2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82

Analysis

max time kernel
151s
max time network
126s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 02:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

738919a12ecfe3b6eaae65a7d600fc9a.exe
Size

73KB
MD5

738919a12ecfe3b6eaae65a7d600fc9a
SHA1

04f8d380c2c1040429438ecd10b1fea3f3fcdb92
SHA256

2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82
SHA512

b9fa077caa7b1b198d71244cd6df5d5ec874af4f61297def58753d7fca3eb422654aec8c23684e1af94f10c5b429018f1974e705465f943026287654bb741717
SSDEEP

1536:k7Qx7w3JD+bXqE/LWJU0Uv+aRhdsR13l:hx7wZsxYU0Uv+ajm3l

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2368	userinit.exe
2756	system.exe
2820	system.exe
2652	system.exe
2668	system.exe
2284	system.exe
1784	system.exe
2636	system.exe
1060	system.exe
1068	system.exe
1788	system.exe
580	system.exe
1684	system.exe
1480	system.exe
2392	system.exe
3044	system.exe
2248	system.exe
908	system.exe
2548	system.exe
288	system.exe
868	system.exe
568	system.exe
2080	system.exe
976	system.exe
2164	system.exe
1968	system.exe
2908	system.exe
2120	system.exe
3012	system.exe
2732	system.exe
2632	system.exe
3008	system.exe
2848	system.exe
1640	system.exe
2988	system.exe
1844	system.exe
1612	system.exe
2636	system.exe
1984	system.exe
1956	system.exe
668	system.exe
656	system.exe
1628	system.exe
1584	system.exe
2516	system.exe
2408	system.exe
2404	system.exe
1928	system.exe
828	system.exe
1132	system.exe
1340	system.exe
940	system.exe
1872	system.exe
936	system.exe
2112	system.exe
2136	system.exe
1484	system.exe
2164	system.exe
1968	system.exe
2904	system.exe
2120	system.exe
2868	system.exe
2852	system.exe
2764	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe
2368	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	738919a12ecfe3b6eaae65a7d600fc9a.exe
File opened for modification	C:\Windows\userinit.exe	738919a12ecfe3b6eaae65a7d600fc9a.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2984	738919a12ecfe3b6eaae65a7d600fc9a.exe
2368	userinit.exe
2368	userinit.exe
2756	system.exe
2368	userinit.exe
2820	system.exe
2368	userinit.exe
2652	system.exe
2368	userinit.exe
2668	system.exe
2368	userinit.exe
2284	system.exe
2368	userinit.exe
1784	system.exe
2368	userinit.exe
2636	system.exe
2368	userinit.exe
1060	system.exe
2368	userinit.exe
1068	system.exe
2368	userinit.exe
1788	system.exe
2368	userinit.exe
580	system.exe
2368	userinit.exe
1684	system.exe
2368	userinit.exe
1480	system.exe
2368	userinit.exe
2392	system.exe
2368	userinit.exe
3044	system.exe
2368	userinit.exe
2248	system.exe
2368	userinit.exe
908	system.exe
2368	userinit.exe
2548	system.exe
2368	userinit.exe
288	system.exe
2368	userinit.exe
868	system.exe
2368	userinit.exe
568	system.exe
2368	userinit.exe
2080	system.exe
2368	userinit.exe
976	system.exe
2368	userinit.exe
2164	system.exe
2368	userinit.exe
1968	system.exe
2368	userinit.exe
2908	system.exe
2368	userinit.exe
2120	system.exe
2368	userinit.exe
3012	system.exe
2368	userinit.exe
2732	system.exe
2368	userinit.exe
2632	system.exe
2368	userinit.exe
3008	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2368	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2984	738919a12ecfe3b6eaae65a7d600fc9a.exe
2984	738919a12ecfe3b6eaae65a7d600fc9a.exe
2368	userinit.exe
2368	userinit.exe
2756	system.exe
2756	system.exe
2820	system.exe
2820	system.exe
2652	system.exe
2652	system.exe
2668	system.exe
2668	system.exe
2284	system.exe
2284	system.exe
1784	system.exe
1784	system.exe
2636	system.exe
2636	system.exe
1060	system.exe
1060	system.exe
1068	system.exe
1068	system.exe
1788	system.exe
1788	system.exe
580	system.exe
580	system.exe
1684	system.exe
1684	system.exe
1480	system.exe
1480	system.exe
2392	system.exe
2392	system.exe
3044	system.exe
3044	system.exe
2248	system.exe
2248	system.exe
908	system.exe
908	system.exe
2548	system.exe
2548	system.exe
288	system.exe
288	system.exe
