55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6

Analysis

max time kernel
150s
max time network
119s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
14-03-2024 12:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8a7b930072f7ca7d8e7df988e03d951.exe
Size

684KB
MD5

c8a7b930072f7ca7d8e7df988e03d951
SHA1

a5ce715a12de27c714ae81ed9c31cb24e037832f
SHA256

55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6
SHA512

40126527ead3d5a0966c457e5f33566a0a208112b2fb1ac1187f36ff25fdbd67a945a6726bf7a9caa970f19c8f04ae072c804c529c0351da196eeda8c0bd8608
SSDEEP

1536:cOaxhd8R9NeUl6EbRDbeY5uIaRhdsRxOVhnd:FaD0NeUlnRDKGTajLV

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2588	userinit.exe
2620	system.exe
2540	system.exe
2548	system.exe
2408	system.exe
2056	system.exe
2676	system.exe
2728	system.exe
2672	system.exe
780	system.exe
824	system.exe
2448	system.exe
648	system.exe
2096	system.exe
2748	system.exe
612	system.exe
2820	system.exe
1120	system.exe
3036	system.exe
2000	system.exe
1324	system.exe
272	system.exe
2908	system.exe
1160	system.exe
2020	system.exe
1980	system.exe
2300	system.exe
2952	system.exe
2576	system.exe
2812	system.exe
2760	system.exe
2420	system.exe
2456	system.exe
1688	system.exe
1912	system.exe
2688	system.exe
472	system.exe
2256	system.exe
320	system.exe
1256	system.exe
1876	system.exe
1432	system.exe
1276	system.exe
2212	system.exe
2200	system.exe
1420	system.exe
1260	system.exe
716	system.exe
972	system.exe
2000	system.exe
1640	system.exe
804	system.exe
2332	system.exe
2132	system.exe
1604	system.exe
1520	system.exe
2664	system.exe
2524	system.exe
2504	system.exe
2800	system.exe
2656	system.exe
2388	system.exe
2880	system.exe
1576	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2520	Regsvr32.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe
2588	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	c8a7b930072f7ca7d8e7df988e03d951.exe
File created	C:\Windows\userinit.exe	c8a7b930072f7ca7d8e7df988e03d951.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	c8a7b930072f7ca7d8e7df988e03d951.exe
2588	userinit.exe
2588	userinit.exe
2620	system.exe
2588	userinit.exe
2540	system.exe
2588	userinit.exe
2548	system.exe
2588	userinit.exe
2408	system.exe
2588	userinit.exe
2056	system.exe
2588	userinit.exe
2676	system.exe
2588	userinit.exe
2728	system.exe
2588	userinit.exe
2672	system.exe
2588	userinit.exe
780	system.exe
2588	userinit.exe
824	system.exe
2588	userinit.exe
2448	system.exe
2588	userinit.exe
648	system.exe
2588	userinit.exe
2096	system.exe
2588	userinit.exe
2748	system.exe
2588	userinit.exe
612	system.exe
2588	userinit.exe
2820	system.exe
2588	userinit.exe
1120	system.exe
2588	userinit.exe
3036	system.exe
2588	userinit.exe
2000	system.exe
2588	userinit.exe
1324	system.exe
2588	userinit.exe
272	system.exe
2588	userinit.exe
2908	system.exe
2588	userinit.exe
1160	system.exe
2588	userinit.exe
2020	system.exe
2588	userinit.exe
1980	system.exe
2588	userinit.exe
2300	system.exe
2588	userinit.exe
2952	system.exe
2588	userinit.exe
2576	system.exe
2588	userinit.exe
2812	system.exe
2588	userinit.exe
2760	system.exe
2588	userinit.exe
2420	system.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2276	c8a7b930072f7ca7d8e7df988e03d951.exe
2276	c8a7b930072f7ca7d8e7df988e03d951.exe
2588	userinit.exe
2588	userinit.exe
2620	system.exe
2620	system.exe
2540	system.exe
2540	system.exe
2548	system.exe
2548	system.exe
2408	system.exe
2408	system.exe
2056	system.exe
2056	system.exe
2676	system.exe
2676	system.exe
2728	system.exe
2728	system.exe
2672	system.exe
2672	system.exe
780	system.exe
780	system.exe
824	system.exe
824	system.exe
2448	system.exe
2448	system.exe
648	system.exe
648	system.exe
2096	system.exe
2096	system.exe
2748	system.exe
2748	system.exe
