Analysis
-
max time kernel
148s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system -
submitted
11-10-2022 18:21
Behavioral task
behavioral1
Sample
5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
Resource
win10v2004-20220812-en
General
-
Target
5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
-
Size
3.1MB
-
MD5
661f852723b74b77648e4a364abe2ef8
-
SHA1
4ac342f74a9b28678fbc9204403c20267f6ace16
-
SHA256
5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599
-
SHA512
887f7dafa1578094b76e07a9fabc3e11e051eb816dac32b36410f9967bff60cc0dd9028f8b3d9cdc957ac497f6fe04d2a47badc32c14418253efe69decb6d6ec
-
SSDEEP
3072:xo/zSvL4LXXgZmdZ40LmFPTmnT1Z3IgUQiTFMeeMD4:MzSvL8gmD40LwanjUQaFX/4
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" winlogon.exe
-
Modifies security service 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
-
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe
-
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe
-
Executes dropped EXE 3 IoCs
pid Process
1292 winlogon.exe
568 winlogon.exe
820 winlogon.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanv95.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-nt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpm.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95ct.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wradmin.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlh.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navengnavex15.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rrguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vmsrvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe
-
resource yara_rule
behavioral1/memory/1928-55-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1444-57-0x00000000009F0000-0x0000000000A2B000-memory.dmp upx
behavioral1/memory/1928-59-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1928-60-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/files/0x000b000000012301-64.dat upx
behavioral1/files/0x000b000000012301-65.dat upx
behavioral1/files/0x000b000000012301-67.dat upx
behavioral1/files/0x000b000000012301-69.dat upx
behavioral1/memory/1928-73-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1292-75-0x0000000000EA0000-0x0000000000EDB000-memory.dmp upx
behavioral1/files/0x000b000000012301-74.dat upx
behavioral1/memory/1928-71-0x00000000009F0000-0x0000000000A2B000-memory.dmp upx
behavioral1/memory/568-78-0x0000000000EA0000-0x0000000000EDB000-memory.dmp upx
behavioral1/memory/820-82-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/files/0x000b000000012301-84.dat upx
behavioral1/memory/820-87-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/820-88-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/568-92-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/820-93-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/820-94-0x0000000000400000-0x0000000000443000-memory.dmp upx
-
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe winlogon.exe
-
Loads dropped DLL 2 IoCs
pid Process
1928 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
1928 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe
-
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
-
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 1444 set thread context of 1928 1444 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe 28
PID 1292 set thread context of 568 1292 winlogon.exe 31
PID 568 set thread context of 820 568 winlogon.exe 32
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no" winlogon.exe
-
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://57l801xl2q4um07.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com IEXPLORE.EXE
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372303862" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://j2lk41jp9dx77w1.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://433j39trp0l700h.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://dyg53ix24k8mm8w.directorio-w.com" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0204bc9dbddd801 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://f7b5s03md9guo4d.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000df6db0d4fb3daf1b43f650f54c9775ca98e5a7fece61333fb65dcd0c33494bba000000000e8000000002000020000000cba7943be7b8f2fc9c9b062c88183b9798629d1ef3bec0a814d841ed54c4c922200000007aa502f349b796bbb7a529e7a4852a5ecfe733c2871a809c979f3f30e4e9d1114000000022683ce853787cb4588f537abead291e34022137eadb30b402e37d1706ec4e7d214954ca195688bc7ba4b5a0d4d12e25baaaedbd381cfa9001151add15f46d3f iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://wkmx2e89y3z0ve0.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://vezg4k3021817we.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FC500291-49CE-11ED-B4FB-76D99E3F6056} = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://z1q9640nh491t19.directorio-w.com" winlogon.exe
Key created \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://a3tydoa3f81x9u8.directorio-w.com" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://z433vy42k01s1cx.directorio-w.com" winlogon.exe
-
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
820 | winlogon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeBackupPrivilege | 820 | winlogon.exe
Suspicious use of FindShellTrayWindow 11 IoCs
pid | Process
1824 | iexplore.exe (11 identical rows)
Suspicious use of SetWindowsHookEx 47 IoCs
pid | Process ("(x2)" marks two consecutive identical rows)
1928 | 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
568 | winlogon.exe
820 | winlogon.exe
1824 | iexplore.exe (x2)
1964 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
884 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
1644 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
944 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
1964 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
2400 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
884 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
2724 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
1644 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
3040 | IEXPLORE.EXE (x2)
1824 | iexplore.exe (x2)
944 | IEXPLORE.EXE (x2)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target ("(xN)" marks N consecutive identical rows)
PID 1444 wrote to memory of 1948 | 1444 | 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe | 27 (x4)
PID 1444 wrote to memory of 1928 | 1444 | 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe | 28 (x9)
PID 1928 wrote to memory of 1292 | 1928 | 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe | 29 (x4)
PID 1292 wrote to memory of 2012 | 1292 | winlogon.exe | 30 (x4)
PID 1292 wrote to memory of 568 | 1292 | winlogon.exe | 31 (x9)
PID 568 wrote to memory of 820 | 568 | winlogon.exe | 32 (x9)
PID 1824 wrote to memory of 1964 | 1824 | iexplore.exe | 38 (x4)
PID 1824 wrote to memory of 884 | 1824 | iexplore.exe | 40 (x4)
PID 1824 wrote to memory of 1644 | 1824 | iexplore.exe | 41 (x4)
PID 1824 wrote to memory of 944 | 1824 | iexplore.exe | 42 (x4)
PID 1824 wrote to memory of 2400 | 1824 | iexplore.exe | 43 (x4)
PID 1824 wrote to memory of 2724 | 1824 | iexplore.exe | 44 (x4)
PID 1824 wrote to memory of 3040 | 1824 | iexplore.exe | 45 (x1)
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
Processes (indented by spawn depth; each entry lists path, command line, PID and the signatures triggered by that process)

