e065f336ddbb5b9158db120c54764f0b54ebc26e8eff1942ec1ae3d4cb90b9f9

Analysis

max time kernel
150s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/01/2024, 01:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e8d0da6a94ba9cb94df5cecf900fb05.exe
Size

80KB
MD5

7e8d0da6a94ba9cb94df5cecf900fb05
SHA1

585da7f4b74e39d1231a39f1c4aa35c55b9d2221
SHA256

e065f336ddbb5b9158db120c54764f0b54ebc26e8eff1942ec1ae3d4cb90b9f9
SHA512

e3e596148f57effea84beae8af8eb60302378e9f60aca04f2c0311d0d5711f314e5a54f3f58d1d1f423b8a3a61a7b0008450c952914464960e034052077045bd
SSDEEP

1536:Q2NUjXVUvUUJaQAqZegptMBjaRhdsRRFC:/zzJapyfptM5ajKFC

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2700	userinit.exe
2724	system.exe
2988	system.exe
2704	system.exe
1336	system.exe
760	system.exe
2368	system.exe
2976	system.exe
2180	system.exe
2864	system.exe
2144	system.exe
676	system.exe
240	system.exe
1768	system.exe
844	system.exe
2336	system.exe
2416	system.exe
1016	system.exe
680	system.exe
1752	system.exe
1952	system.exe
1004	system.exe
2424	system.exe
1636	system.exe
884	system.exe
2000	system.exe
2308	system.exe
2840	system.exe
2752	system.exe
2980	system.exe
2988	system.exe
2488	system.exe
2904	system.exe
1248	system.exe
2568	system.exe
2104	system.exe
2264	system.exe
2920	system.exe
2152	system.exe
308	system.exe
1704	system.exe
240	system.exe
2228	system.exe
2428	system.exe
2268	system.exe
532	system.exe
644	system.exe
1096	system.exe
1528	system.exe
1008	system.exe
1932	system.exe
960	system.exe
1004	system.exe
460	system.exe
2028	system.exe
1308	system.exe
2000	system.exe
996	system.exe
2840	system.exe
2728	system.exe
2636	system.exe
2604	system.exe
2488	system.exe
2904	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe
2700	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	7e8d0da6a94ba9cb94df5cecf900fb05.exe
File opened for modification	C:\Windows\userinit.exe	7e8d0da6a94ba9cb94df5cecf900fb05.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe
2700	userinit.exe
2700	userinit.exe
2724	system.exe
2700	userinit.exe
2988	system.exe
2700	userinit.exe
2704	system.exe
2700	userinit.exe
1336	system.exe
2700	userinit.exe
760	system.exe
2700	userinit.exe
2368	system.exe
2700	userinit.exe
2976	system.exe
2700	userinit.exe
2180	system.exe
2700	userinit.exe
2864	system.exe
2700	userinit.exe
2144	system.exe
2700	userinit.exe
676	system.exe
2700	userinit.exe
240	system.exe
2700	userinit.exe
1768	system.exe
2700	userinit.exe
844	system.exe
2700	userinit.exe
2336	system.exe
2700	userinit.exe
2416	system.exe
2700	userinit.exe
1016	system.exe
2700	userinit.exe
680	system.exe
2700	userinit.exe
1752	system.exe
2700	userinit.exe
1952	system.exe
2700	userinit.exe
1004	system.exe
2700	userinit.exe
2424	system.exe
2700	userinit.exe
1636	system.exe
2700	userinit.exe
884	system.exe
2700	userinit.exe
2700	userinit.exe
2308	system.exe
2700	userinit.exe
2840	system.exe
2700	userinit.exe
2752	system.exe
2700	userinit.exe
2980	system.exe
2700	userinit.exe
2988	system.exe
2700	userinit.exe
2488	system.exe
2700	userinit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2700	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe
2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe
2700	userinit.exe
2700	userinit.exe
2724	system.exe
2724	system.exe
2988	system.exe
2988	system.exe
2704	system.exe
2704	system.exe
1336	system.exe
1336	system.exe
760	system.exe
760	system.exe
2368	system.exe
2368	system.exe
2976	system.exe
2976	system.exe
2180	system.exe
2180	system.exe
2864	system.exe
2864	system.exe
2144	system.exe
2144	system.exe
676	system.exe
676	system.exe
240	system.exe
240	system.exe
1768	system.exe
1768	system.exe
844	system.exe
844	system.exe
2336	system.exe
2336	system.exe
2416	system.exe
2416	system.exe
1016	system.exe
1016	system.exe
680	system.exe
680	system.exe
1752	system.exe
1752	system.exe
1952	system.exe
1952	system.exe
1004	system.exe
1004	system.exe
2424	system.exe
2424	system.exe
1636	system.exe
1636	system.exe
884	system.exe
884	system.exe
2308	system.exe
2308	system.exe
2840	system.exe
2840	system.exe
