a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
Size

428KB
MD5

481fa29327f38adb2545429e7751ed7a
SHA1

3fd07c2d0243eff077bf00916c440945a81d3461
SHA256

a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9
SHA512

69dd6c476951db834a1e229fac3d6f49f012b375fd5f046c57a90ce38f279356ac398b8397b92401af441f3b183f11356e7e3cf461656945b206daf064f94ca9
SSDEEP

3072:V1zwLll0u6EJdCqk+7gpf1zwLv2N+eG15R7HM:V1zEl3cqkDpf1zGeG15FHM

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2696	userinit.exe
4776	system.exe
2252	system.exe
1896	system.exe
2028	system.exe
4856	system.exe
5076	system.exe
4304	system.exe
1512	system.exe
2988	system.exe
1592	system.exe
4252	system.exe
656	system.exe
3004	system.exe
536	system.exe
1284	system.exe
780	system.exe
4148	system.exe
2276	system.exe
3488	system.exe
2588	system.exe
2632	system.exe
2416	system.exe
3836	system.exe
1168	system.exe
2112	system.exe
3308	system.exe
1352	system.exe
2708	system.exe
2104	system.exe
2868	system.exe
4516	system.exe
3800	system.exe
4556	system.exe
2144	system.exe
3528	system.exe
5044	system.exe
4640	system.exe
1812	system.exe
2852	system.exe
1960	system.exe
1016	system.exe
4184	system.exe
1636	system.exe
772	system.exe
1176	system.exe
2980	system.exe
1376	system.exe
632	system.exe
4908	system.exe
1780	system.exe
784	system.exe
1776	system.exe
2976	system.exe
4504	system.exe
1648	system.exe
1980	system.exe
1692	system.exe
2176	system.exe
3420	system.exe
5064	system.exe
3992	system.exe
2952	system.exe
2868	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kdcoms.dll	userinit.exe
File created	C:\Windows\userinit.exe	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
2696	userinit.exe
2696	userinit.exe
2696	userinit.exe
2696	userinit.exe
4776	system.exe
4776	system.exe
2696	userinit.exe
2696	userinit.exe
2252	system.exe
2252	system.exe
2696	userinit.exe
2696	userinit.exe
1896	system.exe
1896	system.exe
2696	userinit.exe
2696	userinit.exe
2028	system.exe
2028	system.exe
2696	userinit.exe
2696	userinit.exe
4856	system.exe
4856	system.exe
2696	userinit.exe
2696	userinit.exe
5076	system.exe
5076	system.exe
2696	userinit.exe
2696	userinit.exe
4304	system.exe
4304	system.exe
2696	userinit.exe
2696	userinit.exe
1512	system.exe
1512	system.exe
2696	userinit.exe
2696	userinit.exe
2988	system.exe
2988	system.exe
2696	userinit.exe
2696	userinit.exe
1592	system.exe
1592	system.exe
2696	userinit.exe
2696	userinit.exe
4252	system.exe
4252	system.exe
2696	userinit.exe
2696	userinit.exe
656	system.exe
656	system.exe
2696	userinit.exe
2696	userinit.exe
3004	system.exe
3004	system.exe
2696	userinit.exe
2696	userinit.exe
536	system.exe
536	system.exe
2696	userinit.exe
2696	userinit.exe
1284	system.exe
1284	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2696	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
2696	userinit.exe
2696	userinit.exe
4776	system.exe
4776	system.exe
2252	system.exe
2252	system.exe
1896	system.exe
1896	system.exe
2028	system.exe
2028	system.exe
4856	system.exe
4856	system.exe
5076	system.exe
5076	system.exe
4304	system.exe
4304	system.exe
1512	system.exe
1512	system.exe
2988	system.exe
2988	system.exe
1592	system.exe
1592	system.exe
4252	system.exe
4252	system.exe
656	system.exe
656	system.exe
3004	system.exe
3004	system.exe
536	system.exe
536	system.exe
1284	system.exe
1284	system.exe
780	system.exe
780	system.exe
4148	system.exe
4148	system.exe
2276	system.exe
2276	system.exe
3488	system.exe
3488	system.exe
2588	system.exe
2588	system.exe
2632	system.exe
2632	system.exe
2416	system.exe
2416	system.exe
3836	system.exe
3836	system.exe
1168	system.exe
1168	system.exe
2112	system.exe
2112	system.exe
3308	system.exe
3308	system.exe
1352	system.exe
1352	system.exe
2708	system.exe
2708	system.exe
2104	system.exe
2104	system.exe
2868	system.exe
2868	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2696	1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	85
PID 1072 wrote to memory of 2696	1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	85
PID 1072 wrote to memory of 2696	1072	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	85
PID 2696 wrote to memory of 4776	2696	userinit.exe	87
PID 2696 wrote to memory of 4776	2696	userinit.exe	87
PID 2696 wrote to memory of 4776	2696	userinit.exe	87
PID 2696 wrote to memory of 2252	2696	userinit.exe	88
PID 2696 wrote to memory of 2252	2696	userinit.exe	88
PID 2696 wrote to memory of 2252	2696	userinit.exe	88
PID 2696 wrote to memory of 1896	2696	userinit.exe	89
PID 2696 wrote to memory of 1896	2696	userinit.exe	89
PID 2696 wrote to memory of 1896	2696	userinit.exe	89
PID 2696 wrote to memory of 2028	2696	userinit.exe	90
PID 2696 wrote to memory of 2028	2696	userinit.exe	90
PID 2696 wrote to memory of 2028	2696	userinit.exe	90
PID 2696 wrote to memory of 4856	2696	userinit.exe	91
PID 2696 wrote to memory of 4856	2696	userinit.exe	91
PID 2696 wrote to memory of 4856	2696	userinit.exe	91
PID 2696 wrote to memory of 5076	2696	userinit.exe	92
PID 2696 wrote to memory of 5076	2696	userinit.exe	92
PID 2696 wrote to memory of 5076	2696	userinit.exe	92
PID 2696 wrote to memory of 4304	2696	userinit.exe	93
PID 2696 wrote to memory of 4304	2696	userinit.exe	93
PID 2696 wrote to memory of 4304	2696	userinit.exe	93
PID 2696 wrote to memory of 1512	2696	userinit.exe	94
PID 2696 wrote to memory of 1512	2696	userinit.exe	94
PID 2696 wrote to memory of 1512	2696	userinit.exe	94
PID 2696 wrote to memory of 2988	2696	userinit.exe	95
PID 2696 wrote to memory of 2988	2696	userinit.exe	95
PID 2696 wrote to memory of 2988	2696	userinit.exe	95
PID 2696 wrote to memory of 1592	2696	userinit.exe	96
PID 2696 wrote to memory of 1592	2696	userinit.exe	96
PID 2696 wrote to memory of 1592	2696	userinit.exe	96
PID 2696 wrote to memory of 4252	2696	userinit.exe	97
PID 2696 wrote to memory of 4252	2696	userinit.exe	97
PID 2696 wrote to memory of 4252	2696	userinit.exe	97
PID 2696 wrote to memory of 656	2696	userinit.exe	98
PID 2696 wrote to memory of 656	2696	userinit.exe	98
PID 2696 wrote to memory of 656	2696	userinit.exe	98
PID 2696 wrote to memory of 3004	2696	userinit.exe	99
PID 2696 wrote to memory of 3004	2696	userinit.exe	99
PID 2696 wrote to memory of 3004	2696	userinit.exe	99
PID 2696 wrote to memory of 536	2696	userinit.exe	100
PID 2696 wrote to memory of 536	2696	userinit.exe	100
PID 2696 wrote to memory of 536	2696	userinit.exe	100
PID 2696 wrote to memory of 1284	2696	userinit.exe	101
PID 2696 wrote to memory of 1284	2696	userinit.exe	101
PID 2696 wrote to memory of 1284	2696	userinit.exe	101
PID 2696 wrote to memory of 780	2696	userinit.exe	102
PID 2696 wrote to memory of 780	2696	userinit.exe	102
PID 2696 wrote to memory of 780	2696	userinit.exe	102
PID 2696 wrote to memory of 4148	2696	userinit.exe	103
PID 2696 wrote to memory of 4148	2696	userinit.exe	103
PID 2696 wrote to memory of 4148	2696	userinit.exe	103
PID 2696 wrote to memory of 2276	2696	userinit.exe	104
PID 2696 wrote to memory of 2276	2696	userinit.exe	104
PID 2696 wrote to memory of 2276	2696	userinit.exe	104
PID 2696 wrote to memory of 3488	2696	userinit.exe	105
PID 2696 wrote to memory of 3488	2696	userinit.exe	105
PID 2696 wrote to memory of 3488	2696	userinit.exe	105
PID 2696 wrote to memory of 2588	2696	userinit.exe	106
PID 2696 wrote to memory of 2588	2696	userinit.exe	106
PID 2696 wrote to memory of 2588	2696	userinit.exe	106
PID 2696 wrote to memory of 2632	2696	userinit.exe	107

C:\Users\Admin\AppData\Local\Temp\481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4304
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3004
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:536
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2104
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3528
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5044
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4184
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1376
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1780
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5064
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2192
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3080
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4168
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4504
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1656
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4016
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4648
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2772
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1700
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2828
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3132
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2092
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3280
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4796
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
428KB

MD5
481fa29327f38adb2545429e7751ed7a

SHA1
3fd07c2d0243eff077bf00916c440945a81d3461

SHA256
a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9

SHA512
69dd6c476951db834a1e229fac3d6f49f012b375fd5f046c57a90ce38f279356ac398b8397b92401af441f3b183f11356e7e3cf461656945b206daf064f94ca9

Download Submit
memory/244-385-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/536-90-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/632-260-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/656-80-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/772-240-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/780-100-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/784-275-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1016-225-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1072-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1072-0-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1140-366-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1152-414-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1168-140-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1176-245-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1284-95-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1352-155-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1376-255-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1468-406-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1512-60-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1592-70-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1636-235-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1648-295-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1692-305-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1776-280-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1780-270-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1784-418-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-362-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1812-210-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1896-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1960-220-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1980-300-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2028-40-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2088-434-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2096-410-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2104-165-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2112-145-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2144-190-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2176-310-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2192-350-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2252-30-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2276-110-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2328-422-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2416-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2588-120-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2596-442-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2632-125-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2660-374-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2696-10-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2696-394-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2708-160-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2748-358-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2784-450-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2852-215-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-170-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2868-333-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2924-338-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-346-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2952-329-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2960-402-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-285-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2980-250-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2988-65-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3004-85-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3080-370-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3148-381-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3284-337-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3308-150-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3420-315-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3488-115-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3528-195-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3800-342-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3800-180-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3836-135-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/3992-325-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4148-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4184-230-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4252-75-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4284-389-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4300-398-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4304-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4344-354-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4464-438-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4504-290-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4516-175-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4556-185-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4636-446-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4640-205-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4720-426-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4776-25-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4824-430-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4856-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/4908-265-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5044-200-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5056-393-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5064-320-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/5076-50-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download