8e9b0ac556f162def50e16041a51df18cec63ba68231a23bcd3e9a3271a4f7ad

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
21/04/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
Size

73KB
MD5

fff741be9ac2a283f109525dcba874e2
SHA1

d11c4cae165dd1fcbe3ed9e0f5b1b882dc01f236
SHA256

8e9b0ac556f162def50e16041a51df18cec63ba68231a23bcd3e9a3271a4f7ad
SHA512

2b8cae474976df48ec1cdcc4395305dedf59f573986b22c650fbf0a0dab2f9d10448e2c3aea06f84abe4957fa8a01d90c3492296de37482d3c61042f6b4534e1
SSDEEP

1536:Q7hNyofWclu6z/GpzeiPazZ41wt0f1zwQVgvB0X:QNVWcpncaAS01zwLvBw

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2012	userinit.exe
2580	system.exe
2628	system.exe
2360	system.exe
552	system.exe
1660	system.exe
2200	system.exe
2060	system.exe
1560	system.exe
2968	system.exe
596	system.exe
1996	system.exe
1640	system.exe
2708	system.exe
2976	system.exe
3016	system.exe
2116	system.exe
2456	system.exe
2516	system.exe
2800	system.exe
572	system.exe
936	system.exe
768	system.exe
2044	system.exe
1436	system.exe
2908	system.exe
1084	system.exe
840	system.exe
1572	system.exe
976	system.exe
2688	system.exe
2816	system.exe
1716	system.exe
1720	system.exe
1732	system.exe
2476	system.exe
2772	system.exe
2100	system.exe
2104	system.exe
1128	system.exe
1452	system.exe
2212	system.exe
1140	system.exe
2052	system.exe
440	system.exe
1808	system.exe
2556	system.exe
1044	system.exe
2064	system.exe
1512	system.exe
2032	system.exe
2000	system.exe
3024	system.exe
2508	system.exe
2348	system.exe
2220	system.exe
1488	system.exe
572	system.exe
804	system.exe
768	system.exe
1468	system.exe
108	system.exe
2968	system.exe
844	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\WINDOWS\SysWOW64\SYSTEM.EXE	userinit.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\USERINIT.EXE	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File opened for modification	C:\WINDOWS\USERINIT.EXE	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2580	system.exe
2580	system.exe
2012	userinit.exe
2628	system.exe
2628	system.exe
2012	userinit.exe
2360	system.exe
2360	system.exe
2012	userinit.exe
552	system.exe
552	system.exe
2012	userinit.exe
1660	system.exe
1660	system.exe
2012	userinit.exe
2200	system.exe
2200	system.exe
2012	userinit.exe
2060	system.exe
2060	system.exe
2012	userinit.exe
1560	system.exe
1560	system.exe
2012	userinit.exe
2968	system.exe
2968	system.exe
2012	userinit.exe
596	system.exe
596	system.exe
2012	userinit.exe
1996	system.exe
1996	system.exe
2012	userinit.exe
1640	system.exe
1640	system.exe
2012	userinit.exe
2708	system.exe
2708	system.exe
2012	userinit.exe
2976	system.exe
2976	system.exe
2012	userinit.exe
2012	userinit.exe
2116	system.exe
2116	system.exe
2012	userinit.exe
2456	system.exe
2456	system.exe
2012	userinit.exe
2516	system.exe
2516	system.exe
2012	userinit.exe
2800	system.exe
2800	system.exe
2012	userinit.exe
572	system.exe
572	system.exe
2012	userinit.exe
936	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2012	userinit.exe