2752	system.exe
2752	system.exe
2980	system.exe
2980	system.exe
2988	system.exe
2988	system.exe
2488	system.exe
2488	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 2700	2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe	28
PID 2836 wrote to memory of 2700	2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe	28
PID 2836 wrote to memory of 2700	2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe	28
PID 2836 wrote to memory of 2700	2836	7e8d0da6a94ba9cb94df5cecf900fb05.exe	28
PID 2700 wrote to memory of 2724	2700	userinit.exe	29
PID 2700 wrote to memory of 2724	2700	userinit.exe	29
PID 2700 wrote to memory of 2724	2700	userinit.exe	29
PID 2700 wrote to memory of 2724	2700	userinit.exe	29
PID 2700 wrote to memory of 2988	2700	userinit.exe	30
PID 2700 wrote to memory of 2988	2700	userinit.exe	30
PID 2700 wrote to memory of 2988	2700	userinit.exe	30
PID 2700 wrote to memory of 2988	2700	userinit.exe	30
PID 2700 wrote to memory of 2704	2700	userinit.exe	31
PID 2700 wrote to memory of 2704	2700	userinit.exe	31
PID 2700 wrote to memory of 2704	2700	userinit.exe	31
PID 2700 wrote to memory of 2704	2700	userinit.exe	31
PID 2700 wrote to memory of 1336	2700	userinit.exe	32
PID 2700 wrote to memory of 1336	2700	userinit.exe	32
PID 2700 wrote to memory of 1336	2700	userinit.exe	32
PID 2700 wrote to memory of 1336	2700	userinit.exe	32
PID 2700 wrote to memory of 760	2700	userinit.exe	33
PID 2700 wrote to memory of 760	2700	userinit.exe	33
PID 2700 wrote to memory of 760	2700	userinit.exe	33
PID 2700 wrote to memory of 760	2700	userinit.exe	33
PID 2700 wrote to memory of 2368	2700	userinit.exe	34
PID 2700 wrote to memory of 2368	2700	userinit.exe	34
PID 2700 wrote to memory of 2368	2700	userinit.exe	34
PID 2700 wrote to memory of 2368	2700	userinit.exe	34
PID 2700 wrote to memory of 2976	2700	userinit.exe	35
PID 2700 wrote to memory of 2976	2700	userinit.exe	35
PID 2700 wrote to memory of 2976	2700	userinit.exe	35
PID 2700 wrote to memory of 2976	2700	userinit.exe	35
PID 2700 wrote to memory of 2180	2700	userinit.exe	36
PID 2700 wrote to memory of 2180	2700	userinit.exe	36
PID 2700 wrote to memory of 2180	2700	userinit.exe	36
PID 2700 wrote to memory of 2180	2700	userinit.exe	36
PID 2700 wrote to memory of 2864	2700	userinit.exe	37
PID 2700 wrote to memory of 2864	2700	userinit.exe	37
PID 2700 wrote to memory of 2864	2700	userinit.exe	37
PID 2700 wrote to memory of 2864	2700	userinit.exe	37
PID 2700 wrote to memory of 2144	2700	userinit.exe	38
PID 2700 wrote to memory of 2144	2700	userinit.exe	38
PID 2700 wrote to memory of 2144	2700	userinit.exe	38
PID 2700 wrote to memory of 2144	2700	userinit.exe	38
PID 2700 wrote to memory of 676	2700	userinit.exe	39
PID 2700 wrote to memory of 676	2700	userinit.exe	39
PID 2700 wrote to memory of 676	2700	userinit.exe	39
PID 2700 wrote to memory of 676	2700	userinit.exe	39
PID 2700 wrote to memory of 240	2700	userinit.exe	40
PID 2700 wrote to memory of 240	2700	userinit.exe	40
PID 2700 wrote to memory of 240	2700	userinit.exe	40
PID 2700 wrote to memory of 240	2700	userinit.exe	40
PID 2700 wrote to memory of 1768	2700	userinit.exe	41
PID 2700 wrote to memory of 1768	2700	userinit.exe	41
PID 2700 wrote to memory of 1768	2700	userinit.exe	41
PID 2700 wrote to memory of 1768	2700	userinit.exe	41
PID 2700 wrote to memory of 844	2700	userinit.exe	42
PID 2700 wrote to memory of 844	2700	userinit.exe	42
PID 2700 wrote to memory of 844	2700	userinit.exe	42
PID 2700 wrote to memory of 844	2700	userinit.exe	42
PID 2700 wrote to memory of 2336	2700	userinit.exe	43
PID 2700 wrote to memory of 2336	2700	userinit.exe	43
PID 2700 wrote to memory of 2336	2700	userinit.exe	43
PID 2700 wrote to memory of 2336	2700	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\7e8d0da6a94ba9cb94df5cecf900fb05.exe
"C:\Users\Admin\AppData\Local\Temp\7e8d0da6a94ba9cb94df5cecf900fb05.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2368
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:644
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\system.exe

