cybergate | 963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7

Analysis

max time kernel
189s
max time network
182s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01/12/2022, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe
Size

905KB
MD5

f3e1125e3b5a5d17a47144b9ea3fbb74
SHA1

8f622a26c9362ae6a1f822f3d808da3eb0d6fc64
SHA256

963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7
SHA512

7edc89990d989e81c2c31819b4dde20170c17ee733f0e99355d3bb14e6eb97415f363d215e60febda64233eff90620fb4d79b013a2de16efcbf295dc4070953c
SSDEEP

12288:PBJHa4SSqrzuhQ88jIYSl10R/IqSBk58tKTGPM2Leov6uqoi2ARuqnK/PtuVnMqC:PrHaFSIR/998CGPMAeKXt0MB/v4mb

Score

10^/10

cybergate viko89 persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

viko89

124.123.38.124:82

viko89.no-ip.biz:82

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
winlogonn.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
allahisgreat
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Crypted.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe

Executes dropped EXE 27 IoCs

pid	Process
1204	Crypted.exe
3472	winlogonn.exe
768	winlogonn.exe
3420	winlogonn.exe
3160	winlogonn.exe
5080	winlogonn.exe
4224	winlogonn.exe
1284	winlogonn.exe
960	winlogonn.exe
4276	winlogonn.exe
3524	winlogonn.exe
2216	winlogonn.exe
1624	winlogonn.exe
3384	winlogonn.exe
2484	winlogonn.exe
5028	winlogonn.exe
3060	winlogonn.exe
1924	winlogonn.exe
3852	winlogonn.exe
3940	winlogonn.exe
1456	winlogonn.exe
920	winlogonn.exe
3636	winlogonn.exe
4352	winlogonn.exe
3728	winlogonn.exe
3780	winlogonn.exe
904	winlogonn.exe

Modifies Installed Components in the registry 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogonn.exe Restart"	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000000072f-134.dat	upx
behavioral2/files/0x000300000000072f-135.dat	upx
behavioral2/memory/1204-136-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1204-138-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral2/memory/1204-143-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/1612-146-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/files/0x0005000000009dc6-148.dat	upx
behavioral2/memory/1612-149-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral2/memory/1204-150-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0005000000009dc6-152.dat	upx
behavioral2/memory/3472-153-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0005000000009dc6-155.dat	upx
behavioral2/memory/768-156-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x00070000000162a7-157.dat	upx
behavioral2/files/0x0005000000009dc6-160.dat	upx
behavioral2/memory/3472-161-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3420-162-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x00050000000162ad-163.dat	upx
behavioral2/files/0x0005000000009dc6-166.dat	upx
behavioral2/memory/768-167-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3160-168-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0011000000016741-169.dat	upx
behavioral2/files/0x0005000000009dc6-172.dat	upx
behavioral2/memory/3420-173-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/5080-174-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000200000001e726-175.dat	upx
behavioral2/files/0x0005000000009dc6-178.dat	upx
behavioral2/memory/3160-179-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4224-180-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0012000000016741-181.dat	upx
behavioral2/files/0x0005000000009dc6-184.dat	upx
behavioral2/memory/5080-185-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1284-186-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000500000001d9ef-187.dat	upx
behavioral2/files/0x0005000000009dc6-190.dat	upx
behavioral2/memory/4224-191-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/960-192-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0013000000016741-193.dat	upx
behavioral2/files/0x0005000000009dc6-196.dat	upx
behavioral2/memory/1284-197-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/4276-198-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000400000001e2c6-199.dat	upx
behavioral2/files/0x0005000000009dc6-202.dat	upx
behavioral2/memory/960-203-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3524-204-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0014000000016741-205.dat	upx
behavioral2/files/0x0005000000009dc6-208.dat	upx
behavioral2/memory/4276-209-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2216-210-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000500000001e2c6-211.dat	upx
behavioral2/files/0x0005000000009dc6-213.dat	upx
behavioral2/memory/3524-215-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/1624-216-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0015000000016741-217.dat	upx
behavioral2/files/0x0005000000009dc6-220.dat	upx
behavioral2/memory/2216-221-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/3384-222-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x000600000001e2c6-223.dat	upx
behavioral2/files/0x0005000000009dc6-226.dat	upx
behavioral2/memory/1624-227-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2484-228-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/files/0x0016000000016741-229.dat	upx
behavioral2/files/0x0005000000009dc6-231.dat	upx
behavioral2/memory/3384-232-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe

Drops file in System32 directory 50 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	Crypted.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe
1204	Crypted.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1204	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1204	4600	963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe	82
PID 4600 wrote to memory of 1204	4600	963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe	82
PID 4600 wrote to memory of 1204	4600	963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe	82
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36
PID 1204 wrote to memory of 2180	1204	Crypted.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2180
- C:\Users\Admin\AppData\Local\Temp\963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe
  "C:\Users\Admin\AppData\Local\Temp\963950f8322d5c8f7226d431a3f731e1ace9e3fcfdc98d499584d7df054323b7.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1204
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Modifies Installed Components in the registry
      Adds Run key to start application
      PID:1612
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3472
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:768
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3420
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3160
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5080
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4224
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1284
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:960
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4276
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3524
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2216
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1624
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3384
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Executes dropped EXE
        Modifies Installed Components in the registry
        Drops file in System32 directory
        
        PID:2484
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:5028
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3060
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1924
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3852
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3940
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1456
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:920
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3636
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4352
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Executes dropped EXE
        Modifies Installed Components in the registry
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3728
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Executes dropped EXE
        
        PID:3780
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Executes dropped EXE
        
        PID:904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
89cbd2c0a5ebd2d32996e63e13e45bb7

SHA1
5b39d01ee67bae7bd5670f602a5d34d5d99f1118

SHA256
b30e4d219809b8f5c02889c58628d0f51af1ed6c84690aa888235b7f1d16a5d3

SHA512
fa1dd3d6406def05c7aaa9581a5fcb4caf07b505f2f854edcdb19e979f377f47df49a02dd1dcf434de7c7e5a4d6b5807c877904ca90bcc4a4148c06d837427ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
24610a0adcd16382b073276230e8ea6a

SHA1
ba4e51ab9bcc8ea363c72ab07ad7b2e931f94b3a

SHA256
5230955c5aea9d1c5cc156fff25f02b2fbb397bdf57128c37f32cd6c9bcf8148

SHA512
d4d0e74b7ac431d22f7a04cc21763a381258fc39048cec681a3cae3b9ecadde5b38162656c6ad1e31241a7c196979ff0bf009c314f93a4354d90757404d3e3d8

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Users\Admin\AppData\Roaming\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
C:\Windows\SysWOW64\Winlog\winlogonn.exe

Filesize
274KB

MD5
b11e30c990764876cc310039736d4843

SHA1
854310b2669f352734b6028af58c7921e13a9255

SHA256
db668f0494ce0318a29ccd3cffc074e7e460c0519e6164fc091e0b28d100e26d

SHA512
8b94294fdb9724653e212ec7dc5e0fefe0bc57d8e5589eb7c0d5acf0ee65281d67c69558f6a08b8f9369695bbde0f3dc93cb49ebfa60f4b57db704297adaa6e3

Download Submit
memory/768-156-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/768-167-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/920-270-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/920-276-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/960-203-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/960-192-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-136-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-150-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-143-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/1204-138-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/1284-186-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1284-197-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1456-273-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1456-264-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1612-146-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/1612-149-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/1624-216-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1624-227-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1924-257-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1924-245-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2216-210-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2216-221-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-242-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2484-228-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3060-251-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3060-239-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3160-179-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3160-168-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3384-232-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3384-222-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3420-162-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3420-173-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3472-161-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3472-153-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3524-204-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3524-215-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3636-279-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3636-274-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3728-285-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3728-280-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3780-283-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3852-263-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3852-252-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3940-258-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3940-269-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4224-191-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4224-180-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4276-209-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4276-198-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4352-277-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4352-282-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/4600-132-0x00007FFF24190000-0x00007FFF24BC6000-memory.dmp

Filesize
10.2MB

Download
memory/5028-248-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5028-233-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5080-174-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/5080-185-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download