a840a47e67040c1070022d4bf772e2b0a7bf3b6b9856a2bff66df7cd0601b549

Analysis

max time kernel
150s
max time network
127s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
Size

672KB
MD5

2b4846bc9f043bf38cd4e36fb852e48d
SHA1

73d54a031225e308691deb2a573816ad80b1e12e
SHA256

a840a47e67040c1070022d4bf772e2b0a7bf3b6b9856a2bff66df7cd0601b549
SHA512

cc021a277ff3ba5b906d0dd9580cd83a7e8fb13cff3bc8494f3b984d59190e7757dae8195a62aac869ac03609a8ddcef51df1b8ebbaa1542e9484d6d5934e1bc
SSDEEP

12288:7vehvlYuXb6cK4QJrr186amIWge+RCQdyIMA65xUlNqRC+NSK:7vehviuXbZKXJrr186amIWgVRFyIMX5h

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2448	userinit.exe
2748	system.exe
2804	system.exe
2964	system.exe
2524	system.exe
2980	system.exe
1372	system.exe
852	system.exe
1824	system.exe
1440	system.exe
576	system.exe
2852	system.exe
2428	system.exe
2400	system.exe
688	system.exe
1204	system.exe
900	system.exe
980	system.exe
1948	system.exe
112	system.exe
2124	system.exe
3036	system.exe
2116	system.exe
1284	system.exe
2716	system.exe
2632	system.exe
2652	system.exe
2752	system.exe
2664	system.exe
2592	system.exe
1944	system.exe
552	system.exe
1560	system.exe
1548	system.exe
1328	system.exe
2468	system.exe
2324	system.exe
2836	system.exe
2876	system.exe
2364	system.exe
432	system.exe
1448	system.exe
688	system.exe
1220	system.exe
768	system.exe
1308	system.exe
3048	system.exe
2148	system.exe
112	system.exe
2276	system.exe
1996	system.exe
1412	system.exe
1720	system.exe
2636	system.exe
2732	system.exe
2668	system.exe
2800	system.exe
2572	system.exe
2600	system.exe
2260	system.exe
956	system.exe
2976	system.exe
1460	system.exe
1548	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe
2448	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
2448	userinit.exe
2448	userinit.exe
2748	system.exe
2448	userinit.exe
2804	system.exe
2448	userinit.exe
2964	system.exe
2448	userinit.exe
2524	system.exe
2448	userinit.exe
2980	system.exe
2448	userinit.exe
1372	system.exe
2448	userinit.exe
852	system.exe
2448	userinit.exe
1824	system.exe
2448	userinit.exe
1440	system.exe
2448	userinit.exe
576	system.exe
2448	userinit.exe
2852	system.exe
2448	userinit.exe
2428	system.exe
2448	userinit.exe
2400	system.exe
2448	userinit.exe
688	system.exe
2448	userinit.exe
1204	system.exe
2448	userinit.exe
900	system.exe
2448	userinit.exe
980	system.exe
2448	userinit.exe
1948	system.exe
2448	userinit.exe
112	system.exe
2448	userinit.exe
2124	system.exe
2448	userinit.exe
3036	system.exe
2448	userinit.exe
2116	system.exe
2448	userinit.exe
1284	system.exe
2448	userinit.exe
2716	system.exe
2448	userinit.exe
2632	system.exe
2448	userinit.exe
2652	system.exe
2448	userinit.exe
2752	system.exe
2448	userinit.exe
2664	system.exe
2448	userinit.exe
2592	system.exe
2448	userinit.exe
1944	system.exe
2448	userinit.exe
552	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2448	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
2448	userinit.exe
2448	userinit.exe
2748	system.exe
2748	system.exe
2804	system.exe
2804	system.exe
2964	system.exe
2964	system.exe
2524	system.exe
2524	system.exe
2980	system.exe
2980	system.exe
1372	system.exe
1372	system.exe
852	system.exe
852	system.exe
1824	system.exe
1824	system.exe
1440	system.exe
1440	system.exe
576	system.exe
576	system.exe
2852	system.exe
2852	system.exe
2428	system.exe
2428	system.exe
2400	system.exe
2400	system.exe
688	system.exe
688	system.exe
1204	system.exe
1204	system.exe
900	system.exe
900	system.exe
980	system.exe
980	system.exe
1948	system.exe
1948	system.exe
112	system.exe
112	system.exe
2124	system.exe
2124	system.exe
3036	system.exe
3036	system.exe
2116	system.exe
2116	system.exe
1284	system.exe
1284	system.exe
2716	system.exe
2716	system.exe
2632	system.exe
2632	system.exe
2652	system.exe
2652	system.exe
2752	system.exe
2752	system.exe
2664	system.exe
2664	system.exe
2592	system.exe
2592	system.exe
1944	system.exe
1944	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2448	1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2448	1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2448	1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe	31
PID 1908 wrote to memory of 2448	1908	2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe	31
PID 2448 wrote to memory of 2748	2448	userinit.exe	32
PID 2448 wrote to memory of 2748	2448	userinit.exe	32
PID 2448 wrote to memory of 2748	2448	userinit.exe	32
PID 2448 wrote to memory of 2748	2448	userinit.exe	32
PID 2448 wrote to memory of 2804	2448	userinit.exe	33
PID 2448 wrote to memory of 2804	2448	userinit.exe	33
PID 2448 wrote to memory of 2804	2448	userinit.exe	33
PID 2448 wrote to memory of 2804	2448	userinit.exe	33
PID 2448 wrote to memory of 2964	2448	userinit.exe	34
PID 2448 wrote to memory of 2964	2448	userinit.exe	34
PID 2448 wrote to memory of 2964	2448	userinit.exe	34
PID 2448 wrote to memory of 2964	2448	userinit.exe	34
PID 2448 wrote to memory of 2524	2448	userinit.exe	35
PID 2448 wrote to memory of 2524	2448	userinit.exe	35
PID 2448 wrote to memory of 2524	2448	userinit.exe	35
PID 2448 wrote to memory of 2524	2448	userinit.exe	35