612	system.exe
612	system.exe
2820	system.exe
2820	system.exe
1120	system.exe
1120	system.exe
3036	system.exe
3036	system.exe
2000	system.exe
2000	system.exe
1324	system.exe
1324	system.exe
272	system.exe
272	system.exe
2908	system.exe
2908	system.exe
1160	system.exe
1160	system.exe
2020	system.exe
2020	system.exe
1980	system.exe
1980	system.exe
2300	system.exe
2300	system.exe
2952	system.exe
2952	system.exe
2576	system.exe
2576	system.exe
2812	system.exe
2812	system.exe
2760	system.exe
2760	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2588	2276	c8a7b930072f7ca7d8e7df988e03d951.exe	28
PID 2276 wrote to memory of 2588	2276	c8a7b930072f7ca7d8e7df988e03d951.exe	28
PID 2276 wrote to memory of 2588	2276	c8a7b930072f7ca7d8e7df988e03d951.exe	28
PID 2276 wrote to memory of 2588	2276	c8a7b930072f7ca7d8e7df988e03d951.exe	28
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2520	2588	userinit.exe	29
PID 2588 wrote to memory of 2620	2588	userinit.exe	30
PID 2588 wrote to memory of 2620	2588	userinit.exe	30
PID 2588 wrote to memory of 2620	2588	userinit.exe	30
PID 2588 wrote to memory of 2620	2588	userinit.exe	30
PID 2588 wrote to memory of 2540	2588	userinit.exe	31
PID 2588 wrote to memory of 2540	2588	userinit.exe	31
PID 2588 wrote to memory of 2540	2588	userinit.exe	31
PID 2588 wrote to memory of 2540	2588	userinit.exe	31
PID 2588 wrote to memory of 2548	2588	userinit.exe	32
PID 2588 wrote to memory of 2548	2588	userinit.exe	32
PID 2588 wrote to memory of 2548	2588	userinit.exe	32
PID 2588 wrote to memory of 2548	2588	userinit.exe	32
PID 2588 wrote to memory of 2408	2588	userinit.exe	33
PID 2588 wrote to memory of 2408	2588	userinit.exe	33
PID 2588 wrote to memory of 2408	2588	userinit.exe	33
PID 2588 wrote to memory of 2408	2588	userinit.exe	33
PID 2588 wrote to memory of 2056	2588	userinit.exe	34
PID 2588 wrote to memory of 2056	2588	userinit.exe	34
PID 2588 wrote to memory of 2056	2588	userinit.exe	34
PID 2588 wrote to memory of 2056	2588	userinit.exe	34
PID 2588 wrote to memory of 2676	2588	userinit.exe	35
PID 2588 wrote to memory of 2676	2588	userinit.exe	35
PID 2588 wrote to memory of 2676	2588	userinit.exe	35
PID 2588 wrote to memory of 2676	2588	userinit.exe	35
PID 2588 wrote to memory of 2728	2588	userinit.exe	36
PID 2588 wrote to memory of 2728	2588	userinit.exe	36
PID 2588 wrote to memory of 2728	2588	userinit.exe	36
PID 2588 wrote to memory of 2728	2588	userinit.exe	36
PID 2588 wrote to memory of 2672	2588	userinit.exe	37
PID 2588 wrote to memory of 2672	2588	userinit.exe	37
PID 2588 wrote to memory of 2672	2588	userinit.exe	37
PID 2588 wrote to memory of 2672	2588	userinit.exe	37
PID 2588 wrote to memory of 780	2588	userinit.exe	38
PID 2588 wrote to memory of 780	2588	userinit.exe	38
PID 2588 wrote to memory of 780	2588	userinit.exe	38
PID 2588 wrote to memory of 780	2588	userinit.exe	38
PID 2588 wrote to memory of 824	2588	userinit.exe	39
PID 2588 wrote to memory of 824	2588	userinit.exe	39
PID 2588 wrote to memory of 824	2588	userinit.exe	39
PID 2588 wrote to memory of 824	2588	userinit.exe	39
PID 2588 wrote to memory of 2448	2588	userinit.exe	40
PID 2588 wrote to memory of 2448	2588	userinit.exe	40
PID 2588 wrote to memory of 2448	2588	userinit.exe	40
PID 2588 wrote to memory of 2448	2588	userinit.exe	40
PID 2588 wrote to memory of 648	2588	userinit.exe	41
PID 2588 wrote to memory of 648	2588	userinit.exe	41
PID 2588 wrote to memory of 648	2588	userinit.exe	41
PID 2588 wrote to memory of 648	2588	userinit.exe	41
PID 2588 wrote to memory of 2096	2588	userinit.exe	42
PID 2588 wrote to memory of 2096	2588	userinit.exe	42
PID 2588 wrote to memory of 2096	2588	userinit.exe	42
PID 2588 wrote to memory of 2096	2588	userinit.exe	42
PID 2588 wrote to memory of 2748	2588	userinit.exe	43

