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-449-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-68-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-358-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-431-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-432-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-368-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-369-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-422-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-419-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-380-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-388-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-389-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-409-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-398-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2436-399-0x0000000000270000-0x00000000002AC000-memory.dmp

Filesize
240KB

Download
memory/2552-190-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2592-70-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2592-73-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-424-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2620-426-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-339-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2716-341-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2792-436-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-122-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2804-119-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2816-403-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-48-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2836-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-36-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2844-32-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2860-331-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2908-143-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2908-444-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2908-147-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2948-454-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2952-97-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2996-159-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3032-360-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/3032-363-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3036-109-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/3040-410-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download