db9c35d6088d016516c3e22c016ca53f066602614e687d4916c2548783329f66

Analysis

max time kernel
150s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01/07/2024, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
Size

529KB
MD5

1c3f1486a45a7ec2d748c31f7ff8d9d4
SHA1

c27b99d27d5d4d9e0dd9bb7b216f8f2c26e70e87
SHA256

db9c35d6088d016516c3e22c016ca53f066602614e687d4916c2548783329f66
SHA512

78a0c197023bcaa1bbd8336b24445191c3ac18b09504f11c55778c173470e5570cfe0f6911827b3d7fe1ad7612c3051f4853d1460349c2af064573e085eafc67
SSDEEP

6144:I1zPRFEkKpJ1zE4ZDTUSx6dp8hGuK4QfhrrNX8XKfVMddB07PNr+WBueJJqS:IlfCpJlEuXb6cK4QJrr186amIWge+S

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
4308	userinit.exe
564	system.exe
4140	system.exe
3308	system.exe
1820	system.exe
4596	system.exe
2424	system.exe
3140	system.exe
3800	system.exe
3576	system.exe
4624	system.exe
4620	system.exe
4880	system.exe
3212	system.exe
1668	system.exe
2312	system.exe
4932	system.exe
1040	system.exe
3152	system.exe
1672	system.exe
4660	system.exe
2328	system.exe
1256	system.exe
2196	system.exe
3728	system.exe
764	system.exe
4088	system.exe
4212	system.exe
2732	system.exe
1608	system.exe
3544	system.exe
3496	system.exe
4396	system.exe
564	system.exe
4432	system.exe
2948	system.exe
5100	system.exe
4636	system.exe
1328	system.exe
2708	system.exe
3912	system.exe
1472	system.exe
3968	system.exe
4624	system.exe
4608	system.exe
2052	system.exe
2436	system.exe
3868	system.exe
4664	system.exe
4544	system.exe
4912	system.exe
5040	system.exe
2160	system.exe
4836	system.exe
3164	system.exe
2580	system.exe
4428	system.exe
1300	system.exe
5116	system.exe
988	system.exe
4144	system.exe
2792	system.exe
764	system.exe
516	system.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
4308	userinit.exe
4308	userinit.exe
4308	userinit.exe
4308	userinit.exe
564	system.exe
564	system.exe
4308	userinit.exe
4308	userinit.exe
4140	system.exe
4140	system.exe
4308	userinit.exe
4308	userinit.exe
3308	system.exe
3308	system.exe
4308	userinit.exe
4308	userinit.exe
1820	system.exe
1820	system.exe
4308	userinit.exe
4308	userinit.exe
4596	system.exe
4596	system.exe
4308	userinit.exe
4308	userinit.exe
2424	system.exe
2424	system.exe
4308	userinit.exe
4308	userinit.exe
3140	system.exe
3140	system.exe
4308	userinit.exe
4308	userinit.exe
3800	system.exe
3800	system.exe
4308	userinit.exe
4308	userinit.exe
3576	system.exe
3576	system.exe
4308	userinit.exe
4308	userinit.exe
4624	system.exe
4624	system.exe
4308	userinit.exe
4308	userinit.exe
4620	system.exe
4620	system.exe
4308	userinit.exe
4308	userinit.exe
4880	system.exe
4880	system.exe
4308	userinit.exe
4308	userinit.exe
3212	system.exe
3212	system.exe
4308	userinit.exe
4308	userinit.exe
1668	system.exe
1668	system.exe
4308	userinit.exe
4308	userinit.exe
2312	system.exe
2312	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4308	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
4308	userinit.exe
4308	userinit.exe
564	system.exe
564	system.exe
4140	system.exe
4140	system.exe
3308	system.exe
3308	system.exe
1820	system.exe
1820	system.exe
4596	system.exe
4596	system.exe
2424	system.exe
2424	system.exe
3140	system.exe
3140	system.exe
3800	system.exe
3800	system.exe
3576	system.exe
3576	system.exe
4624	system.exe
4624	system.exe
4620	system.exe
4620	system.exe
4880	system.exe
4880	system.exe
3212	system.exe
3212	system.exe
1668	system.exe
1668	system.exe
2312	system.exe
2312	system.exe
4932	system.exe
4932	system.exe
1040	system.exe
1040	system.exe
3152	system.exe
3152	system.exe
1672	system.exe
1672	system.exe
4660	system.exe
4660	system.exe
2328	system.exe
2328	system.exe
1256	system.exe
1256	system.exe
2196	system.exe
2196	system.exe
3728	system.exe
3728	system.exe
764	system.exe
764	system.exe
4088	system.exe
