a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15-07-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
Size

428KB
MD5

481fa29327f38adb2545429e7751ed7a
SHA1

3fd07c2d0243eff077bf00916c440945a81d3461
SHA256

a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9
SHA512

69dd6c476951db834a1e229fac3d6f49f012b375fd5f046c57a90ce38f279356ac398b8397b92401af441f3b183f11356e7e3cf461656945b206daf064f94ca9
SSDEEP

3072:V1zwLll0u6EJdCqk+7gpf1zwLv2N+eG15R7HM:V1zEl3cqkDpf1zGeG15FHM

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Executes dropped EXE 64 IoCs

pid	Process
2808	userinit.exe
2600	system.exe
2736	system.exe
2596	system.exe
2852	system.exe
1736	system.exe
2992	system.exe
2652	system.exe
1292	system.exe
108	system.exe
2888	system.exe
320	system.exe
2200	system.exe
2128	system.exe
1256	system.exe
1076	system.exe
1580	system.exe
952	system.exe
1760	system.exe
1660	system.exe
1716	system.exe
2316	system.exe
2036	system.exe
2024	system.exe
1744	system.exe
1704	system.exe
2716	system.exe
552	system.exe
2976	system.exe
2620	system.exe
2684	system.exe
288	system.exe
2936	system.exe
2928	system.exe
660	system.exe
808	system.exe
1488	system.exe
2788	system.exe
2912	system.exe
1932	system.exe
1768	system.exe
2140	system.exe
2136	system.exe
1256	system.exe
1984	system.exe
608	system.exe
2516	system.exe
924	system.exe
1740	system.exe
1732	system.exe
3052	system.exe
2352	system.exe
3008	system.exe
1816	system.exe
324	system.exe
1596	system.exe
2812	system.exe
1720	system.exe
2588	system.exe
2976	system.exe
1032	system.exe
2144	system.exe
2220	system.exe
2872	system.exe

