cybergate | a42216ef87a5e2d2431fe4cf2d58a5880547f00aefac61ae0edf3c4d82caf27b

Analysis

max time kernel
150s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe
Size

356KB
MD5

dc5a0a357e82179b15207f49583cb539
SHA1

f9e2cf394973e1477d878248f4b439aaa619be55
SHA256

a42216ef87a5e2d2431fe4cf2d58a5880547f00aefac61ae0edf3c4d82caf27b
SHA512

c2d8701d24824d9919bc8e2155dbb5cdc0075ae5378a00a73060d0f0851f29e830585c10ddf6becb53c8390a3c8bfbe8447a9ed30ed35d31764c6cd3955ad7a0
SSDEEP

6144:fINLokYJyrFv/euq6rfGpty9JjQDqDuLWm3odcrNLjCniqBHhLtYZFVcYceVDvgW:kEkYJyB82fGpUXckuCm3RqBBL6Z4MTj

Score

10^/10

cybergate cyber discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

Cyber

slcert.no-ip.biz:82

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
Winlogon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
123456
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	server.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	Winlogon.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\system32\\Winlog\\Winlogon.exe Restart"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EQ8RF7EU-21U5-TJVM-ETT4-KV3D560MD340}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe Restart"	Winlogon.exe

Executes dropped EXE 31 IoCs

pid	Process
2764	server.exe
2816	WindowsApplication1.exe
604	Winlogon.exe
1976	Winlogon.exe
2100	Winlogon.exe
2292	Winlogon.exe
2884	Winlogon.exe
2812	Winlogon.exe
2648	Winlogon.exe
2380	Winlogon.exe
3048	Winlogon.exe
3000	Winlogon.exe
1648	Winlogon.exe
1096	Winlogon.exe
2612	Winlogon.exe
1896	Winlogon.exe
2148	Winlogon.exe
1356	Winlogon.exe
2256	Winlogon.exe
880	Winlogon.exe
2504	Winlogon.exe
3056	Winlogon.exe
2748	Winlogon.exe
2556	Winlogon.exe
2940	Winlogon.exe
2152	Winlogon.exe
1636	Winlogon.exe
2548	Winlogon.exe
2264	Winlogon.exe
2088	Winlogon.exe
2924	Winlogon.exe

Loads dropped DLL 58 IoCs

pid	Process
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe
2408	explorer.exe

UPX packed file 50 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012233-5.dat	upx
behavioral1/memory/2764-18-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2764-22-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral1/memory/604-619-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2764-625-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1976-630-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/604-636-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-641-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1976-646-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2100-656-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2292-667-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2812-674-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2884-679-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2648-686-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2812-691-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2380-698-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2648-702-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3048-710-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2380-714-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3000-723-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3048-727-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1648-737-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3000-742-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1096-752-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1648-757-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2612-768-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1096-774-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1896-783-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2612-787-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2148-797-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2408-801-0x00000000035C0000-0x0000000003615000-memory.dmp	upx
behavioral1/memory/1896-803-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1356-812-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2148-817-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2256-827-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/1356-832-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/880-842-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2256-846-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2408-857-0x00000000035C0000-0x0000000003615000-memory.dmp	upx
behavioral1/memory/2504-858-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/880-863-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3056-875-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2504-880-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2748-892-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/3056-897-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2556-910-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2748-914-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2940-926-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2556-932-0x0000000000400000-0x0000000000455000-memory.dmp	upx
behavioral1/memory/2152-944-0x0000000000400000-0x0000000000455000-memory.dmp	upx

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\Winlogon.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\Winlogon.exe"	Winlogon.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	server.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File created	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\Winlogon.exe	Winlogon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
604	Winlogon.exe
2764	server.exe
2764	server.exe
2764	server.exe
2764	server.exe
604	Winlogon.exe
604	Winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2764	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 2764	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2764	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2764	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2764	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	30
PID 1348 wrote to memory of 2816	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2816	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	31
PID 1348 wrote to memory of 2816	1348	dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe	31
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21
PID 2764 wrote to memory of 1264	2764	server.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\dc5a0a357e82179b15207f49583cb539_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1348
- - C:\Users\Admin\AppData\Local\Temp\server.exe
    "C:\Users\Admin\AppData\Local\Temp\server.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:2408
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:604
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1976
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2100
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2292
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2884
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2812
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2648
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2380
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3048
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3000
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1648
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1096
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2612
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1896
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2148
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1356
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2256
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:880
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2504
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3056
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2748
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2556
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2940
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2152
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1636
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2548
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2264
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2088
    - - C:\Windows\SysWOW64\Winlog\Winlogon.exe
        