4088	system.exe
4212	system.exe
4212	system.exe
2732	system.exe
2732	system.exe
1608	system.exe
1608	system.exe
3544	system.exe
3544	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 4308	3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe	81
PID 3684 wrote to memory of 4308	3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe	81
PID 3684 wrote to memory of 4308	3684	1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe	81
PID 4308 wrote to memory of 564	4308	userinit.exe	82
PID 4308 wrote to memory of 564	4308	userinit.exe	82
PID 4308 wrote to memory of 564	4308	userinit.exe	82
PID 4308 wrote to memory of 4140	4308	userinit.exe	83
PID 4308 wrote to memory of 4140	4308	userinit.exe	83
PID 4308 wrote to memory of 4140	4308	userinit.exe	83
PID 4308 wrote to memory of 3308	4308	userinit.exe	84
PID 4308 wrote to memory of 3308	4308	userinit.exe	84
PID 4308 wrote to memory of 3308	4308	userinit.exe	84
PID 4308 wrote to memory of 1820	4308	userinit.exe	85
PID 4308 wrote to memory of 1820	4308	userinit.exe	85
PID 4308 wrote to memory of 1820	4308	userinit.exe	85
PID 4308 wrote to memory of 4596	4308	userinit.exe	86
PID 4308 wrote to memory of 4596	4308	userinit.exe	86
PID 4308 wrote to memory of 4596	4308	userinit.exe	86
PID 4308 wrote to memory of 2424	4308	userinit.exe	89
PID 4308 wrote to memory of 2424	4308	userinit.exe	89
PID 4308 wrote to memory of 2424	4308	userinit.exe	89
PID 4308 wrote to memory of 3140	4308	userinit.exe	92
PID 4308 wrote to memory of 3140	4308	userinit.exe	92
PID 4308 wrote to memory of 3140	4308	userinit.exe	92
PID 4308 wrote to memory of 3800	4308	userinit.exe	93
PID 4308 wrote to memory of 3800	4308	userinit.exe	93
PID 4308 wrote to memory of 3800	4308	userinit.exe	93
PID 4308 wrote to memory of 3576	4308	userinit.exe	94
PID 4308 wrote to memory of 3576	4308	userinit.exe	94
PID 4308 wrote to memory of 3576	4308	userinit.exe	94
PID 4308 wrote to memory of 4624	4308	userinit.exe	96
PID 4308 wrote to memory of 4624	4308	userinit.exe	96
PID 4308 wrote to memory of 4624	4308	userinit.exe	96
PID 4308 wrote to memory of 4620	4308	userinit.exe	97
PID 4308 wrote to memory of 4620	4308	userinit.exe	97
PID 4308 wrote to memory of 4620	4308	userinit.exe	97
PID 4308 wrote to memory of 4880	4308	userinit.exe	98
PID 4308 wrote to memory of 4880	4308	userinit.exe	98
PID 4308 wrote to memory of 4880	4308	userinit.exe	98
PID 4308 wrote to memory of 3212	4308	userinit.exe	101
PID 4308 wrote to memory of 3212	4308	userinit.exe	101
PID 4308 wrote to memory of 3212	4308	userinit.exe	101
PID 4308 wrote to memory of 1668	4308	userinit.exe	102
PID 4308 wrote to memory of 1668	4308	userinit.exe	102
PID 4308 wrote to memory of 1668	4308	userinit.exe	102
PID 4308 wrote to memory of 2312	4308	userinit.exe	103
PID 4308 wrote to memory of 2312	4308	userinit.exe	103
PID 4308 wrote to memory of 2312	4308	userinit.exe	103
PID 4308 wrote to memory of 4932	4308	userinit.exe	104
PID 4308 wrote to memory of 4932	4308	userinit.exe	104
PID 4308 wrote to memory of 4932	4308	userinit.exe	104
PID 4308 wrote to memory of 1040	4308	userinit.exe	105
PID 4308 wrote to memory of 1040	4308	userinit.exe	105
PID 4308 wrote to memory of 1040	4308	userinit.exe	105
PID 4308 wrote to memory of 3152	4308	userinit.exe	106
PID 4308 wrote to memory of 3152	4308	userinit.exe	106
PID 4308 wrote to memory of 3152	4308	userinit.exe	106
PID 4308 wrote to memory of 1672	4308	userinit.exe	107
PID 4308 wrote to memory of 1672	4308	userinit.exe	107
PID 4308 wrote to memory of 1672	4308	userinit.exe	107
PID 4308 wrote to memory of 4660	4308	userinit.exe	108
PID 4308 wrote to memory of 4660	4308	userinit.exe	108
PID 4308 wrote to memory of 4660	4308	userinit.exe	108
PID 4308 wrote to memory of 2328	4308	userinit.exe	109