Suspicious behavior: MapViewOfSection 64 IoCs

pid	Process
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2012	userinit.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe
2580	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
Token: SeDebugPrivilege	2012	userinit.exe
Token: SeDebugPrivilege	2580	system.exe
Token: SeDebugPrivilege	2628	system.exe
Token: SeDebugPrivilege	2360	system.exe
Token: SeDebugPrivilege	552	system.exe
Token: SeDebugPrivilege	1660	system.exe
Token: SeDebugPrivilege	2200	system.exe
Token: SeDebugPrivilege	2060	system.exe
Token: SeDebugPrivilege	1560	system.exe
Token: SeDebugPrivilege	2968	system.exe
Token: SeDebugPrivilege	596	system.exe
Token: SeDebugPrivilege	1996	system.exe
Token: SeDebugPrivilege	1640	system.exe
Token: SeDebugPrivilege	2708	system.exe
Token: SeDebugPrivilege	2976	system.exe
Token: SeDebugPrivilege	2116	system.exe
Token: SeDebugPrivilege	2456	system.exe
Token: SeDebugPrivilege	2516	system.exe
Token: SeDebugPrivilege	2800	system.exe
Token: SeDebugPrivilege	572	system.exe
Token: SeDebugPrivilege	936	system.exe
Token: SeDebugPrivilege	768	system.exe
Token: SeDebugPrivilege	2044	system.exe
Token: SeDebugPrivilege	1436	system.exe
Token: SeDebugPrivilege	2908	system.exe
Token: SeDebugPrivilege	1084	system.exe
Token: SeDebugPrivilege	840	system.exe
Token: SeDebugPrivilege	1572	system.exe
Token: SeDebugPrivilege	976	system.exe
Token: SeDebugPrivilege	2688	system.exe
Token: SeDebugPrivilege	2816	system.exe
Token: SeDebugPrivilege	1716	system.exe
Token: SeDebugPrivilege	1720	system.exe
Token: SeDebugPrivilege	1732	system.exe
Token: SeDebugPrivilege	2476	system.exe
Token: SeDebugPrivilege	2772	system.exe
Token: SeDebugPrivilege	2100	system.exe
Token: SeDebugPrivilege	2104	system.exe
Token: SeDebugPrivilege	1128	system.exe
Token: SeDebugPrivilege	1452	system.exe
Token: SeDebugPrivilege	2212	system.exe
Token: SeDebugPrivilege	1140	system.exe
Token: SeDebugPrivilege	2052	system.exe
Token: SeDebugPrivilege	440	system.exe
Token: SeDebugPrivilege	1808	system.exe
Token: SeDebugPrivilege	2556	system.exe
Token: SeDebugPrivilege	1044	system.exe
Token: SeDebugPrivilege	2064	system.exe
Token: SeDebugPrivilege	1512	system.exe
Token: SeDebugPrivilege	2032	system.exe
Token: SeDebugPrivilege	2000	system.exe
Token: SeDebugPrivilege	3024	system.exe
Token: SeDebugPrivilege	2508	system.exe
Token: SeDebugPrivilege	2348	system.exe
Token: SeDebugPrivilege	2220	system.exe
Token: SeDebugPrivilege	1488	system.exe
Token: SeDebugPrivilege	572	system.exe
Token: SeDebugPrivilege	804	system.exe
Token: SeDebugPrivilege	768	system.exe
Token: SeDebugPrivilege	1468	system.exe
Token: SeDebugPrivilege	108	system.exe
Token: SeDebugPrivilege	2968	system.exe
Token: SeDebugPrivilege	844	system.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
2012	userinit.exe
2012	userinit.exe
2580	system.exe
2580	system.exe
2628	system.exe
2628	system.exe
2360	system.exe
2360	system.exe
552	system.exe
552	system.exe
1660	system.exe
1660	system.exe
2200	system.exe
2200	system.exe
2060	system.exe
2060	system.exe
1560	system.exe
1560	system.exe
2968	system.exe
2968	system.exe
596	system.exe
596	system.exe
1996	system.exe
1996	system.exe
1640	system.exe
1640	system.exe
2708	system.exe
2708	system.exe
2976	system.exe
2976	system.exe
2116	system.exe
2116	system.exe
2456	system.exe
2456	system.exe
2516	system.exe
2516	system.exe
2800	system.exe
2800	system.exe
572	system.exe
572	system.exe
936	system.exe
936	system.exe
768	system.exe
768	system.exe
2044	system.exe
2044	system.exe
1436	system.exe
1436	system.exe
2908	system.exe
2908	system.exe
1084	system.exe
1084	system.exe
840	system.exe
840	system.exe
1572	system.exe
1572	system.exe
976	system.exe
976	system.exe
2688	system.exe
2688	system.exe
2816	system.exe
2816	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 372	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	3
PID 1100 wrote to memory of 372	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	3
PID 1100 wrote to memory of 372	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	3
PID 1100 wrote to memory of 388	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	4
PID 1100 wrote to memory of 388	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	4
PID 1100 wrote to memory of 388	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	4
PID 1100 wrote to memory of 424	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	5
PID 1100 wrote to memory of 424	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	5
PID 1100 wrote to memory of 424	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	5
PID 1100 wrote to memory of 468	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	6
PID 1100 wrote to memory of 468	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	6
PID 1100 wrote to memory of 468	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	6
PID 1100 wrote to memory of 484	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	7
PID 1100 wrote to memory of 484	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	7
PID 1100 wrote to memory of 484	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	7
PID 1100 wrote to memory of 492	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	8
PID 1100 wrote to memory of 492	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	8
PID 1100 wrote to memory of 492	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	8
PID 1100 wrote to memory of 604	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	9
PID 1100 wrote to memory of 604	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	9
PID 1100 wrote to memory of 604	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	9
PID 1100 wrote to memory of 680	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	10
PID 1100 wrote to memory of 680	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	10
PID 1100 wrote to memory of 680	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	10
PID 1100 wrote to memory of 756	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	11
PID 1100 wrote to memory of 756	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	11
PID 1100 wrote to memory of 756	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	11
PID 1100 wrote to memory of 820	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	12
PID 1100 wrote to memory of 820	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	12
PID 1100 wrote to memory of 820	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	12
PID 1100 wrote to memory of 860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	13
PID 1100 wrote to memory of 860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	13
PID 1100 wrote to memory of 860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	13
PID 1100 wrote to memory of 1000	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	15
PID 1100 wrote to memory of 1000	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	15
PID 1100 wrote to memory of 1000	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	15
PID 1100 wrote to memory of 304	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	16
PID 1100 wrote to memory of 304	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	16
PID 1100 wrote to memory of 304	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	16
PID 1100 wrote to memory of 460	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	17
PID 1100 wrote to memory of 460	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	17
PID 1100 wrote to memory of 460	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	17
PID 1100 wrote to memory of 1052	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	18
PID 1100 wrote to memory of 1052	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	18
PID 1100 wrote to memory of 1052	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	18
PID 1100 wrote to memory of 1204	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	19
PID 1100 wrote to memory of 1204	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	19
PID 1100 wrote to memory of 1204	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	19
PID 1100 wrote to memory of 1300	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	20
PID 1100 wrote to memory of 1300	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	20
PID 1100 wrote to memory of 1300	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	20
PID 1100 wrote to memory of 1352	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	21
PID 1100 wrote to memory of 1352	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	21
PID 1100 wrote to memory of 1352	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	21
PID 1100 wrote to memory of 2096	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	23
PID 1100 wrote to memory of 2096	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	23
PID 1100 wrote to memory of 2096	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	23
PID 1100 wrote to memory of 2860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	24
PID 1100 wrote to memory of 2860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	24
PID 1100 wrote to memory of 2860	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	24
PID 1100 wrote to memory of 3044	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	25
PID 1100 wrote to memory of 3044	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	25
PID 1100 wrote to memory of 3044	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	25
PID 1100 wrote to memory of 3016	1100	fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe	26

