e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12-03-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2fcbf70696315646a34d27ce9906d55.exe
Size

80KB
MD5

c2fcbf70696315646a34d27ce9906d55
SHA1

feed301fe84a4b87aa94218d25cfcf33d268db9c
SHA256

e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d
SHA512

351e6d082fb5141c06ee97e9f6916d302541b5c38c81e64c2719854b4c55602abcd52783da8a6302abbc26d2b2e3030b3d7851187ab7b167add753a9dbd88653
SSDEEP

1536:Jdkf22gypebgdFwgXfu+xW2zRk5If4aRhdsRRkF:nkepys/+xW2zRk5IwajKkF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2192	userinit.exe
2584	system.exe
2504	system.exe
2408	system.exe
2560	system.exe
2492	system.exe
2704	system.exe
2752	system.exe
2888	system.exe
2264	system.exe
1440	system.exe
776	system.exe
852	system.exe
2324	system.exe
2232	system.exe
2468	system.exe
1424	system.exe
1976	system.exe
2044	system.exe
1708	system.exe
1224	system.exe
608	system.exe
1632	system.exe
564	system.exe
976	system.exe
2156	system.exe
2992	system.exe
2964	system.exe
2856	system.exe
2604	system.exe
2708	system.exe
2504	system.exe
2400	system.exe
2436	system.exe
1780	system.exe
2924	system.exe
2696	system.exe
1488	system.exe
2264	system.exe
2620	system.exe
1720	system.exe
1344	system.exe
2932	system.exe
2100	system.exe
2208	system.exe
2356	system.exe
856	system.exe
2332	system.exe
2816	system.exe
1276	system.exe
1248	system.exe
2112	system.exe
1860	system.exe
2348	system.exe
1992	system.exe
2124	system.exe
2464	system.exe
2580	system.exe
2584	system.exe
2804	system.exe
304	system.exe
2384	system.exe
2448	system.exe
2092	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe
2192	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	c2fcbf70696315646a34d27ce9906d55.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	c2fcbf70696315646a34d27ce9906d55.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2856	c2fcbf70696315646a34d27ce9906d55.exe
2192	userinit.exe
2192	userinit.exe
2584	system.exe
2192	userinit.exe
2504	system.exe
2192	userinit.exe
2408	system.exe
2192	userinit.exe
2560	system.exe
2192	userinit.exe
2492	system.exe
2192	userinit.exe
2704	system.exe
2192	userinit.exe
2752	system.exe
2192	userinit.exe
2888	system.exe
2192	userinit.exe
2264	system.exe
2192	userinit.exe
1440	system.exe
2192	userinit.exe
776	system.exe
2192	userinit.exe
852	system.exe
2192	userinit.exe
2324	system.exe
2192	userinit.exe
2232	system.exe
2192	userinit.exe
2468	system.exe
2192	userinit.exe
1424	system.exe
2192	userinit.exe
1976	system.exe
2192	userinit.exe
2044	system.exe
2192	userinit.exe
1708	system.exe
2192	userinit.exe
1224	system.exe
2192	userinit.exe
608	system.exe
2192	userinit.exe
1632	system.exe
2192	userinit.exe
564	system.exe
2192	userinit.exe
976	system.exe
2192	userinit.exe
2156	system.exe
2192	userinit.exe
2992	system.exe
2192	userinit.exe
2964	system.exe
2192	userinit.exe
2856	system.exe
2192	userinit.exe
2604	system.exe
2192	userinit.exe
2708	system.exe
2192	userinit.exe
2504	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2192	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2856	c2fcbf70696315646a34d27ce9906d55.exe
2856	c2fcbf70696315646a34d27ce9906d55.exe
2192	userinit.exe
2192	userinit.exe
2584	system.exe
2584	system.exe
2504	system.exe
2504	system.exe
2408	system.exe
2408	system.exe
2560	system.exe
2560	system.exe
2492	system.exe
2492	system.exe
2704	system.exe
2704	system.exe
2752	system.exe
2752	system.exe
2888	system.exe
2888	system.exe
2264	system.exe
2264	system.exe
1440	system.exe
1440	system.exe
776	system.exe
776	system.exe
852	system.exe
852	system.exe
2324	system.exe
2324	system.exe
2232	system.exe
2232	system.exe
2468	system.exe
2468	system.exe
1424	system.exe
1424	system.exe
1976	system.exe
1976	system.exe
2044	system.exe
2044	system.exe
1708	system.exe
1708	system.exe
1224	system.exe
1224	system.exe
608	system.exe
608	system.exe
1632	system.exe
1632	system.exe
564	system.exe
564	system.exe
976	system.exe
976	system.exe
2156	system.exe
2156	system.exe
2992	system.exe
2992	system.exe
