7a2bec75af5d5c26bda8adb23f5b343a562d519ef6768122703b0944f88dde87

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-01-2024 17:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7510cc8e71f8cdfc4a2c76d55e674ecc.exe
Size

323KB
MD5

7510cc8e71f8cdfc4a2c76d55e674ecc
SHA1

a0ac932cdb109513c260448195b76fef90a48a42
SHA256

7a2bec75af5d5c26bda8adb23f5b343a562d519ef6768122703b0944f88dde87
SHA512

444eb2513e85473647d53bb9681f10d2ff658ab2b3aab01b1abac2f0cb7c5532f69d0a84f6de21390c8dce2700be8e1b77de54cd2e208955daf28fffa1e0be4a
SSDEEP

768:X1hrEe3BN7m/kwQ2L3tvQvTvXk56NQ+Zf1zBmQzTGfmgyqCx:lhn3r7mfQGKvDXkgQGf1zwQVgvCx

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

userinit.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

Processes:

userinit.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	process
1052	userinit.exe
2912	system.exe
2536	system.exe
2616	system.exe
2528	system.exe
3016	system.exe
1176	system.exe
972	system.exe
1996	system.exe
2832	system.exe
1724	system.exe
1056	system.exe
1952	system.exe
2440	system.exe
1820	system.exe
2068	system.exe
2104	system.exe
632	system.exe
1868	system.exe
1328	system.exe
2324	system.exe
2036	system.exe
1520	system.exe
2088	system.exe
2608	system.exe
2300	system.exe
2676	system.exe
2804	system.exe
2668	system.exe
2480	system.exe
2652	system.exe
2992	system.exe
1512	system.exe
1652	system.exe
2724	system.exe
936	system.exe
1460	system.exe
1692	system.exe
1656	system.exe
1632	system.exe
1048	system.exe
1824	system.exe
1576	system.exe
760	system.exe
2068	system.exe
2408	system.exe
1012	system.exe
1556	system.exe
1336	system.exe
2360	system.exe
1316	system.exe
2076	system.exe
876	system.exe
2932	system.exe
3008	system.exe
1032	system.exe
2376	system.exe
2312	system.exe
2084	system.exe
2172	system.exe
2560	system.exe
2652	system.exe
2992	system.exe
1156	system.exe

Loads dropped DLL 64 IoCs

Processes:

userinit.exe

pid	process
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe
1052	userinit.exe

Drops file in System32 directory 2 IoCs

Processes:

userinit.exe

description ioc process

File created C:\Windows\SysWOW64\system.exe userinit.exe
File opened for modification C:\Windows\SysWOW64\system.exe userinit.exe

description	ioc	process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

Processes:

7510cc8e71f8cdfc4a2c76d55e674ecc.exeuserinit.exe

description	ioc	process
File opened for modification	C:\Windows\userinit.exe	7510cc8e71f8cdfc4a2c76d55e674ecc.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	7510cc8e71f8cdfc4a2c76d55e674ecc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

7510cc8e71f8cdfc4a2c76d55e674ecc.exeuserinit.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exesystem.exe

pid	process
1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe
1052	userinit.exe
1052	userinit.exe
2912	system.exe
1052	userinit.exe
2536	system.exe
1052	userinit.exe
2616	system.exe
1052	userinit.exe
2528	system.exe
1052	userinit.exe
3016	system.exe
1052	userinit.exe
1176	system.exe
1052	userinit.exe
972	system.exe
1052	userinit.exe
1996	system.exe
1052	userinit.exe
2832	system.exe
1052	userinit.exe
1724	system.exe
1052	userinit.exe
1056	system.exe
1052	userinit.exe
1952	system.exe
1052	userinit.exe
2440	system.exe
1052	userinit.exe
1820	system.exe
1052	userinit.exe
2068	system.exe
1052	userinit.exe
2104	system.exe
1052	userinit.exe
632	system.exe
1052	userinit.exe
1868	system.exe
1052	userinit.exe
1328	system.exe
1052	userinit.exe
2324	system.exe
1052	userinit.exe
2036	system.exe
1052	userinit.exe
1520	system.exe
1052	userinit.exe
2088	system.exe
1052	userinit.exe
2608	system.exe
1052	userinit.exe
2300	system.exe
1052	userinit.exe
2676	system.exe
1052	userinit.exe
2804	system.exe
1052	userinit.exe
2668	system.exe
1052	userinit.exe
2480	system.exe
1052	userinit.exe
2652	system.exe
1052	userinit.exe
2992	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

userinit.exe

pid process

1052 userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe
1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe
1052	userinit.exe
1052	userinit.exe
2912	system.exe
2912	system.exe
2536	system.exe
2536	system.exe
2616	system.exe
2616	system.exe
2528	system.exe
2528	system.exe
3016	system.exe
3016	system.exe
1176	system.exe
1176	system.exe
972	system.exe
972	system.exe
1996	system.exe
1996	system.exe
2832	system.exe
2832	system.exe
1724	system.exe
1724	system.exe
1056	system.exe
1056	system.exe
1952	system.exe
1952	system.exe
2440	system.exe
2440	system.exe
1820	system.exe
1820	system.exe
2068	system.exe
2068	system.exe
2104	system.exe
2104	system.exe
632	system.exe
632	system.exe
1868	system.exe
1868	system.exe
1328	system.exe
1328	system.exe
2324	system.exe
2324	system.exe
2036	system.exe
2036	system.exe
1520	system.exe
1520	system.exe
2088	system.exe
2088	system.exe
2608	system.exe
2608	system.exe
2300	system.exe
2300	system.exe
2676	system.exe
2676	system.exe
2804	system.exe
2804	system.exe
2668	system.exe
2668	system.exe
2480	system.exe
2480	system.exe
2652	system.exe
2652	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7510cc8e71f8cdfc4a2c76d55e674ecc.exeuserinit.exe

