7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
Size

452KB
MD5

6b2e05f5caa933b3baeb6c086fc1f91f
SHA1

450ef99d4fe7939583488f2a970eba59d6f936d3
SHA256

7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914
SHA512

640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94
SSDEEP

3072:1+kZqVeInSk82TfatZ9mD5fvNj6kECsjZ:1jaSk8iCtPmD5Hl6ysN

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
808	winlogon.exe
872	winlogon.exe
432	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netinfo.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\undoboot.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-prot95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restart.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1312-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1312-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1312-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1312-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1312-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1312-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/872-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/432-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/432-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/432-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/432-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/872-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/432-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 808 set thread context of 872	808	winlogon.exe	31
PID 872 set thread context of 432	872	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://oj1nc6qay360kx3.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://s1seu54sc25id6h.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://l3l8xqw580504pp.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000204344230894420cf5bf875d8cb9c4be14dcf8fb82c79b48676dea8ffc1579b0000000000e8000000002000020000000c2f4e480008d69232daa488c0dc304c813dbc2618c5e95590a9c9779756f1bba900000002c656416ab23a808ae935984f6925f0c59e84b60941059df9f029c3d090aec31d01cad7f7169a271d90dca0828c6ce9f4e04fba2774907ace71c5186bcd791ad3a2a55d23d4412504cd61d6b7e6514623e8669652abadd73a88e9d954d5b20e1d5c87959eb984ad2cb39095f3e236995c747b65bbdefdc9921a75b56bed3de6db57ddbe5c8ada78f06a4083fe094340640000000695f1da4cedb484a3473fbcf733bec5714ad9b596f8f9dbb9cbacad79bb23d022306d711cdeaddb53aed4c557662d1bd4748192db3da38d0eb9774f95625737b	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00f3655d2d7d801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "371640094"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://0yxlo34y9516ct1.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://uznce29z7896f15.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8876BA31-43C5-11ED-979A-4A7553B9BC92} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://l5y4sj3462rxlx4.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000056a28725148acf031909b3d33490fa1be6578ca394f0469a11166f56617d5962000000000e8000000002000020000000010020ce6e75953f90ec0cbd48ae82b300f2264b60f4bdeb6cb61e300896db16200000008abd6902ac43b47a993155cfa7c65b5bb590914aa5ba5ddb9d944bbd60ffcd68400000004b71030e4b47120ede94217cb9cf7548c728df3f2373982efda7da2c1bef312568a99b581f7ba01ca14f06e87b8ecf06d16e28da79080cb21fb8cac3d65a2f53	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://0o89wf31g9d5qts.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://ymx9y39bqap5jp5.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://ppe557pvw7vs552.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://op7x31as0985782.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
432	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	432	winlogon.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1660	iexplore.exe
1660	iexplore.exe
1660	iexplore.exe
1660	iexplore.exe
1660	iexplore.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
872	winlogon.exe
432	winlogon.exe
1660	iexplore.exe
1660	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
1092	IEXPLORE.EXE
1092	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE
1660	iexplore.exe
1660	iexplore.exe
1480	IEXPLORE.EXE
1480	IEXPLORE.EXE
432	winlogon.exe
432	winlogon.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1300	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	27
PID 1720 wrote to memory of 1300	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	27
PID 1720 wrote to memory of 1300	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	27
PID 1720 wrote to memory of 1300	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	27
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1720 wrote to memory of 1312	1720	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	28
PID 1312 wrote to memory of 808	1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	29
PID 1312 wrote to memory of 808	1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	29
PID 1312 wrote to memory of 808	1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	29
PID 1312 wrote to memory of 808	1312	7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe	29
PID 808 wrote to memory of 1120	808	winlogon.exe	30
PID 808 wrote to memory of 1120	808	winlogon.exe	30
PID 808 wrote to memory of 1120	808	winlogon.exe	30
PID 808 wrote to memory of 1120	808	winlogon.exe	30
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 808 wrote to memory of 872	808	winlogon.exe	31
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 872 wrote to memory of 432	872	winlogon.exe	34
PID 1660 wrote to memory of 1480	1660	iexplore.exe	38
PID 1660 wrote to memory of 1480	1660	iexplore.exe	38
PID 1660 wrote to memory of 1480	1660	iexplore.exe	38
PID 1660 wrote to memory of 1480	1660	iexplore.exe	38
PID 1660 wrote to memory of 1968	1660	iexplore.exe	41
PID 1660 wrote to memory of 1968	1660	iexplore.exe	41
PID 1660 wrote to memory of 1968	1660	iexplore.exe	41
PID 1660 wrote to memory of 1968	1660	iexplore.exe	41
PID 1660 wrote to memory of 1092	1660	iexplore.exe	43
PID 1660 wrote to memory of 1092	1660	iexplore.exe	43
PID 1660 wrote to memory of 1092	1660	iexplore.exe	43
PID 1660 wrote to memory of 1092	1660	iexplore.exe	43
PID 1660 wrote to memory of 2232	1660	iexplore.exe	45
PID 1660 wrote to memory of 2232	1660	iexplore.exe	45
PID 1660 wrote to memory of 2232	1660	iexplore.exe	45
PID 1660 wrote to memory of 2232	1660	iexplore.exe	45