868	system.exe
868	system.exe
568	system.exe
568	system.exe
2080	system.exe
2080	system.exe
976	system.exe
976	system.exe
2164	system.exe
2164	system.exe
1968	system.exe
1968	system.exe
2908	system.exe
2908	system.exe
2120	system.exe
2120	system.exe
3012	system.exe
3012	system.exe
2732	system.exe
2732	system.exe
2632	system.exe
2632	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2368	2984	738919a12ecfe3b6eaae65a7d600fc9a.exe	3
PID 2984 wrote to memory of 2368	2984	738919a12ecfe3b6eaae65a7d600fc9a.exe	3
PID 2984 wrote to memory of 2368	2984	738919a12ecfe3b6eaae65a7d600fc9a.exe	3
PID 2984 wrote to memory of 2368	2984	738919a12ecfe3b6eaae65a7d600fc9a.exe	3
PID 2368 wrote to memory of 2756	2368	userinit.exe	2
PID 2368 wrote to memory of 2756	2368	userinit.exe	2
PID 2368 wrote to memory of 2756	2368	userinit.exe	2
PID 2368 wrote to memory of 2756	2368	userinit.exe	2
PID 2368 wrote to memory of 2820	2368	userinit.exe	1
PID 2368 wrote to memory of 2820	2368	userinit.exe	1
PID 2368 wrote to memory of 2820	2368	userinit.exe	1
PID 2368 wrote to memory of 2820	2368	userinit.exe	1
PID 2368 wrote to memory of 2652	2368	userinit.exe	31
PID 2368 wrote to memory of 2652	2368	userinit.exe	31
PID 2368 wrote to memory of 2652	2368	userinit.exe	31
PID 2368 wrote to memory of 2652	2368	userinit.exe	31
PID 2368 wrote to memory of 2668	2368	userinit.exe	32
PID 2368 wrote to memory of 2668	2368	userinit.exe	32
PID 2368 wrote to memory of 2668	2368	userinit.exe	32
PID 2368 wrote to memory of 2668	2368	userinit.exe	32
PID 2368 wrote to memory of 2284	2368	userinit.exe	33
PID 2368 wrote to memory of 2284	2368	userinit.exe	33
PID 2368 wrote to memory of 2284	2368	userinit.exe	33
PID 2368 wrote to memory of 2284	2368	userinit.exe	33
PID 2368 wrote to memory of 1784	2368	userinit.exe	34
PID 2368 wrote to memory of 1784	2368	userinit.exe	34
PID 2368 wrote to memory of 1784	2368	userinit.exe	34
PID 2368 wrote to memory of 1784	2368	userinit.exe	34
PID 2368 wrote to memory of 2636	2368	userinit.exe	35
PID 2368 wrote to memory of 2636	2368	userinit.exe	35
PID 2368 wrote to memory of 2636	2368	userinit.exe	35
PID 2368 wrote to memory of 2636	2368	userinit.exe	35
PID 2368 wrote to memory of 1060	2368	userinit.exe	36
PID 2368 wrote to memory of 1060	2368	userinit.exe	36
PID 2368 wrote to memory of 1060	2368	userinit.exe	36
PID 2368 wrote to memory of 1060	2368	userinit.exe	36
PID 2368 wrote to memory of 1068	2368	userinit.exe	37
PID 2368 wrote to memory of 1068	2368	userinit.exe	37
PID 2368 wrote to memory of 1068	2368	userinit.exe	37
PID 2368 wrote to memory of 1068	2368	userinit.exe	37
PID 2368 wrote to memory of 1788	2368	userinit.exe	38
PID 2368 wrote to memory of 1788	2368	userinit.exe	38
PID 2368 wrote to memory of 1788	2368	userinit.exe	38
PID 2368 wrote to memory of 1788	2368	userinit.exe	38
PID 2368 wrote to memory of 580	2368	userinit.exe	39
PID 2368 wrote to memory of 580	2368	userinit.exe	39
PID 2368 wrote to memory of 580	2368	userinit.exe	39
PID 2368 wrote to memory of 580	2368	userinit.exe	39
PID 2368 wrote to memory of 1684	2368	userinit.exe	40
PID 2368 wrote to memory of 1684	2368	userinit.exe	40
PID 2368 wrote to memory of 1684	2368	userinit.exe	40
PID 2368 wrote to memory of 1684	2368	userinit.exe	40
PID 2368 wrote to memory of 1480	2368	userinit.exe	41
PID 2368 wrote to memory of 1480	2368	userinit.exe	41
PID 2368 wrote to memory of 1480	2368	userinit.exe	41
PID 2368 wrote to memory of 1480	2368	userinit.exe	41
PID 2368 wrote to memory of 2392	2368	userinit.exe	42
PID 2368 wrote to memory of 2392	2368	userinit.exe	42
PID 2368 wrote to memory of 2392	2368	userinit.exe	42
PID 2368 wrote to memory of 2392	2368	userinit.exe	42
PID 2368 wrote to memory of 3044	2368	userinit.exe	43
PID 2368 wrote to memory of 3044	2368	userinit.exe	43
PID 2368 wrote to memory of 3044	2368	userinit.exe	43
PID 2368 wrote to memory of 3044	2368	userinit.exe	43