C:\Users\Admin\AppData\Local\Temp\5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe"
  PID: 1444
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\svchost.exe
      PID: 1948

    C:\Users\Admin\AppData\Local\Temp\5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599.exe"
      PID: 1928
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\E696D64614\winlogon.exe
          Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
          PID: 1292
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\svchost.exe
              Command line: C:\Windows\system32\svchost.exe
              PID: 2012

            C:\Users\Admin\E696D64614\winlogon.exe
              Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
              PID: 568
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\E696D64614\winlogon.exe
                  Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
                  PID: 820
                  - Modifies firewall policy service
                  - Modifies security service
                  - Modifies visibility of file extensions in Explorer
                  - Modifies visibility of hidden/system files in Explorer
                  - UAC bypass
                  - Windows security bypass
                  - Disables RegEdit via registry modification
                  - Drops file in Drivers directory
                  - Executes dropped EXE
                  - Sets file execution options in registry
                  - Drops startup file
                  - Windows security modification
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Modifies Control Panel
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - System policy modification

C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1168

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1824
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:275457 /prefetch:2
      PID: 1964
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:668683 /prefetch:2
      PID: 884
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:668689 /prefetch:2
      PID: 1644
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:1127435 /prefetch:2
      PID: 944
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:1324055 /prefetch:2
      PID: 2400
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:1586199 /prefetch:2
      PID: 2724
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1824 CREDAT:1455135 /prefetch:2
      PID: 3040
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: 51ce1934e5dd19a815b91fd01766c02a
SHA1: 086fc0833981b12bb940b9c112f39f46029b55f9
SHA256: e4fec9ed91acbc553ec857084e4efe742c0c4311f5f38f673f36a60a58e3ebb0
SHA512: e39b5ba3e4eb10cb225c9b6bb95312b09087c48bcfc22727ac1667ec10849794e6ed6cea9f3df95bf0f5e5cf4255f573e2a36098fbf9cd0ed4dbac1855c0afbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize: 1KB
MD5: 54bf9611459d0201de157aa749324f8f
SHA1: 303b0c7727053bce2b380f890173ba2869c9c971
SHA256: 143cb4defce270956bf42ab28794893103f21e68f64da5eb3e8d22034f875f4a
SHA512: faa436afca390a1cd9aa39b409be26536a11afcb14816586cec8b23e93be441f5c22407008bd968a3350c081e6c2e263480e798f78ca428c951f96bac8fdb256