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
"C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1300
- C:\Users\Admin\AppData\Local\Temp\7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:808
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1120
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:872
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:432

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1456

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1480
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:603142 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:603150 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1092
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1660 CREDAT:472079 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
38af42645d29e5ed14e268600393f4ef

SHA1
bcd67c8ec44e6c4eb257115e4610a994fb45cae6

SHA256
78c949a8743fa19ae049d0dee5bb1564e12ae62a21444f9800230735042f0544

SHA512
49bdecb522fb1202f1ffb0057edd113cd391b8cf7d949fd7f74820658b40afd6f037af471b627a7ce0a6a44711d4a5ed5a75231c2a82865e9634655ca2423f0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
a2323ba13cd25c27bd921b392230e955

SHA1
9039bc1cb29044c6421bcc80f3c381588fdd20e7

SHA256
3bab4e8177d87c85a4a6381f8da4e0981a71f7a825623f6eb6bee1c542b58053

SHA512
8266e01a62961d7b0060f9df66d4f146d4ea43bc233d6352925ac3a96c3671ba8ce365da73501d04f6df039e53689c06e1e7d3e44c3925299a0b86ff44b01367

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
f0a701f10d757fef714bcafafdbc2daf

SHA1
c2db487c6af7b96074b826f6f69f2ea38c0f2f4b

SHA256
b8b0e51b81996b5c5895b9871c9884a31e24b21c170d6833cfd37078593ee383

SHA512
f836ca791bf20aeb8ff71277ec4314049bd55e36035f94574c04832ed05d26390ff490c99681d836d4cb79a588411dfaa697165d78d232e57819ec14b9d66697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
5a11c6099b9e5808dfb08c5c9570c92f

SHA1
e5dc219641146d1839557973f348037fa589fd18

SHA256
91291a5edc4e10a225d3c23265d236ecc74473d9893be5bd07e202d95b3fb172

SHA512
c2435b6619464a14c65ab116ab83a6e0568bdf7abc5e5a5e19f3deaf56c70a46360965da8b60e1256e9c8656aef9751adb9e762731bb8dbab145f1c8224ac8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8

Filesize
472B

MD5
b45b15bb651cc185ea82d91a51f06b5a

SHA1
44987727be72bb12b4e4fc4fac50145835512750

SHA256
f0b61426de169cf2efde87ac98d5123ea785004ad05c05932a099b644b2fdf64

SHA512
55a113bd3767b6a70aafbaa02ea65e8630881ad7f8adb6a5b684ddff56b8b0cec63967e7e9e9314f258261ff84307f7502bdac66df01f9c0981ff3daf4fda579

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d8a6d4587b78cc4c62a204e8e2122e4b

SHA1
c800a55ed17ba3c882a84d4208461d0ff3a2af21

SHA256
8239f802ac7b25b1613661c2834826beccc2ce89c17391d3455e013de537e8f6

SHA512
ab3fcfc4d87551b5946792aa73fea9d48ec9b0d11668f9f29bc31329e1666c76cb6bc4d836fb983b313009e6d0ef58a73650826e2eb477c6e410cdb779727211

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
18c99f71aa68f8bc98bfe857fab9ca95

SHA1
660772d094332e85f9c35443388da40339d3ba9b

SHA256
5db3b2bd3be1ddb4941f0d6ac20f38c4b672420da95e5efc4eb4efa9ef86b0a9

SHA512
401bf078486f58ae8a44fca434ca968ac1f7e1f9f1d2c68e445011a99aa1bcdfdfa5520b16f7825f44855e6423f10af2d1ee0753fec6b449323fbe174671ccde

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3d97abc7b9644786f5134b605b9c595

SHA1
0cbc37ee92619beb04ab471a8aa67d345a79ad89

SHA256
890fe064254934c6ee0e4fad49c8bad9b48a543119c35ff8130c68e1962a3453

SHA512
340ca031ef8ffadc09a5eb51b9641c1f6abd1f76b1bc9c7f1fcad4d18133380f911cf1c69ec23726f86a45d10aaccd94fb1f04e34609e65becefe3e5dbdbd8a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e46c59978fc7662e2cf656289050b554