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2820

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2756

C:\Windows\userinit.exe
C:\Windows\userinit.exe
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2652
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2668
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2284
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1784
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2636
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1060
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1788
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:580
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2392
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3044
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2248
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:908
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:288
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:568
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2080
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:976
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2164
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3012
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2732
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:3008
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1640
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1612
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:656
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1628
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2516
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1132
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:936
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2136
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2640
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2648
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1964
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1764
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1312
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:328
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1188
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2032
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2924
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:764
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1628
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2400
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1648
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2656
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3044
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2248
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2452
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2504
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1376
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1864
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1872
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1760
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3052
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2324
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1348
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:884
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1604
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2744
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2836
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2704
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2896
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2736
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2592
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2640
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2672
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1704
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1960
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1224
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1828
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1940
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1068
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1064
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1368
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1476
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2524
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1680
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2416
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2668
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2292
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1852
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2472
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2448
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:824
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1100
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1756
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1520
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:856
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2240
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:888
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2956
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2276
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:1608
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2908
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3012
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2756
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2788
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:3008
- C:\Windows\SysWOW64\system.exe
  C:\Windows\system32\system.exe
  2⤵
  PID:2848

C:\Users\Admin\AppData\Local\Temp\738919a12ecfe3b6eaae65a7d600fc9a.exe
"C:\Users\Admin\AppData\Local\Temp\738919a12ecfe3b6eaae65a7d600fc9a.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
73KB

MD5
738919a12ecfe3b6eaae65a7d600fc9a

SHA1
04f8d380c2c1040429438ecd10b1fea3f3fcdb92

SHA256
2cf0276f8e4c2d4fcc7478eb9e4b3736928d6cf0e902a7bacacd5d4649577b82

SHA512
b9fa077caa7b1b198d71244cd6df5d5ec874af4f61297def58753d7fca3eb422654aec8c23684e1af94f10c5b429018f1974e705465f943026287654bb741717

Download Submit
memory/288-253-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/580-161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/828-522-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-265-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/868-269-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/908-229-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/908-233-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/940-544-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/976-295-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1060-126-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1068-134-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1132-530-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1480-184-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-476-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1584-472-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1612-409-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-463-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1628-467-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1640-381-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-169-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1684-173-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1784-101-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-146-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1788-150-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1844-400-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1872-557-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-439-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1956-437-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1968-611-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2120-327-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-631-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2120-634-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2136-585-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2164-303-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2284-90-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-32-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-122-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-228-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-121-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-629-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-627-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-108-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-46-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-86-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-85-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-609-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-600-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-45-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-584-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-581-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-572-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-377-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-571-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-386-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-553-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-405-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-446-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-414-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-415-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-424-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-426-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-434-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-435-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-17-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2368-511-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-543-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-59-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-509-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-500-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2368-15-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2368-483-0x00000000002F0000-0x0000000000324000-memory.dmp

Filesize
208KB

Download
memory/2392-192-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2408-491-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2516-486-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2548-241-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2632-356-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2636-113-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-64-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2652-60-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2668-72-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2668-74-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2668-77-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2732-344-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2756-36-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-51-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-48-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2820-49-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2908-322-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2908-319-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2984-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2984-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2984-13-0x00000000005D0000-0x0000000000604000-memory.dmp

Filesize
208KB

Download
memory/3044-207-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download