C:\Users\Admin\AppData\Local\Temp\1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1c3f1486a45a7ec2d748c31f7ff8d9d4_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1820
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2312
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1672
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3496
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:564
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3968
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4624
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2436
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3164
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:5116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:988
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:4144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:100
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4508
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1172
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3228
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:940
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2396
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2248
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4884
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3212
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3088
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1264
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1300
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2196
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1476
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1444
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1880
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3084
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2712
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:5096
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:4856
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1532
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
529KB

MD5
1c3f1486a45a7ec2d748c31f7ff8d9d4

SHA1
c27b99d27d5d4d9e0dd9bb7b216f8f2c26e70e87

SHA256
db9c35d6088d016516c3e22c016ca53f066602614e687d4916c2548783329f66

SHA512
78a0c197023bcaa1bbd8336b24445191c3ac18b09504f11c55778c173470e5570cfe0f6911827b3d7fe1ad7612c3051f4853d1460349c2af064573e085eafc67

Download Submit
memory/100-331-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/440-450-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/516-327-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/564-182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/564-25-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/764-323-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/940-395-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/988-309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1040-104-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1172-367-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1256-127-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1300-299-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1328-207-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-222-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-469-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1608-162-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-461-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1628-399-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1668-91-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1728-359-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1820-41-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1876-386-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1928-339-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1948-351-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-240-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2160-275-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2196-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2248-407-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2320-423-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2328-122-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2396-403-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2424-51-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2436-245-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2580-290-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2708-212-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-343-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2732-157-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2764-473-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2792-319-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2864-363-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2948-192-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3012-415-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3052-477-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3088-443-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3140-56-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3152-109-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3164-285-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-86-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3212-427-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3228-374-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3308-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3496-172-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3544-167-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3576-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3684-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3728-137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3800-61-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3868-250-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3912-217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3968-227-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4048-335-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4088-147-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4140-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4140-29-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4144-314-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4212-152-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4308-391-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4308-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4340-454-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-177-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4432-187-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4460-378-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4472-439-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4508-355-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4520-382-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4544-260-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4596-46-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4604-431-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4620-76-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4624-71-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4636-202-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4636-390-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4652-465-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4664-255-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4812-347-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4836-280-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4880-81-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4884-419-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4888-435-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4912-265-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5040-270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5096-411-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5100-197-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5116-304-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download