cybergate | 94e0f075db7451b35bdad550b9a373a785aa84930d2d8d4a2aafcdc167c91d9c

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
21-01-2024 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c1edc720b1bd7afd48cd10289cdce01.exe
Size

338KB
MD5

6c1edc720b1bd7afd48cd10289cdce01
SHA1

5518949ce29e9c5cf6f5b3389ca5d158c8caf8cf
SHA256

94e0f075db7451b35bdad550b9a373a785aa84930d2d8d4a2aafcdc167c91d9c
SHA512

697dae2bb8a768ad06598997a9b364f95c5acb9a368d70702157e629a70c79119f4600326722b94afe3a2a8fec05303cfd499bdefbf0a38dd0be31a289526bf2
SSDEEP

6144:Pd/G0N63UDkJ8uszQAzrUnYkxezUT9inFj9PShCpDiTxu3g9yLzwEI4V:Nx6Ausyn3okGFj59gK8Q

Score

10^/10

cybergate cyber persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

cyber

lewisxi.no-ip.biz:5150

Mutex

Updater

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
12345
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeexplorer.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6c1edc720b1bd7afd48cd10289cdce01.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	6c1edc720b1bd7afd48cd10289cdce01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe

Modifies Installed Components in the registry 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exe6c1edc720b1bd7afd48cd10289cdce01.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exeexplorer.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogon.exe Restart"	6c1edc720b1bd7afd48cd10289cdce01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	6c1edc720b1bd7afd48cd10289cdce01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe Restart"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{P68JR4Q4-ILX0-8XDX-Y5L1-YK271A05VQ4G}	winlogon.exe

Executes dropped EXE 29 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

pid	process
1932	winlogon.exe
1204	winlogon.exe
1660	winlogon.exe
916	winlogon.exe
864	winlogon.exe
1632	winlogon.exe
1904	winlogon.exe
836	winlogon.exe
2420	winlogon.exe
1772	winlogon.exe
1624	winlogon.exe
2260	winlogon.exe
2684	winlogon.exe
2796	winlogon.exe
2736	winlogon.exe
2748	winlogon.exe
2648	winlogon.exe
3024	winlogon.exe
2032	winlogon.exe
2916	winlogon.exe
772	winlogon.exe
1800	winlogon.exe
1640	winlogon.exe
2072	winlogon.exe
2100	winlogon.exe
1636	winlogon.exe
1888	winlogon.exe
436	winlogon.exe
2112	winlogon.exe

Loads dropped DLL 58 IoCs

Processes:

explorer.exe

pid	process
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe
2104	explorer.exe

UPX packed file 36 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2104-535-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
C:\Windows\SysWOW64\Winlog\winlogon.exe	upx
behavioral1/memory/3004-538-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1932-544-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1204-551-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2104-558-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/1660-561-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2104-560-0x00000000037A0000-0x00000000037F6000-memory.dmp	upx
behavioral1/memory/1932-566-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/916-572-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1204-576-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/864-580-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1660-586-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2104-591-0x00000000037A0000-0x00000000037F6000-memory.dmp	upx
behavioral1/memory/1632-592-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/916-596-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1904-601-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/864-606-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/836-611-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1632-621-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2420-620-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1904-630-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1772-632-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1624-639-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/836-644-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2260-649-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2420-654-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2684-659-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1772-663-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2796-668-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1624-672-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2736-673-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2260-678-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2748-679-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2684-683-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6c1edc720b1bd7afd48cd10289cdce01.exewinlogon.exeexplorer.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	6c1edc720b1bd7afd48cd10289cdce01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\winlogon.exe"	6c1edc720b1bd7afd48cd10289cdce01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogon.exe"	winlogon.exe

Drops file in System32 directory 60 IoCs

Processes:

winlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe6c1edc720b1bd7afd48cd10289cdce01.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exewinlogon.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	6c1edc720b1bd7afd48cd10289cdce01.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	6c1edc720b1bd7afd48cd10289cdce01.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogon.exe	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6c1edc720b1bd7afd48cd10289cdce01.exewinlogon.exe

pid	process
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
1932	winlogon.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
3004	6c1edc720b1bd7afd48cd10289cdce01.exe
1932	winlogon.exe
1932	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

6c1edc720b1bd7afd48cd10289cdce01.exe

pid process

3004 6c1edc720b1bd7afd48cd10289cdce01.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6c1edc720b1bd7afd48cd10289cdce01.exe

description	pid	process	target process
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE
PID 3004 wrote to memory of 1272	3004	6c1edc720b1bd7afd48cd10289cdce01.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1272

C:\Users\Admin\AppData\Local\Temp\6c1edc720b1bd7afd48cd10289cdce01.exe
"C:\Users\Admin\AppData\Local\Temp\6c1edc720b1bd7afd48cd10289cdce01.exe"
2⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004

C:\Windows\SysWOW64\explorer.exe
explorer.exe
3⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Loads dropped DLL
- Adds Run key to start application
PID:2104

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1204

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:916

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:864

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1632

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1904

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:836

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2420

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1772

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1624

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2260

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2684

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2796

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2736

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2748

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2648

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:3024

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2032

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2916

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:772

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1800

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1640

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2072

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2100

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1636

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1888

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:436

C:\Windows\SysWOW64\Winlog\winlogon.exe
"C:\Windows\system32\Winlog\winlogon.exe"
4⤵
- Adds policy Run key to start application
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2112

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
227KB

MD5
ec4d57a8668b0378a00a736845881ea0

SHA1
0ba845ecb6d60b5b5af7d8696c099dd0e91740b8

SHA256
912679bea0e841ba4e5b82bc42fea37a63d5bcbdaa08c440330026a9a521165e

SHA512
183a4c484177bc45c240f1f5e5ea59d83f2824ce2d8e7639475578c5197a2253df66607e2e0ca83f65261ad38c889ece799e40f0fda14d2e98fa27ad1196b262

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
227KB

MD5
9701d9bbb4f5a495cd6a255517e4e1f0

SHA1
367d32f999d2ab8f95ca816e09938e268e924c48

SHA256
1d9b052ec6019521cdd65ea1470489acc89596af6d21cb560ccaa0a88cee70cf

SHA512
25782c4d6f31dcd9fac0253437d053d59f7cd805d8aaaa79ec51785d1765a869823212c0f1b7cf51f38ea6f2d1ea31b8acadc90673ae7f4d4f5e73b600e0b743

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
Filesize
227KB

MD5
8e1f9540679b6d71329922eb40c68026

SHA1
7fdec864f35b748a3301b99c88151f6ca595873e

SHA256
2f70a0d4e5e2027f50aab06ed41f1234e706907810371b0edc05f20913477bde

SHA512
7b25b3e87e202ff31674d0f4f3a976c11c2835b444fb173b0bb4aee9414cc3ce69f77b4f729d997d93f18d6b06fbbba897c1ed9c54a052fff889f25ac949577d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\SysWOW64\Winlog\winlogon.exe
Filesize
338KB

MD5
6c1edc720b1bd7afd48cd10289cdce01

SHA1
5518949ce29e9c5cf6f5b3389ca5d158c8caf8cf

SHA256
94e0f075db7451b35bdad550b9a373a785aa84930d2d8d4a2aafcdc167c91d9c

SHA512
697dae2bb8a768ad06598997a9b364f95c5acb9a368d70702157e629a70c79119f4600326722b94afe3a2a8fec05303cfd499bdefbf0a38dd0be31a289526bf2

Download Submit
memory/836-644-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/836-611-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/864-580-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/864-606-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/916-596-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/916-572-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-551-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-576-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1272-4-0x0000000001DB0000-0x0000000001DB1000-memory.dmp

Filesize
4KB

Download
memory/1624-672-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1624-639-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1632-621-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1632-592-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1660-561-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1660-586-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1772-663-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1772-632-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1904-601-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1904-630-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1932-544-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1932-566-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2104-600-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-631-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-584-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-590-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-591-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-571-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-569-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-684-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-565-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-605-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-559-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-610-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-560-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-558-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/2104-615-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-619-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-549-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-682-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-628-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-629-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-543-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-585-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-542-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-677-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-643-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-535-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/2104-648-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-676-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-653-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-253-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2104-667-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-658-0x00000000037A0000-0x00000000037F6000-memory.dmp

Filesize
344KB

Download
memory/2104-255-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2260-649-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2260-678-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2420-654-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2420-620-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2684-659-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2684-683-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2736-673-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2748-679-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2796-668-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3004-538-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3004-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads