64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 04:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
Size

236KB
MD5

33528e5530075c5fb0ef687a1df324c4
SHA1

45facc2de2970cc8c511956ae4ff904eb41b5f73
SHA256

64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d
SHA512

cee66a505b1d8548f0d250c13783f2fcfcc2df01a54f3cca13be812e19b2869a307ddfada16ac3bfc5b12c63eeac58d36f8ed0a2da87756548143e484fd49f90
SSDEEP

1536:tf1zwQVggBBFJju8E+lDqxABWMkQw1bB45pjf1zwQVgvFL5+:91zwLQBFJju8E+OA5kQwM5pL1zwLvF

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
3068	userinit.exe
1280	system.exe
2560	system.exe
1952	system.exe
3796	system.exe
3784	system.exe
232	system.exe
2096	system.exe
3332	system.exe
5108	system.exe
3780	system.exe
1440	system.exe
2744	system.exe
4112	system.exe
3548	system.exe
4424	system.exe
4648	system.exe
2548	system.exe
628	system.exe
1016	system.exe
2180	system.exe
1520	system.exe
4908	system.exe
1412	system.exe
2044	system.exe
1804	system.exe
632	system.exe
3300	system.exe
2280	system.exe
4056	system.exe
5024	system.exe
4792	system.exe
4416	system.exe
4996	system.exe
2728	system.exe
4764	system.exe
1224	system.exe
4656	system.exe
3020	system.exe
436	system.exe
4040	system.exe
4976	system.exe
2740	system.exe
1980	system.exe
1808	system.exe
1196	system.exe
2124	system.exe
1104	system.exe
4860	system.exe
3940	system.exe
3948	system.exe
4628	system.exe
4652	system.exe
2744	system.exe
220	system.exe
3296	system.exe
1456	system.exe
916	system.exe
628	system.exe
2116	system.exe
4032	system.exe
2336	system.exe
2492	system.exe
1080	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
3068	userinit.exe
3068	userinit.exe
3068	userinit.exe
3068	userinit.exe
1280	system.exe
1280	system.exe
3068	userinit.exe
3068	userinit.exe
2560	system.exe
2560	system.exe
3068	userinit.exe
3068	userinit.exe
1952	system.exe
1952	system.exe
3068	userinit.exe
3068	userinit.exe
3796	system.exe
3796	system.exe
3068	userinit.exe
3068	userinit.exe
3784	system.exe
3784	system.exe
3068	userinit.exe
3068	userinit.exe
232	system.exe
232	system.exe
3068	userinit.exe
3068	userinit.exe
2096	system.exe
2096	system.exe
3068	userinit.exe
3068	userinit.exe
3332	system.exe
3332	system.exe
3068	userinit.exe
3068	userinit.exe
5108	system.exe
5108	system.exe
3068	userinit.exe
3068	userinit.exe
3780	system.exe
3780	system.exe
3068	userinit.exe
3068	userinit.exe
1440	system.exe
1440	system.exe
3068	userinit.exe
3068	userinit.exe
2744	system.exe
2744	system.exe
3068	userinit.exe
3068	userinit.exe
4112	system.exe
4112	system.exe
3068	userinit.exe
3068	userinit.exe
3548	system.exe
3548	system.exe
3068	userinit.exe
3068	userinit.exe
4424	system.exe
4424	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3068	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
3068	userinit.exe
3068	userinit.exe
1280	system.exe
1280	system.exe
2560	system.exe
2560	system.exe
1952	system.exe
1952	system.exe
3796	system.exe
3796	system.exe
3784	system.exe
3784	system.exe
232	system.exe
232	system.exe
2096	system.exe
2096	system.exe
3332	system.exe
3332	system.exe
5108	system.exe
5108	system.exe
3780	system.exe
3780	system.exe
1440	system.exe
1440	system.exe
2744	system.exe
2744	system.exe
4112	system.exe
4112	system.exe
3548	system.exe
3548	system.exe
4424	system.exe
4424	system.exe
4648	system.exe
4648	system.exe
2548	system.exe
2548	system.exe
628	system.exe
628	system.exe
1016	system.exe
1016	system.exe
2180	system.exe
2180	system.exe
1520	system.exe
1520	system.exe
4908	system.exe
4908	system.exe
1412	system.exe
1412	system.exe
2044	system.exe
2044	system.exe
1804	system.exe
1804	system.exe
632	system.exe
632	system.exe
3300	system.exe
3300	system.exe
2280	system.exe
2280	system.exe
4056	system.exe
4056	system.exe
5024	system.exe
5024	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 3068	864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	83
PID 864 wrote to memory of 3068	864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	83
PID 864 wrote to memory of 3068	864	33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe	83
PID 3068 wrote to memory of 1280	3068	userinit.exe	85
PID 3068 wrote to memory of 1280	3068	userinit.exe	85
PID 3068 wrote to memory of 1280	3068	userinit.exe	85
PID 3068 wrote to memory of 2560	3068	userinit.exe	86
PID 3068 wrote to memory of 2560	3068	userinit.exe	86
PID 3068 wrote to memory of 2560	3068	userinit.exe	86
PID 3068 wrote to memory of 1952	3068	userinit.exe	87
PID 3068 wrote to memory of 1952	3068	userinit.exe	87
PID 3068 wrote to memory of 1952	3068	userinit.exe	87
PID 3068 wrote to memory of 3796	3068	userinit.exe	88
PID 3068 wrote to memory of 3796	3068	userinit.exe	88
PID 3068 wrote to memory of 3796	3068	userinit.exe	88
PID 3068 wrote to memory of 3784	3068	userinit.exe	89
PID 3068 wrote to memory of 3784	3068	userinit.exe	89
PID 3068 wrote to memory of 3784	3068	userinit.exe	89
PID 3068 wrote to memory of 232	3068	userinit.exe	90
PID 3068 wrote to memory of 232	3068	userinit.exe	90
PID 3068 wrote to memory of 232	3068	userinit.exe	90
PID 3068 wrote to memory of 2096	3068	userinit.exe	91
PID 3068 wrote to memory of 2096	3068	userinit.exe	91
PID 3068 wrote to memory of 2096	3068	userinit.exe	91
PID 3068 wrote to memory of 3332	3068	userinit.exe	92
PID 3068 wrote to memory of 3332	3068	userinit.exe	92
PID 3068 wrote to memory of 3332	3068	userinit.exe	92
PID 3068 wrote to memory of 5108	3068	userinit.exe	93
PID 3068 wrote to memory of 5108	3068	userinit.exe	93
PID 3068 wrote to memory of 5108	3068	userinit.exe	93
PID 3068 wrote to memory of 3780	3068	userinit.exe	94
PID 3068 wrote to memory of 3780	3068	userinit.exe	94
PID 3068 wrote to memory of 3780	3068	userinit.exe	94
PID 3068 wrote to memory of 1440	3068	userinit.exe	95
PID 3068 wrote to memory of 1440	3068	userinit.exe	95
PID 3068 wrote to memory of 1440	3068	userinit.exe	95
PID 3068 wrote to memory of 2744	3068	userinit.exe	96
PID 3068 wrote to memory of 2744	3068	userinit.exe	96
PID 3068 wrote to memory of 2744	3068	userinit.exe	96
PID 3068 wrote to memory of 4112	3068	userinit.exe	97
PID 3068 wrote to memory of 4112	3068	userinit.exe	97
PID 3068 wrote to memory of 4112	3068	userinit.exe	97
PID 3068 wrote to memory of 3548	3068	userinit.exe	98
PID 3068 wrote to memory of 3548	3068	userinit.exe	98
PID 3068 wrote to memory of 3548	3068	userinit.exe	98
PID 3068 wrote to memory of 4424	3068	userinit.exe	99
PID 3068 wrote to memory of 4424	3068	userinit.exe	99
PID 3068 wrote to memory of 4424	3068	userinit.exe	99
PID 3068 wrote to memory of 4648	3068	userinit.exe	100
PID 3068 wrote to memory of 4648	3068	userinit.exe	100
PID 3068 wrote to memory of 4648	3068	userinit.exe	100
PID 3068 wrote to memory of 2548	3068	userinit.exe	101
PID 3068 wrote to memory of 2548	3068	userinit.exe	101
PID 3068 wrote to memory of 2548	3068	userinit.exe	101
PID 3068 wrote to memory of 628	3068	userinit.exe	102
PID 3068 wrote to memory of 628	3068	userinit.exe	102
PID 3068 wrote to memory of 628	3068	userinit.exe	102
PID 3068 wrote to memory of 1016	3068	userinit.exe	103
PID 3068 wrote to memory of 1016	3068	userinit.exe	103
PID 3068 wrote to memory of 1016	3068	userinit.exe	103
PID 3068 wrote to memory of 2180	3068	userinit.exe	104
PID 3068 wrote to memory of 2180	3068	userinit.exe	104
PID 3068 wrote to memory of 2180	3068	userinit.exe	104
PID 3068 wrote to memory of 1520	3068	userinit.exe	105