C:\Windows\system32\wininit.exe
wininit.exe
1⤵
PID:372
- C:\Windows\system32\services.exe
  C:\Windows\system32\services.exe
  2⤵
  PID:468
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch
    3⤵
    PID:604
  - - C:\Windows\system32\DllHost.exe
      C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
      4⤵
      PID:2096
  - - C:\Windows\system32\wbem\wmiprvse.exe
      C:\Windows\system32\wbem\wmiprvse.exe -Embedding
      4⤵
      PID:2452
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k RPCSS
    3⤵
    PID:680
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    3⤵
    PID:756
- - C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    3⤵
    PID:820
  - - C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      4⤵
      PID:1300
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs
    3⤵
    PID:860
  - - C:\Windows\system32\wbem\WMIADAP.EXE
      wmiadap.exe /F /T /R
      4⤵
      PID:2580
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService
    3⤵
    PID:1000
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k NetworkService
    3⤵
    PID:304
- - C:\Windows\System32\spoolsv.exe
    C:\Windows\System32\spoolsv.exe
    3⤵
    PID:460
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
    3⤵
    PID:1052
- - C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    3⤵
    PID:1204
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    3⤵
    PID:2860
- - C:\Windows\system32\sppsvc.exe
    C:\Windows\system32\sppsvc.exe
    3⤵
    PID:3044
- C:\Windows\system32\lsass.exe
  C:\Windows\system32\lsass.exe
  2⤵
  PID:484
- C:\Windows\system32\lsm.exe
  C:\Windows\system32\lsm.exe
  2⤵
  PID:492