Loads dropped DLL 64 IoCs

pid	Process
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe
2808	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\userinit.exe	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
File opened for modification	C:\Windows\userinit.exe	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
2808	userinit.exe
2808	userinit.exe
2600	system.exe
2808	userinit.exe
2736	system.exe
2808	userinit.exe
2596	system.exe
2808	userinit.exe
2852	system.exe
2808	userinit.exe
1736	system.exe
2808	userinit.exe
2992	system.exe
2808	userinit.exe
2652	system.exe
2808	userinit.exe
1292	system.exe
2808	userinit.exe
108	system.exe
2808	userinit.exe
2888	system.exe
2808	userinit.exe
320	system.exe
2808	userinit.exe
2200	system.exe
2808	userinit.exe
2128	system.exe
2808	userinit.exe
1256	system.exe
2808	userinit.exe
1076	system.exe
2808	userinit.exe
1580	system.exe
2808	userinit.exe
952	system.exe
2808	userinit.exe
1760	system.exe
2808	userinit.exe
1660	system.exe
2808	userinit.exe
1716	system.exe
2808	userinit.exe
2316	system.exe
2808	userinit.exe
2036	system.exe
2808	userinit.exe
2024	system.exe
2808	userinit.exe
1744	system.exe
2808	userinit.exe
1704	system.exe
2808	userinit.exe
2716	system.exe
2808	userinit.exe
552	system.exe
2808	userinit.exe
2976	system.exe
2808	userinit.exe
2620	system.exe
2808	userinit.exe
2684	system.exe
2808	userinit.exe
288	system.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	userinit.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
2808	userinit.exe
2808	userinit.exe
2600	system.exe
2600	system.exe
2736	system.exe
2736	system.exe
2596	system.exe
2596	system.exe
2852	system.exe
2852	system.exe
1736	system.exe
1736	system.exe
2992	system.exe
2992	system.exe
2652	system.exe
2652	system.exe
1292	system.exe
1292	system.exe
108	system.exe
108	system.exe
2888	system.exe
2888	system.exe
320	system.exe
320	system.exe
2200	system.exe
2200	system.exe
2128	system.exe
2128	system.exe
1256	system.exe
1256	system.exe
1076	system.exe
1076	system.exe
1580	system.exe
1580	system.exe
952	system.exe
952	system.exe
1760	system.exe
1760	system.exe
1660	system.exe
1660	system.exe
1716	system.exe
1716	system.exe
2316	system.exe
2316	system.exe
2036	system.exe
2036	system.exe
2024	system.exe
2024	system.exe
1744	system.exe
1744	system.exe
1704	system.exe
1704	system.exe
2716	system.exe
2716	system.exe
552	system.exe
552	system.exe
2976	system.exe
2976	system.exe
2620	system.exe
2620	system.exe
2684	system.exe
2684	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 2808	1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	31
PID 1792 wrote to memory of 2808	1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	31
PID 1792 wrote to memory of 2808	1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	31
PID 1792 wrote to memory of 2808	1792	481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2600	2808	userinit.exe	32
PID 2808 wrote to memory of 2600	2808	userinit.exe	32
PID 2808 wrote to memory of 2600	2808	userinit.exe	32
PID 2808 wrote to memory of 2600	2808	userinit.exe	32
PID 2808 wrote to memory of 2736	2808	userinit.exe	33
PID 2808 wrote to memory of 2736	2808	userinit.exe	33
PID 2808 wrote to memory of 2736	2808	userinit.exe	33
PID 2808 wrote to memory of 2736	2808	userinit.exe	33
PID 2808 wrote to memory of 2596	2808	userinit.exe	34
PID 2808 wrote to memory of 2596	2808	userinit.exe	34
PID 2808 wrote to memory of 2596	2808	userinit.exe	34
PID 2808 wrote to memory of 2596	2808	userinit.exe	34
PID 2808 wrote to memory of 2852	2808	userinit.exe	35
PID 2808 wrote to memory of 2852	2808	userinit.exe	35
PID 2808 wrote to memory of 2852	2808	userinit.exe	35
PID 2808 wrote to memory of 2852	2808	userinit.exe	35
PID 2808 wrote to memory of 1736	2808	userinit.exe	36
PID 2808 wrote to memory of 1736	2808	userinit.exe	36
PID 2808 wrote to memory of 1736	2808	userinit.exe	36
PID 2808 wrote to memory of 1736	2808	userinit.exe	36
PID 2808 wrote to memory of 2992	2808	userinit.exe	37
PID 2808 wrote to memory of 2992	2808	userinit.exe	37
PID 2808 wrote to memory of 2992	2808	userinit.exe	37
PID 2808 wrote to memory of 2992	2808	userinit.exe	37
PID 2808 wrote to memory of 2652	2808	userinit.exe	38
PID 2808 wrote to memory of 2652	2808	userinit.exe	38
PID 2808 wrote to memory of 2652	2808	userinit.exe	38
PID 2808 wrote to memory of 2652	2808	userinit.exe	38
PID 2808 wrote to memory of 1292	2808	userinit.exe	39
PID 2808 wrote to memory of 1292	2808	userinit.exe	39
PID 2808 wrote to memory of 1292	2808	userinit.exe	39
PID 2808 wrote to memory of 1292	2808	userinit.exe	39
PID 2808 wrote to memory of 108	2808	userinit.exe	40
PID 2808 wrote to memory of 108	2808	userinit.exe	40
PID 2808 wrote to memory of 108	2808	userinit.exe	40
PID 2808 wrote to memory of 108	2808	userinit.exe	40
PID 2808 wrote to memory of 2888	2808	userinit.exe	41
PID 2808 wrote to memory of 2888	2808	userinit.exe	41
PID 2808 wrote to memory of 2888	2808	userinit.exe	41
PID 2808 wrote to memory of 2888	2808	userinit.exe	41
PID 2808 wrote to memory of 320	2808	userinit.exe	42
PID 2808 wrote to memory of 320	2808	userinit.exe	42
PID 2808 wrote to memory of 320	2808	userinit.exe	42
PID 2808 wrote to memory of 320	2808	userinit.exe	42
PID 2808 wrote to memory of 2200	2808	userinit.exe	43
PID 2808 wrote to memory of 2200	2808	userinit.exe	43
PID 2808 wrote to memory of 2200	2808	userinit.exe	43
PID 2808 wrote to memory of 2200	2808	userinit.exe	43
PID 2808 wrote to memory of 2128	2808	userinit.exe	44
PID 2808 wrote to memory of 2128	2808	userinit.exe	44
PID 2808 wrote to memory of 2128	2808	userinit.exe	44
PID 2808 wrote to memory of 2128	2808	userinit.exe	44
PID 2808 wrote to memory of 1256	2808	userinit.exe	45
PID 2808 wrote to memory of 1256	2808	userinit.exe	45
PID 2808 wrote to memory of 1256	2808	userinit.exe	45
PID 2808 wrote to memory of 1256	2808	userinit.exe	45
PID 2808 wrote to memory of 1076	2808	userinit.exe	46
PID 2808 wrote to memory of 1076	2808	userinit.exe	46
PID 2808 wrote to memory of 1076	2808	userinit.exe	46
PID 2808 wrote to memory of 1076	2808	userinit.exe	46