SHA1
68d5b8bcc0974129da967b0df32ea9fcb5d4664e

SHA256
76726dcd256f98aefb186b24f447fe919a8a1a785010baf7973acce950c33943

SHA512
4703160f9e4c7ce0701ad1dfd77f3e0ae3fded36efbd839914c1aa2f4b5c7169647ccb89ebb4c5fd9e8638623eefe6b0c8f8b05ad196e1e3ba7ee52f9e969387

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0175affa633a50fd66e48017e89b2e2

SHA1
5ccccddea5d553dc974ac7673289d7c445b7da71

SHA256
aca591612110d0975cfac55859d5bc9a50110851c6dda629f901a4b8a3c2a192

SHA512
231539be80428af09adc5cad51aa16921941fbd1b8d2c7d205052d47a5be560caeac9159ca588d4d03cb5c8a010832a0656ba13d7ba859df21a91bdcb6e71415

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
399366c95da1f1394708c21baa9ef2b0

SHA1
f90ac5036d02d78f62d523f37df44d9ac2c4be0d

SHA256
8202ce7a05bae5d40312a95424ccac3a612e5c27f5242659b01f4a2fb1f038f3

SHA512
6112dcb5a0673b94d88dabbbf810aab968fcfabeb64c52697004a95839bbc67dd7e2c7f8a1b1e502bdd23278c36a47e06568b1b03d4dce801d6254de8b48ec15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
6b21e3de914115773f2b97f568dc1037

SHA1
65f7e1188282933e1b11b2db944c35b395dc685c

SHA256
092a82a5954987da085549cec34f449f46ad1fc26ce3f8961ca3a29ca68b9f79

SHA512
c072c16282df33ec4e26e22a57d7f18e3d94890aaceacfd904b929dfc39203ba6f9071663d4524092fef746c5f0c2b4d87f0311080221e7473a4236b390c3c19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
8783720d1bd227e83c8eebe26bf205b2

SHA1
a96a03e59e388e8522a3d7b02e02ecebee72f8c8

SHA256
8891f5347ad792a33ba274bf80889f705938afa75f4e8eb7283aba32e1e87480

SHA512
eb2b60efe2d322b97f7e8d5ad4caca3a9be38b089d5c7bbded2660d123323d199075443a32cab1348767a14483f587f947cce6be5b178f92ea076e90664cb366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8

Filesize
402B

MD5
ac3a72aa2462757fbf17582028303c79

SHA1
3207ac613263c373d8fa94192e40b1ca4a182bbb

SHA256
98321bf61e96ef0e9c0402fe0e3c3bb4d6d4d8376537bb2c01bae1fd0a065ea6

SHA512
4cf8d334523e132a25015d1de8d5714f0b270a14f14e5bd55f061f8919c01fccf85e70811a4626bff3409e498b69320b9cb0657f5cd36d3cbcc663313600fcb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
88fe7e72ccc48b29b6809adefc6b8d3a

SHA1
bd413a912b60a2761b443d754af07e62fb4306d7

SHA256
ba1b8eff8c698f76f2082378a0ec979f449dc68a71d32b9eefce46bf6c518690

SHA512
43a26c9ec080ef4e888b2f2db4b83f6ce93fdfcf88bccad0f9509b85cc52ffb0d9653ea640c3a425b1d3cd8bf73a015c6a3456d23f561ecf6acb62c64021f22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\X2948LUQ\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\TE7DC5T2.txt

Filesize
601B

MD5
0c7a2f9eeffe5bc4f34341cff7441b5c

SHA1
e93c3ff2ea35918b3750adb5c857a78a69a60a58

SHA256
199658620d624a533cbb408c65a2b2264adffdbf1ab9423124dfdaece1d2b9b6

SHA512
72fd36168596578bd25b36526bdbef7e10c8318fe7562c8689f4d49175edf59905c23ccc3906d56b17c3ecb7230cb80efb7bca6507cd6a8d2852112060cee537

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
452KB

MD5
6b2e05f5caa933b3baeb6c086fc1f91f

SHA1
450ef99d4fe7939583488f2a970eba59d6f936d3

SHA256
7be73725bb27497f4e920572565283d42b9d20a2bf3bee907a9d4bda02ae1914

SHA512
640b5e2efe7c68e4f732331a840039b650a63faa5a1cc3d0414934be92f49cc9bc080792137bcb8af206c0dcf8c4d1f5d2031d82907fc523bcb93c388bb5cf94

Download Submit
memory/432-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/432-119-0x0000000003A80000-0x0000000004AE2000-memory.dmp

Filesize
16.4MB

Download
memory/872-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/872-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1312-66-0x00000000765B1000-0x00000000765B3000-memory.dmp

Filesize
8KB

Download