C:\Users\Admin\AppData\Local\Temp\c8a7b930072f7ca7d8e7df988e03d951.exe
"C:\Users\Admin\AppData\Local\Temp\c8a7b930072f7ca7d8e7df988e03d951.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32 C:\Windows\system32\MSWINSCK.OCX /s
    3⤵
    - Loads dropped DLL
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2612
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2568
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
19514e83ff7b391e5d6a3876a4aa535b

SHA1
de2c08563550d331049de540ddd931c0e88e30c1

SHA256
f330826e0a60474a6f2cf1095b45fc05845d01845ab5bfb282e10750ec270abf

SHA512
2c8c825f60cceac36027968081f7a9f84ee2260a6559d507855e8fa0629c368737d71c700b5a09c049f2f74443495b435517f54dba3ace0176e80eacfa0cb32b

Download Submit
C:\Windows\SysWOW64\system.exe

Filesize
462KB

MD5
12d28996bff9c5be93740f938792b24e

SHA1
c298be7ed0c82b7ba3df67eaa74f771c696f508a

SHA256
3da53eeb0d278bae24ac0c04391f863a50de922767134f51b87fb173eb87ef42

SHA512
460f939e27e4ae0b5fe00d4c9dfe5d4fed8e7f0ef1790132dcbdcf349306925a2f786dea3c7a744fb04c4bed9aed3b0e4994638755c0f5dda790abccdb069074

Download Submit
C:\Windows\userinit.exe

Filesize
684KB

MD5
c8a7b930072f7ca7d8e7df988e03d951

SHA1
a5ce715a12de27c714ae81ed9c31cb24e037832f

SHA256
55982ee9b3225fedb2c2ffed0884da1f4c99443bfd94402f2097f98ebc0c18c6

SHA512
40126527ead3d5a0966c457e5f33566a0a208112b2fb1ac1187f36ff25fdbd67a945a6726bf7a9caa970f19c8f04ae072c804c529c0351da196eeda8c0bd8608

Download Submit
memory/272-273-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/272-272-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/612-201-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/780-126-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/824-138-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1160-292-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1324-262-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1980-312-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/1980-310-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2000-249-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2020-302-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2056-81-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2056-83-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2096-176-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2276-2-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2276-12-0x0000000003860000-0x000000000390B000-memory.dmp

Filesize
684KB

Download
memory/2276-20-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2300-322-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2408-71-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2448-151-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2540-48-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2548-60-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2588-329-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-258-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-171-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-185-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-184-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-337-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-198-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-34-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-210-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-209-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-222-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-234-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-39-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-160-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-245-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-247-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-158-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-318-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-257-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-146-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-269-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-270-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-147-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-134-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-279-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-280-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-289-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-290-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-330-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-299-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-298-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-172-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-308-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-56-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-232-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2588-317-0x0000000003890000-0x000000000393B000-memory.dmp

Filesize
684KB

Download
memory/2620-36-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2676-94-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2728-105-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2748-189-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2952-332-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3036-237-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download