PID 2448 wrote to memory of 2980	2448	userinit.exe	36
PID 2448 wrote to memory of 2980	2448	userinit.exe	36
PID 2448 wrote to memory of 2980	2448	userinit.exe	36
PID 2448 wrote to memory of 2980	2448	userinit.exe	36
PID 2448 wrote to memory of 1372	2448	userinit.exe	37
PID 2448 wrote to memory of 1372	2448	userinit.exe	37
PID 2448 wrote to memory of 1372	2448	userinit.exe	37
PID 2448 wrote to memory of 1372	2448	userinit.exe	37
PID 2448 wrote to memory of 852	2448	userinit.exe	38
PID 2448 wrote to memory of 852	2448	userinit.exe	38
PID 2448 wrote to memory of 852	2448	userinit.exe	38
PID 2448 wrote to memory of 852	2448	userinit.exe	38
PID 2448 wrote to memory of 1824	2448	userinit.exe	39
PID 2448 wrote to memory of 1824	2448	userinit.exe	39
PID 2448 wrote to memory of 1824	2448	userinit.exe	39
PID 2448 wrote to memory of 1824	2448	userinit.exe	39
PID 2448 wrote to memory of 1440	2448	userinit.exe	40
PID 2448 wrote to memory of 1440	2448	userinit.exe	40
PID 2448 wrote to memory of 1440	2448	userinit.exe	40
PID 2448 wrote to memory of 1440	2448	userinit.exe	40
PID 2448 wrote to memory of 576	2448	userinit.exe	41
PID 2448 wrote to memory of 576	2448	userinit.exe	41
PID 2448 wrote to memory of 576	2448	userinit.exe	41
PID 2448 wrote to memory of 576	2448	userinit.exe	41
PID 2448 wrote to memory of 2852	2448	userinit.exe	42
PID 2448 wrote to memory of 2852	2448	userinit.exe	42
PID 2448 wrote to memory of 2852	2448	userinit.exe	42
PID 2448 wrote to memory of 2852	2448	userinit.exe	42
PID 2448 wrote to memory of 2428	2448	userinit.exe	43
PID 2448 wrote to memory of 2428	2448	userinit.exe	43
PID 2448 wrote to memory of 2428	2448	userinit.exe	43
PID 2448 wrote to memory of 2428	2448	userinit.exe	43
PID 2448 wrote to memory of 2400	2448	userinit.exe	44
PID 2448 wrote to memory of 2400	2448	userinit.exe	44
PID 2448 wrote to memory of 2400	2448	userinit.exe	44
PID 2448 wrote to memory of 2400	2448	userinit.exe	44
PID 2448 wrote to memory of 688	2448	userinit.exe	45
PID 2448 wrote to memory of 688	2448	userinit.exe	45
PID 2448 wrote to memory of 688	2448	userinit.exe	45
PID 2448 wrote to memory of 688	2448	userinit.exe	45
PID 2448 wrote to memory of 1204	2448	userinit.exe	46
PID 2448 wrote to memory of 1204	2448	userinit.exe	46
PID 2448 wrote to memory of 1204	2448	userinit.exe	46
PID 2448 wrote to memory of 1204	2448	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b4846bc9f043bf38cd4e36fb852e48d_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1824
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2428
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2124
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2632
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2664
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2876
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2364
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:432
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1448
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1308
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:112
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2276
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1996
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1412
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2668
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2572
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2260
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1460
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2468
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2216
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2900
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2360
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2384
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2284
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3060
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2548
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2544
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1152
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1524
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:556
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:576
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2420
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:592
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1204
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1500
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1920
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:944
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2068
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2332
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2896
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2520
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1696
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1848
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2040
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1640
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
672KB

MD5
2b4846bc9f043bf38cd4e36fb852e48d

SHA1
73d54a031225e308691deb2a573816ad80b1e12e

SHA256
a840a47e67040c1070022d4bf772e2b0a7bf3b6b9856a2bff66df7cd0601b549

SHA512
cc021a277ff3ba5b906d0dd9580cd83a7e8fb13cff3bc8494f3b984d59190e7757dae8195a62aac869ac03609a8ddcef51df1b8ebbaa1542e9484d6d5934e1bc

Download Submit
memory/112-561-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/112-260-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/576-151-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/688-499-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/768-522-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/852-114-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/980-235-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1204-209-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1220-512-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1284-306-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1308-532-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1372-102-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1440-138-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1548-412-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1548-410-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1560-400-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1824-126-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1908-9-0x0000000001CC0000-0x0000000001D2A000-memory.dmp

Filesize
424KB

Download
memory/1908-1-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1908-22-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1908-21-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/1908-0-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1944-377-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/1996-581-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2116-295-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2124-273-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2324-441-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2364-475-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-182-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2400-187-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-331-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-399-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-218-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-230-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-229-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-158-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-245-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-255-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-254-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-145-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-268-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-267-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-146-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-281-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-280-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-290-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-291-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-134-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-301-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-302-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-297-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-121-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-312-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-311-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-587-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-321-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-322-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-15-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2448-332-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-110-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-568-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-342-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-343-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-352-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-355-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-569-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-363-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-364-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-374-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-373-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-96-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-384-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-385-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-394-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-397-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-217-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-85-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-408-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-409-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-567-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-14-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-417-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-418-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-427-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-428-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-437-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-557-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-440-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-448-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-450-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-449-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-548-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-459-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-547-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-462-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-541-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-471-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-33-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-480-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2448-482-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-498-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-530-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-511-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2448-521-0x0000000002700000-0x000000000276A000-memory.dmp

Filesize
424KB

Download
memory/2524-73-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2632-326-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2636-610-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2652-337-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2664-356-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2716-316-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2748-39-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2748-40-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2804-48-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2804-53-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2804-49-0x0000000000020000-0x0000000000023000-memory.dmp

Filesize
12KB

Download
memory/2836-454-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2876-463-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2876-466-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download
memory/2964-65-0x0000000000400000-0x000000000046A000-memory.dmp

Filesize
424KB

Download