64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
10-07-2024 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
Size

236KB
MD5

33528e5530075c5fb0ef687a1df324c4
SHA1

45facc2de2970cc8c511956ae4ff904eb41b5f73
SHA256

64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d
SHA512

cee66a505b1d8548f0d250c13783f2fcfcc2df01a54f3cca13be812e19b2869a307ddfada16ac3bfc5b12c63eeac58d36f8ed0a2da87756548143e484fd49f90
SSDEEP

1536:tf1zwQVggBBFJju8E+lDqxABWMkQw1bB45pjf1zwQVgvFL5+:91zwLQBFJju8E+OA5kQwM5pL1zwLvF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2232	userinit.exe
2360	system.exe
2744	system.exe
2800	system.exe
2716	system.exe
2628	system.exe
2676	system.exe
1072	system.exe
2836	system.exe
1600	system.exe
2136	system.exe
1528	system.exe
1752	system.exe
2988	system.exe
1920	system.exe
2364	system.exe
1036	system.exe
708	system.exe
804	system.exe
2852	system.exe
1120	system.exe
2392	system.exe
2924	system.exe
2512	system.exe
2432	system.exe
2288	system.exe
2448	system.exe
2108	system.exe
2576	system.exe
1032	system.exe
2812	system.exe
2732	system.exe
2892	system.exe
2640	system.exe
2600	system.exe
1996	system.exe
2504	system.exe
2860	system.exe
2848	system.exe
1860	system.exe
2160	system.exe
1972	system.exe
2944	system.exe
2444	system.exe
1168	system.exe
1676	system.exe
2652	system.exe
844	system.exe
344	system.exe
484	system.exe
916	system.exe
596	system.exe
1156	system.exe
1492	system.exe
1360	system.exe
1684	system.exe
1928	system.exe
2168	system.exe
3016	system.exe
2556	system.exe
2816	system.exe
2880	system.exe
2192	system.exe
2772	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe
2232	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
2232	userinit.exe
2232	userinit.exe
2360	system.exe
2232	userinit.exe
2744	system.exe
2232	userinit.exe
2800	system.exe
2232	userinit.exe
2716	system.exe
2232	userinit.exe
2628	system.exe
2232	userinit.exe
2676	system.exe
2232	userinit.exe
1072	system.exe
2232	userinit.exe
2836	system.exe
2232	userinit.exe
1600	system.exe
2232	userinit.exe
2136	system.exe
2232	userinit.exe
1528	system.exe
2232	userinit.exe
1752	system.exe
2232	userinit.exe
2988	system.exe
2232	userinit.exe
1920	system.exe
2232	userinit.exe
2364	system.exe
2232	userinit.exe
1036	system.exe
2232	userinit.exe
708	system.exe
2232	userinit.exe
804	system.exe
2232	userinit.exe
2852	system.exe
2232	userinit.exe
1120	system.exe
2232	userinit.exe
2392	system.exe
2232	userinit.exe
2924	system.exe
2232	userinit.exe
2512	system.exe
2232	userinit.exe
2432	system.exe
2232	userinit.exe
2288	system.exe
2232	userinit.exe
2448	system.exe
2232	userinit.exe
2108	system.exe
2232	userinit.exe
2576	system.exe
2232	userinit.exe
1032	system.exe
2232	userinit.exe
2812	system.exe
2232	userinit.exe
2732	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2232	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
2232	userinit.exe
2232	userinit.exe
2360	system.exe
2360	system.exe
2744	system.exe
2744	system.exe
2800	system.exe
2800	system.exe
2716	system.exe
2716	system.exe
2628	system.exe
2628	system.exe
2676	system.exe
2676	system.exe
1072	system.exe
1072	system.exe
2836	system.exe
2836	system.exe
1600	system.exe
1600	system.exe
2136	system.exe
2136	system.exe
1528	system.exe
1528	system.exe
1752	system.exe
1752	system.exe
2988	system.exe
2988	system.exe
1920	system.exe
1920	system.exe
2364	system.exe
2364	system.exe
1036	system.exe
1036	system.exe
708	system.exe
708	system.exe
804	system.exe
804	system.exe
2852	system.exe
2852	system.exe
1120	system.exe
1120	system.exe
2392	system.exe
2392	system.exe
2924	system.exe
2924	system.exe
2512	system.exe
2512	system.exe
2432	system.exe
2432	system.exe
2288	system.exe
2288	system.exe
2448	system.exe
2448	system.exe
2108	system.exe
2108	system.exe
2576	system.exe
2576	system.exe
1032	system.exe
1032	system.exe
2812	system.exe
2812	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 2232	1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	30
PID 1380 wrote to memory of 2232	1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	30
PID 1380 wrote to memory of 2232	1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	30
PID 1380 wrote to memory of 2232	1380	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2360	2232	userinit.exe	31
PID 2232 wrote to memory of 2360	2232	userinit.exe	31
PID 2232 wrote to memory of 2360	2232	userinit.exe	31
PID 2232 wrote to memory of 2360	2232	userinit.exe	31
PID 2232 wrote to memory of 2744	2232	userinit.exe	32
PID 2232 wrote to memory of 2744	2232	userinit.exe	32
PID 2232 wrote to memory of 2744	2232	userinit.exe	32
PID 2232 wrote to memory of 2744	2232	userinit.exe	32
PID 2232 wrote to memory of 2800	2232	userinit.exe	33
PID 2232 wrote to memory of 2800	2232	userinit.exe	33
PID 2232 wrote to memory of 2800	2232	userinit.exe	33
PID 2232 wrote to memory of 2800	2232	userinit.exe	33
PID 2232 wrote to memory of 2716	2232	userinit.exe	34
PID 2232 wrote to memory of 2716	2232	userinit.exe	34
PID 2232 wrote to memory of 2716	2232	userinit.exe	34
PID 2232 wrote to memory of 2716	2232	userinit.exe	34
PID 2232 wrote to memory of 2628	2232	userinit.exe	35
PID 2232 wrote to memory of 2628	2232	userinit.exe	35
PID 2232 wrote to memory of 2628	2232	userinit.exe	35
PID 2232 wrote to memory of 2628	2232	userinit.exe	35
PID 2232 wrote to memory of 2676	2232	userinit.exe	37
PID 2232 wrote to memory of 2676	2232	userinit.exe	37
PID 2232 wrote to memory of 2676	2232	userinit.exe	37
PID 2232 wrote to memory of 2676	2232	userinit.exe	37
PID 2232 wrote to memory of 1072	2232	userinit.exe	38
PID 2232 wrote to memory of 1072	2232	userinit.exe	38
PID 2232 wrote to memory of 1072	2232	userinit.exe	38
PID 2232 wrote to memory of 1072	2232	userinit.exe	38
PID 2232 wrote to memory of 2836	2232	userinit.exe	39
PID 2232 wrote to memory of 2836	2232	userinit.exe	39
PID 2232 wrote to memory of 2836	2232	userinit.exe	39
PID 2232 wrote to memory of 2836	2232	userinit.exe	39
PID 2232 wrote to memory of 1600	2232	userinit.exe	40
PID 2232 wrote to memory of 1600	2232	userinit.exe	40
PID 2232 wrote to memory of 1600	2232	userinit.exe	40
PID 2232 wrote to memory of 1600	2232	userinit.exe	40
PID 2232 wrote to memory of 2136	2232	userinit.exe	41
PID 2232 wrote to memory of 2136	2232	userinit.exe	41
PID 2232 wrote to memory of 2136	2232	userinit.exe	41
PID 2232 wrote to memory of 2136	2232	userinit.exe	41
PID 2232 wrote to memory of 1528	2232	userinit.exe	42
PID 2232 wrote to memory of 1528	2232	userinit.exe	42
PID 2232 wrote to memory of 1528	2232	userinit.exe	42
PID 2232 wrote to memory of 1528	2232	userinit.exe	42
PID 2232 wrote to memory of 1752	2232	userinit.exe	43
PID 2232 wrote to memory of 1752	2232	userinit.exe	43
PID 2232 wrote to memory of 1752	2232	userinit.exe	43
PID 2232 wrote to memory of 1752	2232	userinit.exe	43
PID 2232 wrote to memory of 2988	2232	userinit.exe	44
PID 2232 wrote to memory of 2988	2232	userinit.exe	44
PID 2232 wrote to memory of 2988	2232	userinit.exe	44
PID 2232 wrote to memory of 2988	2232	userinit.exe	44
PID 2232 wrote to memory of 1920	2232	userinit.exe	45
PID 2232 wrote to memory of 1920	2232	userinit.exe	45
PID 2232 wrote to memory of 1920	2232	userinit.exe	45
PID 2232 wrote to memory of 1920	2232	userinit.exe	45
PID 2232 wrote to memory of 2364	2232	userinit.exe	46
PID 2232 wrote to memory of 2364	2232	userinit.exe	46
PID 2232 wrote to memory of 2364	2232	userinit.exe	46
PID 2232 wrote to memory of 2364	2232	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2392
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1972
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
236KB

