Analysis
max time kernel: 149s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/12/2024, 22:21
Static task: static1
Behavioral task: behavioral1
  Sample: f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2 (the run whose results appear on this page)
  Sample: f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe
Size: 809KB
MD5: f9125c9bee0155403e07299ead7217e5
SHA1: d4f4370b64b6447186554a0aa9b1a28db0793794
SHA256: e9802f475acad40c110201c262e83ad8fd737780cfe4bd235553eaa2552d442f
SHA512: fd0f6cbb759c9762bf8a5caaa5ee4032f029a064339d8e0c5bc4aed1a2b6256ea45e93e14bd7eab0a4cf93fe712ce377d9726470d78243fdb1e72b7953175320
SSDEEP: 12288:kcocMkCvNda/bDPhUrCPxku3J8IMB5w3Rin3/iZl7DPosp5QjcfrP4+/AIC:kcozL0lUE1isig7hocj4DIC
Malware Config
Signatures
Darkcomet family
Modifies WinLogon for persistence (2 TTPs, 46 IoCs)
On a clean install UserInit holds a single entry, C:\Windows\system32\userinit.exe (with a trailing comma), and Winlogon starts every program listed there at each interactive logon, which is what makes the key a persistence point. The appended path C:\Windows\system32\WinLogon\winlogon.exe is not the system's winlogon.exe (C:\Windows\System32\winlogon.exe) but a file in a look-alike subdirectory. The process column gives only an image name, so it cannot by itself tell that file apart from the real winlogon.exe; confirm the writer's full image path in the process tree before attributing the writes.
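As an added example, not code from tria.ge or from the report, the following Python parses IoC rows in the rendered format used by the table below (Set value (str) <key> = "<value>" <process>), splits the UserInit value and flags anything beyond the default userinit.exe entry, counting how many times each extra path was appended and marking paths whose basename mimics a System32 binary but which live outside System32. The row regex, the SYSTEM_BINARIES list and the sample rows are assumptions constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Key the signature fires on; a clean install holds exactly one entry here
# (the trailing comma after userinit.exe is normal).
USERINIT_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit"
EXPECTED_USERINIT = {r"c:\windows\system32\userinit.exe"}

# Binaries that live directly in System32; the same name anywhere else is a
# masquerade. Assumed list for this example, extend as needed.
SYSTEM_BINARIES = {"winlogon.exe", "userinit.exe", "explorer.exe", "csrss.exe"}
SYSTEM32 = r"c:\windows\system32"

# Row shape as rendered in the report: Set value (<type>) <key> = "<value>" <process>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<process>\S+)$'
)


@dataclass
class Finding:
    process: str          # image name as reported (name only, not a full path)
    total_entries: int    # entries in the UserInit value, userinit.exe included
    unexpected: Counter   # non-default path -> number of appended copies
    masquerades: list     # unexpected paths whose basename mimics a System32 binary


def parse_row(row):
    """Split one IoC row into (key, value, process); None if it does not match."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    # The report renders backslashes inside the quoted value doubled; undo that.
    value = m.group("value").replace("\\\\", "\\")
    return m.group("key"), value, m.group("process")


def split_userinit(value):
    """UserInit is a comma-separated list; empty items (trailing comma) are dropped."""
    return [item.strip() for item in value.split(",") if item.strip()]


def is_masquerade(path):
    """True when a System32 binary name appears in any directory other than System32."""
    directory, _, name = path.lower().rpartition("\\")
    return name in SYSTEM_BINARIES and directory != SYSTEM32


def analyze_row(row):
    """Finding for a UserInit write that adds anything beyond the default, else None."""
    parsed = parse_row(row)
    if parsed is None:
        return None
    key, value, process = parsed
    if key.lower() != USERINIT_KEY.lower():
        return None
    entries = split_userinit(value)
    unexpected = Counter(e for e in entries if e.lower() not in EXPECTED_USERINIT)
    if not unexpected:
        return None
    masquerades = sorted(p for p in unexpected if is_masquerade(p))
    return Finding(process, len(entries), unexpected, masquerades)


def scan(rows):
    """Run analyze_row over many rows and keep only the hits."""
    return [f for f in map(analyze_row, rows) if f is not None]


# Constructed sample rows in the report's format (not taken from the report).
SAMPLE_ROWS = [
    # Default value written by an ordinary process: must not fire.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe," explorer.exe',
    # Look-alike path appended twice, the shape of the report's first row: must fire.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe',
    # A different Winlogon value: out of scope for this check.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" explorer.exe',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ROWS):
        print(f"{f.process}: {f.total_entries} entries, extra {dict(f.unexpected)}, "
              f"masquerades {f.masquerades}")
```

Run it as a script to print findings for the constructed rows, or replace SAMPLE_ROWS with rows copied from a report. The repeat count in `unexpected` is what distinguishes a single install from the growing values seen in the table: a value with dozens of copies of the same path means the writer appended itself on every run rather than checking whether it was already present.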
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" | winlogon.exe
Every row listed on the page has the same description (Set value (str)), the same key (\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit) and the same process (winlogon.exe), and every value is C:\\Windows\\system32\\userinit.exe followed by N comma-separated copies of C:\\Windows\\system32\\WinLogon\\winlogon.exe. The rows differ only in N; the first row, shown in full above, has N = 2. N for the 29 complete rows, in page order:
2, 16, 18, 20, 27, 45, 3, 19, 38, 46, 43, 4, 8, 12, 21, 24, 34, 11, 22, 23, 28, 32, 14, 25, 30, 31, 36, 5, 13
The page is cut off inside the 30th row, after its key; the remainder of the 46 IoCs is not shown:
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe Set value 
(str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system
32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLog
on\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlog
on.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\
\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = 
"C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe,C:\\Windows\\system32\\WinLogon\\winlogon.exe" winlogon.exe -
Checks BIOS information in registry 2 TTPs 46 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (1 row)
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate winlogon.exe (45 identical rows)
-
Checks computer location settings 2 TTPs 46 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (1 row)
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation winlogon.exe (45 identical rows)
-
Executes dropped EXE 64 IoCs
Adds Run key to start application 2 TTPs 46 IoCs
Drops file in System32 directory 64 IoCs
Suspicious use of SetThreadContext 46 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry (2 TTPs, 46 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe (34 rows)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (1 row)
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | winlogon.exe (11 rows)
Modifies registry class (46 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe (34 rows)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (1 row)
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | winlogon.exe (11 rows)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
1548 | EINJECTOR.EXE (54 rows)
2124 | EINJECTOR.EXE (8 rows)
2700 | EINJECTOR.EXE (1 row)
4036 | EINJECTOR.EXE (1 row)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
PID 1608 f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (24 rows), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 3708 winlogon.exe (24 rows), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
PID 1548 EINJECTOR.EXE (1 row), Token: SeDebugPrivilege
PID 5052 winlogon.exe (15 rows), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege
Suspicious use of SetWindowsHookEx (46 IoCs)
pid | Process
1112 | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe
winlogon.exe (45 rows), PIDs in order: 5024, 4892, 4756, 1888, 4324, 948, 452, 3488, 4536, 5076, 1380, 4852, 3672, 948, 3596, 2396, 5048, 3492, 4932, 2884, 3580, 640, 1752, 412, 4780, 4640, 3612, 3080, 3524, 4280, 2476, 3716, 2008, 1048, 1524, 3600, 784, 3456, 1632, 1732, 2964, 3460, 3124, 2300, 4420
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 1112 wrote to memory of 1608 | 1112 | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe | 82 (14 rows)
PID 1608 wrote to memory of 2700 | 1608 | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe | 83 (3 rows)
PID 1608 wrote to memory of 5024 | 1608 | f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe | 84 (3 rows)
PID 5024 wrote to memory of 3708 | 5024 | winlogon.exe | 87 (14 rows)
PID 3708 wrote to memory of 1548 | 3708 | winlogon.exe | 89 (3 rows)
PID 3708 wrote to memory of 4892 | 3708 | winlogon.exe | 91 (3 rows)
PID 4892 wrote to memory of 5052 | 4892 | winlogon.exe | 92 (14 rows)
PID 5052 wrote to memory of 3076 | 5052 | winlogon.exe | 94 (3 rows)
PID 5052 wrote to memory of 4756 | 5052 | winlogon.exe | 95 (3 rows)
PID 4756 wrote to memory of 2168 | 4756 | winlogon.exe | 98 (4 rows)
Processes

C:\Users\Admin\AppData\Local\Temp\f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 1112

C:\Users\Admin\AppData\Local\Temp\f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe (depth 2)
Command line: "C:\Users\Admin\AppData\Local\Temp\f9125c9bee0155403e07299ead7217e5_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 1608

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 3)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID: 2700

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 3)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 5024

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 4)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3708

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 5)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 1548

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 5)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4892

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 6)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 5052

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 7)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
PID: 3076

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 7)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 4756

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 8)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
PID: 2168

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 9)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 2124

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 9)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1888

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 10)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 936

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 11)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 4036

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 11)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4324

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 12)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 1960

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 13)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
PID: 3096

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 13)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 948

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 14)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
PID: 3804

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 15)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 4300

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 15)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 452

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 16)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 1112

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 17)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2024

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 17)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3488

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 18)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 2568

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 19)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
PID: 1204

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 19)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 4536

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 20)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 4596

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 21)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2564

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 21)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5076

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 22)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 4232

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 23)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3264

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 23)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1380

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 24)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 4616

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 25)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
PID: 2784

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 25)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 4852

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 26)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 3812

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 27)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3472

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 27)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3672

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 28)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID: 4548

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 29)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 3284

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 29)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 948

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 30)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID: 2404

C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE (depth 31)
Command line: "C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"
- Executes dropped EXE
PID: 4588

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 31)
Command line: "C:\Windows\system32\WinLogon\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID: 3596

C:\Windows\SysWOW64\WinLogon\winlogon.exe (depth 32)
Command line: "C:\Windows\SysWOW64\WinLogon\winlogon.exe"
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:3640 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1212
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"33⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2396 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"34⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"35⤵
- Executes dropped EXE
PID:1568
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"35⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5048 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"36⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:5072 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"37⤵
- Executes dropped EXE
PID:388
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"37⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3492 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"38⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1564 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"39⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4932 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"40⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1780 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"41⤵
- Executes dropped EXE
PID:1168
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"41⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2884 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"42⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:404 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"43⤵
- Executes dropped EXE
PID:948
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"43⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3580 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"44⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Enumerates system info in registry
- Modifies registry class
PID:3884 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"45⤵
- Executes dropped EXE
PID:4540
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"45⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:640 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"46⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2396 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"47⤵
- System Location Discovery: System Language Discovery
PID:4424
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"47⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1752 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"48⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"49⤵
- System Location Discovery: System Language Discovery
PID:4968
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"49⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:412 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"50⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"51⤵
- System Location Discovery: System Language Discovery
PID:652
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"51⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4780 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"52⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4860 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"53⤵
- System Location Discovery: System Language Discovery
PID:3672
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"53⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4640 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"54⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"55⤵
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"55⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3612 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"56⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1364 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"57⤵PID:4836
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"57⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3080 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"58⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID:3928 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"59⤵
- System Location Discovery: System Language Discovery
PID:940
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"59⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3524 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"60⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID:1332 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"61⤵
- System Location Discovery: System Language Discovery
PID:3664
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"61⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4280 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"62⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"63⤵PID:3480
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"63⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2476 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"64⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1708 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"65⤵
- System Location Discovery: System Language Discovery
PID:4796
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"65⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3716 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"66⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:708 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"67⤵PID:3576
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"67⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2008 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"68⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:208 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"69⤵
- System Location Discovery: System Language Discovery
PID:1072
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"69⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1048 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"70⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2380 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"71⤵PID:3376
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"71⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1524 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"72⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2540 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"73⤵
- System Location Discovery: System Language Discovery
PID:1604
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"73⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3600 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"74⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2456 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"75⤵
- System Location Discovery: System Language Discovery
PID:2888
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"75⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:784 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"76⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4004 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"77⤵
- System Location Discovery: System Language Discovery
PID:2476
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"77⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3456 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"78⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"79⤵PID:784
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"79⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1632 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"80⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:2632 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"81⤵PID:3456
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"81⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1732 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"82⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID:3316 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"83⤵
- System Location Discovery: System Language Discovery
PID:4148
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"83⤵
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2964 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"84⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Modifies registry class
PID:4640 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"85⤵
- System Location Discovery: System Language Discovery
PID:3416
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"85⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3460 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"86⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:928 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"87⤵
- System Location Discovery: System Language Discovery
PID:512
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"87⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3124 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"88⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1512 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"89⤵PID:4884
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"89⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:2300 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"90⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"91⤵PID:1312
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"91⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4420 -
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\SysWOW64\WinLogon\winlogon.exe"92⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
PID:3128 -
C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"C:\Users\Admin\AppData\Local\Temp\EINJECTOR.EXE"93⤵
- System Location Discovery: System Language Discovery
PID:4944
-
-
C:\Windows\SysWOW64\WinLogon\winlogon.exe"C:\Windows\system32\WinLogon\winlogon.exe"93⤵PID:2600
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 7KB
  MD5: beaf4f5653f696aa557cdb89dacd0a34
  SHA1: a1e28403f150f1ffc068860170a474b6b64269ff
  SHA256: d45fa3b5fdd5caabc6d4806cc77c628c41e431f8be2e89a2a36282d03539b6dd
  SHA512: 6c8934755dee21bb40483886a990f4e219b316ddb7a79224b29d92a6e1ed77c500eba50ec9ac0566f5b8c72783991096d7cd1d36a0c69c63fef5d33f6661d096
- Filesize: 809KB
  MD5: f9125c9bee0155403e07299ead7217e5
  SHA1: d4f4370b64b6447186554a0aa9b1a28db0793794
  SHA256: e9802f475acad40c110201c262e83ad8fd737780cfe4bd235553eaa2552d442f
  SHA512: fd0f6cbb759c9762bf8a5caaa5ee4032f029a064339d8e0c5bc4aed1a2b6256ea45e93e14bd7eab0a4cf93fe712ce377d9726470d78243fdb1e72b7953175320