2964	system.exe
2964	system.exe
2856	system.exe
2856	system.exe
2604	system.exe
2604	system.exe
2708	system.exe
2708	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2192	2856	c2fcbf70696315646a34d27ce9906d55.exe	28
PID 2856 wrote to memory of 2192	2856	c2fcbf70696315646a34d27ce9906d55.exe	28
PID 2856 wrote to memory of 2192	2856	c2fcbf70696315646a34d27ce9906d55.exe	28
PID 2856 wrote to memory of 2192	2856	c2fcbf70696315646a34d27ce9906d55.exe	28
PID 2192 wrote to memory of 2584	2192	userinit.exe	29
PID 2192 wrote to memory of 2584	2192	userinit.exe	29
PID 2192 wrote to memory of 2584	2192	userinit.exe	29
PID 2192 wrote to memory of 2584	2192	userinit.exe	29
PID 2192 wrote to memory of 2504	2192	userinit.exe	30
PID 2192 wrote to memory of 2504	2192	userinit.exe	30
PID 2192 wrote to memory of 2504	2192	userinit.exe	30
PID 2192 wrote to memory of 2504	2192	userinit.exe	30
PID 2192 wrote to memory of 2408	2192	userinit.exe	31
PID 2192 wrote to memory of 2408	2192	userinit.exe	31
PID 2192 wrote to memory of 2408	2192	userinit.exe	31
PID 2192 wrote to memory of 2408	2192	userinit.exe	31
PID 2192 wrote to memory of 2560	2192	userinit.exe	32
PID 2192 wrote to memory of 2560	2192	userinit.exe	32
PID 2192 wrote to memory of 2560	2192	userinit.exe	32
PID 2192 wrote to memory of 2560	2192	userinit.exe	32
PID 2192 wrote to memory of 2492	2192	userinit.exe	33
PID 2192 wrote to memory of 2492	2192	userinit.exe	33
PID 2192 wrote to memory of 2492	2192	userinit.exe	33
PID 2192 wrote to memory of 2492	2192	userinit.exe	33
PID 2192 wrote to memory of 2704	2192	userinit.exe	34
PID 2192 wrote to memory of 2704	2192	userinit.exe	34
PID 2192 wrote to memory of 2704	2192	userinit.exe	34
PID 2192 wrote to memory of 2704	2192	userinit.exe	34
PID 2192 wrote to memory of 2752	2192	userinit.exe	35
PID 2192 wrote to memory of 2752	2192	userinit.exe	35
PID 2192 wrote to memory of 2752	2192	userinit.exe	35
PID 2192 wrote to memory of 2752	2192	userinit.exe	35
PID 2192 wrote to memory of 2888	2192	userinit.exe	36
PID 2192 wrote to memory of 2888	2192	userinit.exe	36
PID 2192 wrote to memory of 2888	2192	userinit.exe	36
PID 2192 wrote to memory of 2888	2192	userinit.exe	36
PID 2192 wrote to memory of 2264	2192	userinit.exe	37
PID 2192 wrote to memory of 2264	2192	userinit.exe	37
PID 2192 wrote to memory of 2264	2192	userinit.exe	37
PID 2192 wrote to memory of 2264	2192	userinit.exe	37
PID 2192 wrote to memory of 1440	2192	userinit.exe	38
PID 2192 wrote to memory of 1440	2192	userinit.exe	38
PID 2192 wrote to memory of 1440	2192	userinit.exe	38
PID 2192 wrote to memory of 1440	2192	userinit.exe	38
PID 2192 wrote to memory of 776	2192	userinit.exe	39
PID 2192 wrote to memory of 776	2192	userinit.exe	39
PID 2192 wrote to memory of 776	2192	userinit.exe	39
PID 2192 wrote to memory of 776	2192	userinit.exe	39
PID 2192 wrote to memory of 852	2192	userinit.exe	40
PID 2192 wrote to memory of 852	2192	userinit.exe	40
PID 2192 wrote to memory of 852	2192	userinit.exe	40
PID 2192 wrote to memory of 852	2192	userinit.exe	40
PID 2192 wrote to memory of 2324	2192	userinit.exe	41
PID 2192 wrote to memory of 2324	2192	userinit.exe	41
PID 2192 wrote to memory of 2324	2192	userinit.exe	41
PID 2192 wrote to memory of 2324	2192	userinit.exe	41
PID 2192 wrote to memory of 2232	2192	userinit.exe	42
PID 2192 wrote to memory of 2232	2192	userinit.exe	42
PID 2192 wrote to memory of 2232	2192	userinit.exe	42
PID 2192 wrote to memory of 2232	2192	userinit.exe	42
PID 2192 wrote to memory of 2468	2192	userinit.exe	43
PID 2192 wrote to memory of 2468	2192	userinit.exe	43
PID 2192 wrote to memory of 2468	2192	userinit.exe	43
PID 2192 wrote to memory of 2468	2192	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\c2fcbf70696315646a34d27ce9906d55.exe
"C:\Users\Admin\AppData\Local\Temp\c2fcbf70696315646a34d27ce9906d55.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2356
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2452
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
80KB