MD5
33528e5530075c5fb0ef687a1df324c4

SHA1
45facc2de2970cc8c511956ae4ff904eb41b5f73

SHA256
64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d

SHA512
cee66a505b1d8548f0d250c13783f2fcfcc2df01a54f3cca13be812e19b2869a307ddfada16ac3bfc5b12c63eeac58d36f8ed0a2da87756548143e484fd49f90

Download Submit
memory/344-510-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/344-511-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/708-218-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/804-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/844-499-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1032-326-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1072-106-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-12-0x0000000002490000-0x00000000024CB000-memory.dmp

Filesize
236KB

Download
memory/1380-13-0x0000000002490000-0x00000000024CB000-memory.dmp

Filesize
236KB

Download
memory/1380-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1380-18-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1528-152-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1600-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1676-480-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1752-163-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1860-421-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1920-186-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1972-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1996-384-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2136-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2160-431-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2232-341-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-451-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-518-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-114-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-25-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-182-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-100-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-508-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-101-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-509-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-31-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-496-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-498-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-487-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-486-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-477-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-479-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-298-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-467-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-317-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-468-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-78-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-324-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-459-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-457-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-342-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-79-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-126-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-449-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-354-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-352-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-361-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-362-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-371-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-370-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-380-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-379-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-55-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-389-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-390-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-398-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-399-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-438-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-410-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-409-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-418-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-437-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-420-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-428-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-53-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2232-430-0x0000000000270000-0x00000000002AB000-memory.dmp

Filesize
236KB

Download
memory/2288-293-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2288-292-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2360-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2364-197-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2392-260-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2432-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2444-462-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2448-302-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2512-276-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2576-318-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2676-93-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2716-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2732-346-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2744-46-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2800-59-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2812-336-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2812-335-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2836-118-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2848-412-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2852-240-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2892-355-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2924-268-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2944-452-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2988-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download