Filesize
42KB

MD5
5dd7d48c6d8d90617cb84c1b20521b75

SHA1
fe3e0b75794fb8210fca3e9e776f6622d68e1935

SHA256
ebc46e4f51b4ff3a212ca3a029359f4fd45639358d7e94a4d9b244942f94c974

SHA512
8173d835f42cfb453652293a0eeb732c347dcc3f2f456e5aa6548097a7fa23c08f40ebc11fd15986f8f2d779466e9dceed8d670c069b3e8056efc1e384c15f1a

Download Submit
C:\Windows\userinit.exe

Filesize
80KB

MD5
7e8d0da6a94ba9cb94df5cecf900fb05

SHA1
585da7f4b74e39d1231a39f1c4aa35c55b9d2221

SHA256
e065f336ddbb5b9158db120c54764f0b54ebc26e8eff1942ec1ae3d4cb90b9f9

SHA512
e3e596148f57effea84beae8af8eb60302378e9f60aca04f2c0311d0d5711f314e5a54f3f58d1d1f423b8a3a61a7b0008450c952914464960e034052077045bd

Download Submit
memory/240-170-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/240-465-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/644-508-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/676-155-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/680-243-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/760-81-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/844-190-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-303-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/884-299-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/884-298-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-275-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1004-566-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1008-539-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1336-73-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1636-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1704-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1768-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1768-178-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1932-544-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1952-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2000-308-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2000-311-0x00000000029C0000-0x0000000002AD0000-memory.dmp

Filesize
1.1MB

Download
memory/2000-600-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2028-585-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2104-407-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2144-143-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2152-434-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-118-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2180-119-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2180-123-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2228-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2264-417-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2264-418-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2264-420-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-489-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2268-493-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2308-320-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2368-95-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2368-98-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2416-216-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2416-213-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2424-280-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2424-284-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2488-366-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2488-370-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-365-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-32-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-562-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-553-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-15-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2700-335-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-535-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-344-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-526-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-351-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-355-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-361-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-480-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-130-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-582-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-372-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-517-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-571-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-385-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-387-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-395-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-225-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-415-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-238-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2700-93-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-68-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-425-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-499-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-479-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-443-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-56-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-461-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2700-240-0x0000000003920000-0x000000000395D000-memory.dmp

Filesize
244KB

Download
memory/2700-470-0x0000000003DF0000-0x0000000003E2D000-memory.dmp

Filesize
244KB

Download
memory/2704-61-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-37-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2724-33-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-339-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2836-14-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2836-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2836-20-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2836-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2836-9-0x0000000000440000-0x000000000047D000-memory.dmp

Filesize
244KB

Download
memory/2840-327-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2864-135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2904-380-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2904-376-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2920-429-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2976-106-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2976-110-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2980-345-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-45-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2988-49-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download