description	pid	process	target process
PID 1032 wrote to memory of 1052	1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe	userinit.exe
PID 1032 wrote to memory of 1052	1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe	userinit.exe
PID 1032 wrote to memory of 1052	1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe	userinit.exe
PID 1032 wrote to memory of 1052	1032	7510cc8e71f8cdfc4a2c76d55e674ecc.exe	userinit.exe
PID 1052 wrote to memory of 2912	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2912	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2912	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2912	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2536	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2536	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2536	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2536	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2616	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2616	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2616	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2616	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2528	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2528	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2528	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2528	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 3016	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 3016	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 3016	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 3016	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1176	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1176	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1176	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1176	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 972	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 972	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 972	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 972	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1996	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1996	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1996	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1996	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2832	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2832	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2832	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2832	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1724	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1724	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1724	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1724	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1056	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1056	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1056	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1056	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1952	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1952	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1952	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1952	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2440	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2440	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2440	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2440	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1820	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1820	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1820	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 1820	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2068	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2068	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2068	1052	userinit.exe	system.exe
PID 1052 wrote to memory of 2068	1052	userinit.exe	system.exe

C:\Users\Admin\AppData\Local\Temp\7510cc8e71f8cdfc4a2c76d55e674ecc.exe
"C:\Users\Admin\AppData\Local\Temp\7510cc8e71f8cdfc4a2c76d55e674ecc.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\userinit.exe
C:\Windows\userinit.exe
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2536

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2616

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3016

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2832

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1056

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2440

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1820

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2104

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1868

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1328

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2036

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1520

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2088

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2608

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2300

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2668

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2652

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2992

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1512

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1652

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2724

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:936

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1460

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1692

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1656

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1632

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1048

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1824

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1576

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:760

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2068

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2408

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1012

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1556

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1336

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2360

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1316

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2076

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:876

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2932

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:3008

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1032

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2376

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2312

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2084

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2172

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2560

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2652

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:2992

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
- Executes dropped EXE
PID:1156

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:948

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1332

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2736

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1264

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1208

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2016

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1988

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2440

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1844

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1040

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:488

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2128

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2056

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1336

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2060

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2208

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:892

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1520

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1716

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2944

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:928

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2688

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2816

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2376

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:804

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2616

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:436

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1532

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2988

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:868

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2836

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2132

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:848

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2044

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1600

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1968

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1744

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2352

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2568

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2956

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:588

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:3044

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1944

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:844

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1020

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:3060

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1472

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:940

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:1296

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2088

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2876

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:3052

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2760

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2816

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2700

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2084

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2216

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2028

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2652

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2508

C:\Windows\SysWOW64\system.exe
C:\Windows\system32\system.exe
3⤵
PID:2512

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe
Filesize
323KB

MD5
7510cc8e71f8cdfc4a2c76d55e674ecc

SHA1
a0ac932cdb109513c260448195b76fef90a48a42

SHA256
7a2bec75af5d5c26bda8adb23f5b343a562d519ef6768122703b0944f88dde87

SHA512
444eb2513e85473647d53bb9681f10d2ff658ab2b3aab01b1abac2f0cb7c5532f69d0a84f6de21390c8dce2700be8e1b77de54cd2e208955daf28fffa1e0be4a

Download Submit
\Windows\SysWOW64\system.exe
Filesize
256KB

MD5
22914c5adcdf10a2fdb4d6e526551eb6

SHA1
a1fe491e4e1406a4de2601b7a70bbc474d11bf77

SHA256
9a36d229c4c94b3a94133960d8eeb7f750b018d78b6bb9b8bb5a132dee13b91d

SHA512
67cdf7608b468de2c98d0929dbc5a30dd828c7a6f9b693ed6573c4c1a64a366d7b0bf537c65c9941d5c3190a5c47e363b10e4e81671933fe4d5cc65aff285b90

Download Submit
memory/632-236-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/632-232-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/632-237-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/936-435-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/972-107-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/972-103-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1032-14-0x0000000002C00000-0x0000000002C88000-memory.dmp

Filesize
544KB

Download
memory/1032-20-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1032-0-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1032-12-0x0000000002C00000-0x0000000002C88000-memory.dmp

Filesize
544KB

Download
memory/1032-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1052-359-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-348-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-402-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-401-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-414-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-57-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-109-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-117-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-394-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-389-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-314-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-388-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-379-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-175-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-370-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-368-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-188-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-315-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-201-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-203-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-358-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-208-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-216-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-218-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-350-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-412-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-472-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-230-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-555-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-234-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-642-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-26-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-339-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-246-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-244-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-258-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-15-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1052-336-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-271-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-273-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-327-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-284-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-293-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-294-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-325-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-303-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-305-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1052-316-0x0000000002420000-0x00000000024A8000-memory.dmp

Filesize
544KB

Download
memory/1056-155-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1328-261-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1328-264-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1512-404-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1512-406-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1520-298-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1576-497-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1632-470-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1656-462-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1692-453-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1724-140-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1724-144-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1820-193-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1868-247-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1952-167-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/1952-164-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2068-206-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2068-516-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2088-307-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2104-220-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2104-222-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2300-329-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2324-277-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2360-567-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2440-177-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2440-179-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2480-372-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2480-374-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2528-73-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2528-69-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2536-49-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2536-45-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2616-61-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2668-363-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2676-342-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2676-337-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2804-351-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2912-37-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download
memory/2912-33-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/3016-84-0x0000000000400000-0x0000000000488000-memory.dmp

Filesize
544KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads