cybergate | 2f5bdc3c1540373a46565095571394adbe591b3b8b11322aefe461111d650d42

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/03/2025, 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe
Size

903KB
MD5

84c8b1fbeeb717c572934e564de714f4
SHA1

2609343d195368a5b118e4d5b4587b11680c109b
SHA256

2f5bdc3c1540373a46565095571394adbe591b3b8b11322aefe461111d650d42
SHA512

d5fd6e30e64591cb8f3bcdf0e7e65f93ce3f9331516e6f8560a4124c3d0cd41a568442b04644ebee13582ecfc910a19008ddbe67dcb6979bdb650fc462b556b9
SSDEEP

12288:NBJHa4SSqrzuhQ88jIYSl10R/IqSBk58tKTGPM2Leov6uqoi2W+/gF1chxGZZlxt:NrHaFSIR/998CGPMAHgzmxGE0

Score

10^/10

cybergate viko89 discovery persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

v1.01.0

Botnet

viko89

124.123.38.124:82

Mutex

CyberGate1

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
30
injected_process
explorer.exe
install_dir
Winlog
install_file
winlogonn.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Remote Administration anywhere in the world.
message_box_title
CyberGate
password
allahisgreat
regkey_hkcu
HKCU
regkey_hklm
HKLM

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate
Cybergate family
cybergate

Adds policy Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	winlogonn.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 62 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogonn.exe Restart"	Crypted.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe Restart"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{060450C4-878T-I7DL-13H6-74778Q4GEE5U}\StubPath = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe Restart"	winlogonn.exe

Executes dropped EXE 30 IoCs

pid	Process
2468	Crypted.exe
1128	winlogonn.exe
1516	winlogonn.exe
2212	winlogonn.exe
1764	winlogonn.exe
1484	winlogonn.exe
3048	winlogonn.exe
3056	winlogonn.exe
2012	winlogonn.exe
2864	winlogonn.exe
2800	winlogonn.exe
2840	winlogonn.exe
2816	winlogonn.exe
2296	winlogonn.exe
1920	winlogonn.exe
1580	winlogonn.exe
1148	winlogonn.exe
2956	winlogonn.exe
2260	winlogonn.exe
1096	winlogonn.exe
536	winlogonn.exe
1848	winlogonn.exe
2656	winlogonn.exe
292	winlogonn.exe
2284	winlogonn.exe
352	winlogonn.exe
2788	winlogonn.exe
2688	winlogonn.exe
2164	winlogonn.exe
1548	winlogonn.exe

Loads dropped DLL 58 IoCs

pid	Process
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe
828	explorer.exe

Adds Run key to start application 2 TTPs 62 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\Winlog\\winlogonn.exe"	Crypted.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\SysWOW64\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\Winlog\\winlogonn.exe"	winlogonn.exe

Drops file in System32 directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	Crypted.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	Crypted.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File opened for modification	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe
File created	C:\Windows\SysWOW64\Winlog\winlogonn.exe	winlogonn.exe

UPX packed file 44 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016652-8.dat	upx
behavioral1/memory/2468-11-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2468-16-0x0000000024010000-0x0000000024070000-memory.dmp	upx
behavioral1/memory/828-567-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/2468-572-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/828-573-0x0000000003BC0000-0x0000000003C16000-memory.dmp	upx
behavioral1/memory/828-578-0x0000000024070000-0x00000000240D0000-memory.dmp	upx
behavioral1/memory/1128-587-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1516-595-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2212-606-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1764-615-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/828-621-0x0000000003BC0000-0x0000000003C16000-memory.dmp	upx
behavioral1/memory/1484-626-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3056-634-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/3048-638-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/828-645-0x0000000003BC0000-0x0000000003C16000-memory.dmp	upx
behavioral1/memory/3056-650-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2012-662-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2864-674-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2800-686-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2840-699-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2296-709-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2816-713-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1920-724-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2296-727-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1920-737-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1580-748-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1148-759-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2956-772-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/828-782-0x0000000003BC0000-0x0000000003C16000-memory.dmp	upx
behavioral1/memory/2260-786-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1096-798-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/536-814-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2656-826-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1848-829-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/292-841-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2656-845-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/292-859-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2284-874-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/352-890-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/828-906-0x0000000003BC0000-0x0000000003C16000-memory.dmp	upx
behavioral1/memory/2788-907-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2688-925-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1548-940-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Crypted.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1128	winlogonn.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
1128	winlogonn.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
2468	Crypted.exe
1516	winlogonn.exe
1128	winlogonn.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2468	Crypted.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2468	2016	JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe	30
PID 2016 wrote to memory of 2468	2016	JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe	30
PID 2016 wrote to memory of 2468	2016	JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe	30
PID 2016 wrote to memory of 2468	2016	JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe	30
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21
PID 2468 wrote to memory of 1204	2468	Crypted.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_84c8b1fbeeb717c572934e564de714f4.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Users\Admin\AppData\Local\Temp\Crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
    3⤵
    - Adds policy Run key to start application
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      Adds policy Run key to start application
      Boot or Logon Autostart Execution: Active Setup
      Loads dropped DLL
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:828
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1128
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1516
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2212
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1764
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1484
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3048
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3056
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2012
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2864
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2800
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2840
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2816
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2296
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1920
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1580
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1148
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2956
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2260
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1096
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:536
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1848
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2656
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:292
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2284
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:352
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2788
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2688
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2164
    - - C:\Windows\SysWOW64\Winlog\winlogonn.exe
        
        "C:\Windows\system32\Winlog\winlogonn.exe"
        5⤵
        Adds policy Run key to start application
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypted.exe

Filesize
274KB

MD5
919dd12016105c1c493266b8cf953be4

SHA1
c10905f567ed84e902558dc28a4403e31d9156f5

SHA256
a59d766c381fe3fa7f273b42ecc646a8ccca83d432dac96d75aebb422539a3f9

SHA512
7e8a9ad5b0c1d306f0b75c49d01de7dc006c28180152a4191b38e6486d3e0ac5f67cb2cf1fbaf0f9729a821d44a2117a511635720046245a39f6d1cd6ba3e47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
55d3f623c6ca6abc5ef4065b90f4b819

SHA1
1673dd7e6a9ab865ef9f0d6ba62097225b8b48c8

SHA256
add9d847001f41cf1c6ad5f15d835b77eff0fb6ee7ac9defc801e1873e2f4b77

SHA512
8509ad33d53eba356a076f8c9023de0d1a15415427ba47f51639ff31093b950d88b52d98a271b48ed2e78ea53cc2d3cb8ad44d3a1a70051963f55c861470d50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
bdb3c1f3758bfc38ff350b12945b44e5

SHA1
72e052cff4942a3edfeb4015475c2697eae54da7

SHA256
04bee1d0c123c172984fa808e070972232c1fcc505452d02ea82cef2c6e48b86

SHA512
35a84800887a8195c5fcb326194450a664b8275141d43f8b082b10a40755d88f167841bf3aed45b40cb63dceabc46c5f0ba94210226ccd279e439065c31deda2

Download Submit
C:\Users\Admin\AppData\Local\Temp\XX--XX--XX.txt

Filesize
227KB

MD5
af61e40bb6fefb8cc39bafd1630dce8f

SHA1
8a854139b4305ed184eb73ca47c677c44aa50cf5

SHA256
15c4c1213a79675ec0f2ea4ea16fadee790c65dd4cb6dc6faeb0313e937b1a78

SHA512
e3cee1a34fea429ac7c0db231b2005a4013f2ac79aac0e30647ae15e7545e7417c41aa1fc5b9cf74669bf371bde4ffb9020c7c5443ad5e3c676dcb7d1fc64aac

Download Submit
memory/292-859-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/292-841-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/352-890-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/536-814-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/828-661-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-645-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-567-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/828-261-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/828-812-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-573-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-578-0x0000000024070000-0x00000000240D0000-memory.dmp

Filesize
384KB

Download
memory/828-582-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-922-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-769-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-386-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/828-825-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-601-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-600-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-809-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-782-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-621-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-633-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/828-906-0x0000000003BC0000-0x0000000003C16000-memory.dmp

Filesize
344KB

Download
memory/1096-798-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1128-587-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1148-759-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1204-17-0x0000000002870000-0x0000000002871000-memory.dmp

Filesize
4KB

Download
memory/1484-626-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1516-595-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1548-940-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1580-748-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1764-615-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1848-829-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1920-724-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1920-737-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2012-662-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2016-3-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-2-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-0-0x000007FEF5F5E000-0x000007FEF5F5F000-memory.dmp

Filesize
4KB

Download
memory/2016-1-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2016-12-0x000007FEF5CA0000-0x000007FEF663D000-memory.dmp

Filesize
9.6MB

Download
memory/2212-606-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2260-786-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2284-874-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2296-709-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2296-727-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2468-11-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2468-572-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2468-16-0x0000000024010000-0x0000000024070000-memory.dmp

Filesize
384KB

Download
memory/2656-826-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2656-845-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2688-925-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2788-907-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2800-686-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2816-713-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2840-699-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2864-674-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2956-772-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3048-638-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3056-634-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/3056-650-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download