C:\Users\Admin\AppData\Local\Temp\481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\481fa29327f38adb2545429e7751ed7a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\userinit.exe
  C:\Windows\userinit.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2600
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1292
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:108
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2888
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2128
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1076
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1580
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:952
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1760
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2316
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2036
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2024
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1744
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:552
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2684
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:288
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2936
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2928
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:660
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2788
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2912
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1768
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2140
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1984
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:608
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2516
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1732
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3052
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1816
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1596
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2588
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:1032
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2220
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    - Executes dropped EXE
    PID:2872
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1736
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1676
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:348
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2924
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1136
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2200
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:408
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1512
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1652
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1560
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1740
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:236
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2256
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1416
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1000
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3008
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:840
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1244
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:916
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2764
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2716
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2464
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2964
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2804
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1812
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2628
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1864
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1680
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2160
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2072
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2784
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:808
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1484
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2792
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2948
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1836
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2540
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3028
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2400
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2116
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1800
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1340
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:956
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:844
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2472
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2488
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1724
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1992
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:3048
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2324
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:868
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1756
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1252
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2776
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2688
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:1616
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:908
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2704
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2320
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2728
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2620
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:976
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2980
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2604
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2012
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:2176
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:584
- - C:\Windows\SysWOW64\system.exe
    C:\Windows\system32\system.exe
    3⤵
    PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\userinit.exe

Filesize
428KB

MD5
481fa29327f38adb2545429e7751ed7a

SHA1
3fd07c2d0243eff077bf00916c440945a81d3461

SHA256
a49142513a1fd3b312ba2b86f117e5b4e1befd63ed56cef6c5bfb69d11e894a9

SHA512
69dd6c476951db834a1e229fac3d6f49f012b375fd5f046c57a90ce38f279356ac398b8397b92401af441f3b183f11356e7e3cf461656945b206daf064f94ca9

Download Submit
memory/108-130-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/552-331-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/552-332-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/808-413-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/808-411-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/952-222-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1256-189-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1256-188-0x00000000001B0000-0x00000000001C0000-memory.dmp

Filesize
64KB

Download
memory/1292-117-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1704-311-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1716-260-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1736-80-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1744-301-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1760-235-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-2-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1792-12-0x00000000026E0000-0x000000000274B000-memory.dmp

Filesize
428KB

Download
memory/1792-13-0x00000000026E0000-0x000000000274B000-memory.dmp

Filesize
428KB

Download
memory/2036-282-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2036-280-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2596-57-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2600-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2620-353-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2652-105-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2684-363-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2716-321-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2736-46-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2788-432-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2808-150-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-391-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-173-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-174-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-207-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-217-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-161-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-231-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-230-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-149-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-238-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-244-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-256-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-255-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-440-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-268-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-267-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-276-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-137-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-279-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-124-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-291-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-290-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-297-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-296-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-125-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-310-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-309-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-112-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-317-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-316-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-99-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-328-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-100-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-438-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-330-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-429-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-340-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-339-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-431-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-87-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-352-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-351-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-359-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-358-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-75-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-371-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-372-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-379-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-377-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-14-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2808-390-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-418-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-184-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-420-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-399-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-398-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-30-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-410-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2808-409-0x0000000001EB0000-0x0000000001F1B000-memory.dmp

Filesize
428KB

Download
memory/2852-68-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2888-142-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2912-441-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-393-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2928-392-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2936-382-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-343-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2976-341-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2992-92-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download