        "C:\Windows\system32\Winlog\Winlogon.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2924
- - C:\Users\Admin\AppData\Local\Temp\WindowsApplication1.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsApplication1.exe"
    3⤵
    - Executes dropped EXE
    PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WindowsApplication1.exe

Filesize
70KB

MD5
ad84cb52c41bf267e6a497d8b9f5597c

SHA1
7fa25dd0208fb98f2d67a08633927b683422d69b

SHA256
1683a1503d19c1bc87d9fa53fedc30ce8cb98bfe84fe77c1ab8a04710fab2d59

SHA512
d57ebe90cf53d40538ebffb1d053af2eed717f7a44eb7828729dc6c3aef5bb340de192b965deccd227d82e70268c1ff28530f3af01084352ef0bc36a0ffa61b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
f92d4cf13854cff039a3eb7058d815fc

SHA1
2b32b85e705c26366ede6805ffa7ac01db343bc3

SHA256
6b14808117922fb1dcc680c2dd6ee6b4c1bfad554d7c370b92cdcf3f8f29786e

SHA512
132037538027fe833e3851d403c744a4da67d7851769baaaa84e263df799a3d3c7bdb9f29931d9c9cf3dfac69f03c79899edfcd93618b1073a952495e560c274

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
f715c471f310c693fbda28cb4a9ccb01

SHA1
cecfc8d37d8fb42c4687a7d936ca1e94295cea7d

SHA256
8def7896a0d13c7df31d11626d5586acbc3b083c85d078f327dce425e676b14a

SHA512
0a3ad745c99a51371ad45cab7e912c4a9ab8a7d5730a65961c7fc5bd536bfc7ff22af7c7523a9318b8578b5ccf41ac973ffc2844b04cca83baea6ba1979cf9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
f97f86352aaa8723f19e5b1563e7ac28

SHA1
c729e6ef42c318bf369377b3319c1936161101ab

SHA256
697ddd75caf1496bfe7788e6cb3e7c771a5e6cc3fcb23fdf52a93492904abfc0

SHA512
f0fd816a7874d57faf1de5857e129cb14f1e1e28534cd9bb1e5990b899ee1df975378e702f9352a5d6808c2589b0584ce3214e8fb2c75ac4a7d2f7542c05d290

Download Submit
C:\Users\Admin\AppData\Local\Temp\server.exe

Filesize
270KB

MD5
6396fd7eb87d28080aff95cb1f77d8bc

SHA1
8f11e331f88ba4061e8e907b58a28e7c4e15c722

SHA256
5ea76f76a6fb848d3008ddc6a1c4396edfe94b286a8f9ce6860cdcfa5992be73

SHA512
93877c74c715768ed4a7910f74f9d0bb997dd67d6c78fe091080f42f74fa9c57ed267fbc5226c481695f7e9dc946fcccc1ac49cd159d92e6ebb3fce530e7548a

Download Submit
memory/604-619-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/604-636-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/880-863-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/880-842-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1096-752-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1096-774-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1264-23-0x0000000002A30000-0x0000000002A31000-memory.dmp

Filesize
4KB

Download
memory/1348-14-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-622-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/1348-13-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-618-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/1348-0-0x000007FEF4F1E000-0x000007FEF4F1F000-memory.dmp

Filesize
4KB

Download
memory/1356-812-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1356-832-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1648-737-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1648-757-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1896-803-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1896-783-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1976-646-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1976-630-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-656-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2100-641-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-797-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2148-817-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2152-944-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2256-846-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2256-827-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2292-667-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2380-714-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2380-698-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2408-767-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-816-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-931-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-930-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-913-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-908-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-678-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-909-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-896-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-891-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-736-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-879-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-673-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-751-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-756-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-665-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-878-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-652-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-773-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-650-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-635-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-782-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-786-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-873-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-634-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-796-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-795-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-801-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-628-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-802-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-811-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-874-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-815-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-862-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-857-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-826-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-616-0x0000000003BB0000-0x0000000003C05000-memory.dmp

Filesize
340KB

Download
memory/2408-831-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-856-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-845-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2408-841-0x00000000035C0000-0x0000000003615000-memory.dmp

Filesize
340KB

Download
memory/2504-880-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2504-858-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2556-910-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2556-932-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2612-787-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2612-768-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2648-686-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2648-702-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2748-914-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2748-892-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2764-625-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2764-22-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/2764-18-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2812-691-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2812-674-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2816-16-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-17-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-623-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2816-15-0x000007FEF4C60000-0x000007FEF55FD000-memory.dmp

Filesize
9.6MB

Download
memory/2884-679-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2940-926-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-723-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3000-742-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-727-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3048-710-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3056-897-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/3056-875-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download