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:388

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1352
- C:\Users\Admin\AppData\Local\Temp\fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\fff741be9ac2a283f109525dcba874e2_JaffaCakes118.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\userinit.exe
    C:\Windows\userinit.exe
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2012
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2628
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2360
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1660
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2200
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2060
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1560
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1996
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1640
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2708
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      PID:3016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2116
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2456
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2516
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2800
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:936
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:768
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2044
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2908
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1084
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2688
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2816
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2476
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2772
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2100
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2104
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1128
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1452
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2212
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1140
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2052
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:440
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1808
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2556
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1044
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2064
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1512
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2032
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2000
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2508
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2348
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2220
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1488
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:804
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1468
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:108
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2968
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:844
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:3028
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1728
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2616
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2468
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2764
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1256
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1316
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2324
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1924
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1140
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2040
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2004
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2128
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:904
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2748
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2884
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:872
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2272
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2436
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2612
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2628
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2400
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:764
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1828
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1624
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2672
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1520
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1988
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1572
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1484
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1144
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2256
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2632
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2588
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:920
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:944
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1544
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2644
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2908
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:596
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2420
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2880
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1736
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2088

C:\Users\Admin\AppData\Local\Temp\3465683314\zmstage.exe
C:\Users\Admin\AppData\Local\Temp\3465683314\zmstage.exe
1⤵
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
73KB

MD5
fff741be9ac2a283f109525dcba874e2

SHA1
d11c4cae165dd1fcbe3ed9e0f5b1b882dc01f236

SHA256
8e9b0ac556f162def50e16041a51df18cec63ba68231a23bcd3e9a3271a4f7ad

SHA512
2b8cae474976df48ec1cdcc4395305dedf59f573986b22c650fbf0a0dab2f9d10448e2c3aea06f84abe4957fa8a01d90c3492296de37482d3c61042f6b4534e1

Download Submit
memory/440-865-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/552-119-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/572-447-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/596-240-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/840-569-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/976-604-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1100-24-0x00000000003A0000-0x00000000003D9000-memory.dmp

Filesize
228KB

Download
memory/1100-1-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/1100-32-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/1100-30-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/1100-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1100-3-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1100-31-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1100-2-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/1436-515-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1488-1066-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1560-201-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1560-195-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1640-278-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1660-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/1660-135-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/1996-258-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-223-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-304-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-25-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2012-120-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-121-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-101-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-982-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-139-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-141-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-159-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-41-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-160-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-173-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-835-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-180-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-181-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-82-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2012-200-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-81-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-202-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-203-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-677-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-534-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-222-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-73-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-241-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-79-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-242-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-256-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-400-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-262-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-263-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-277-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-385-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-283-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-284-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-298-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-102-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-303-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-383-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-382-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-322-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-323-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-367-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-365-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-356-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2012-357-0x00000000005B0000-0x00000000005E9000-memory.dmp

Filesize
228KB

Download
memory/2012-358-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2012-359-0x0000000077700000-0x0000000077701000-memory.dmp

Filesize
4KB

Download
memory/2012-364-0x00000000776FF000-0x0000000077700000-memory.dmp

Filesize
4KB

Download
memory/2032-966-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2060-175-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2116-363-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2200-158-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-100-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2360-96-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2456-387-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2476-709-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2516-406-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2580-55-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2580-54-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2628-75-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2628-80-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2628-74-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2688-622-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2708-302-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2772-726-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2800-426-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2968-217-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2968-221-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2976-318-0x0000000000030000-0x0000000000033000-memory.dmp

Filesize
12KB

Download
memory/2976-324-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3016-338-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download