C:\Users\Admin\AppData\Local\Temp\33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\33528e5530075c5fb0ef687a1df324c4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:864
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:232
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2180
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3020
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4860
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3296
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2336
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:60
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2268
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4208
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3188
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1240
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4480
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:388
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
236KB

MD5
33528e5530075c5fb0ef687a1df324c4

SHA1
45facc2de2970cc8c511956ae4ff904eb41b5f73

SHA256
64a46dd54740fb463dc7b254e80b809cffe96fa2244f41ed890bb5bbfb40bc1d

SHA512
cee66a505b1d8548f0d250c13783f2fcfcc2df01a54f3cca13be812e19b2869a307ddfada16ac3bfc5b12c63eeac58d36f8ed0a2da87756548143e484fd49f90

Download Submit
memory/60-389-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/220-289-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/232-50-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/388-336-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/436-214-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-110-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/628-309-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/632-150-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/668-438-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/864-14-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/864-0-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/916-304-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/936-426-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1008-414-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1016-115-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1080-332-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1104-254-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1164-450-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1196-244-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1224-199-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1252-465-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1280-24-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1288-454-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1412-135-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1440-75-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1456-299-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1520-125-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1560-461-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1700-377-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-344-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1804-145-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1808-239-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1824-418-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1880-398-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-422-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1952-35-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1980-234-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2044-140-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2096-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2116-314-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2124-249-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2180-120-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2280-159-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2280-358-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2336-324-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2492-328-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2544-406-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2548-105-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2560-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2560-26-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2728-189-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2740-434-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2740-229-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2744-80-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/2744-284-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3020-209-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3044-385-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3068-394-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3120-369-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3168-340-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3296-294-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3332-60-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3548-90-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3560-365-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3572-446-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3680-442-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3772-373-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3780-70-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3784-45-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3796-40-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3876-430-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3940-264-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/3948-269-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4032-319-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4040-219-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4056-164-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4112-85-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4384-381-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4416-179-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4424-95-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4436-393-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4616-348-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4628-274-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4648-100-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4652-279-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4656-204-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4660-402-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4764-194-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4792-174-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4860-259-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4908-130-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4952-410-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4976-224-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4996-184-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5024-169-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/5108-65-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download