MD5
c2fcbf70696315646a34d27ce9906d55

SHA1
feed301fe84a4b87aa94218d25cfcf33d268db9c

SHA256
e3aaf570c1cd1cb809d7cce76bcbe60468c17be0d73eea8394d1436c6f7ca07d

SHA512
351e6d082fb5141c06ee97e9f6916d302541b5c38c81e64c2719854b4c55602abcd52783da8a6302abbc26d2b2e3030b3d7851187ab7b167add753a9dbd88653

Download Submit
\Windows\SysWOW64\system.exe

Filesize
35KB

MD5
9634cd4d926beefd5328bb5372633b78

SHA1
90f583a9813dfae535552a3aca3c163592944c9f

SHA256
5dcc0476b5ac4f4725f056164106231ad76814d00c70707d7b0df069d0bd85c2

SHA512
d85446efd08cb2e1961e6fbe43b482500383a622e1d4ecf687353954faff8a80e70765b71fb5b2c7666acefc03bbada94c5ceea52656c11d82574b09ed42e482

Download Submit
memory/564-297-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/608-281-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/776-157-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/852-170-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/852-174-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/976-305-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1224-271-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1276-559-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1344-474-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1424-223-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1440-149-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1440-145-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1632-289-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1780-398-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-237-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1976-233-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/1976-231-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2044-245-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2156-313-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-409-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-354-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-481-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-472-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-470-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-461-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-460-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-450-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-133-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-448-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-438-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-437-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-428-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-169-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-82-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-427-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-418-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-417-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-408-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-195-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-96-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-14-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2192-208-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-396-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-395-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-385-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-57-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-56-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-384-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-375-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-374-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-365-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-31-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-364-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2192-355-0x0000000000270000-0x00000000002AD000-memory.dmp

Filesize
244KB

Download
memory/2232-198-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2232-200-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2264-137-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2264-439-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2324-182-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-187-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2324-184-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2332-539-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2400-379-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2408-58-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2408-62-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2464-633-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2492-88-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2492-86-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2492-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2504-48-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2504-44-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2504-43-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2560-70-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2560-74-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2584-35-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-452-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2620-453-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2620-455-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2704-100-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-109-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2752-108-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2752-113-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2816-549-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-12-0x00000000002C0000-0x00000000002FD000-memory.dmp

Filesize
244KB

Download
memory/2856-19-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-337-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2856-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2856-341-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2888-121-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2888-125-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2924-411-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2964-330-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2992-318-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download