Filesize: 60KB
MD5: d15aaa7c9be910a9898260767e2490e1
SHA1: 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256: f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA512: 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize: 1KB
MD5: 8f65df17d50069446688b60d97ed478f
SHA1: 167a84e1053407448b22d97fbbb02c5606e199e8
SHA256: 300ef387608ed6f092494c0a028e1c121a2e40f2fcd2d7fe7815fb86ba2a2ba4
SHA512: 62f2e1e4df3b1e0cbc7d3a742af6fc40576f100373883310347757037e6ec82a1639b80212067090cf9504b5b90d657cc2f9f23aa575f9feea961684d865fbdb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 724B
MD5: f569e1d183b84e8078dc456192127536
SHA1: 30c537463eed902925300dd07a87d820a713753f
SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8
Filesize: 472B
MD5: ec8c3be288c030a2f21f77da38609a2c
SHA1: 5dce231ac91002054bbdbc6b19f6d1aa0d6c32bc
SHA256: fa3abfefbd26a9339066ee03360614fc68312aefd2aa7e47e291589f426a7265
SHA512: 4299f5de157287e7119ce33460caa566cd75fda3a30ffce13e633e201b0e62d1dc7b1d49d19cfe9983be00544ccafedad40c5e6d9fd60ce2b4b0a7c76f8b63f9

Filesize: 1KB
MD5: a266bb7dcc38a562631361bbf61dd11b
SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: 64438de086868beee75c02d57766ed35
SHA1: 2b290508ec03c810d42790d6d6ee3642845ccd03
SHA256: c53b01d8f5031008013a2de50e909cf7eb0ae0e897e4cd2ce33db29038cd747f
SHA512: c57e8ea93423f711c601fe382a6637297ad67f22197562590c8b551a16ff2deadefeca4b220fbdd155c1bc9856ac4f7de43cda45fe764c15bced3fdc32967cec

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize: 466B
MD5: 8a1c8330e36b46ca69619eb1a523d4ad
SHA1: 22de02355e87821b5fc860b38881adeab1c277e9
SHA256: ac69c0cde8f3c880a0b53f6a0fbe64b714722d9c05b96bd2e765acb076bee0ea
SHA512: 82e424e13c67dff091647bab0f16de0d5384e530e5e9711894983805a17f0de373b4127fee8726fe1301a80e92058c6db3a8a06f233bfe9aedbb533f1cbf8bd2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0974205f9b8c510819779b950869cc45
SHA1: 6efb5b0a54fab86c1b678f607b9004178ec54099
SHA256: 1fa3b235e9548b72ef7114a2cffca07b20e0a046de78612cd6109d1ae072e46d
SHA512: da02a131d95a7598ad14f4fc0c46d73bd7c5981470ef4793e20de3b7e7d3c052895089c22ea84cf725c1e5c038139e24ce923241306ef150ccf9de07663dafb2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0aed5916ca6664a7b1a9132febbc080f
SHA1: 1290984d76c32d189ce65acd338c886f06359cc2
SHA256: 484ca570e5e47ad03064e2e506d957b57883360db3fd70fb74c2aa445417fc6c
SHA512: dbbfe17cff1769600a34105427facbd31f790b2aa4cb97fb74e28a8d992a8a09e924878243a9391b8c809dac9b47f9226205880da9fa0c29ffe99a4e915f8a82

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1eeacb323ff986e55d45838ef6914091
SHA1: f026293a8e9bb624ab7f680b1556a0c63049bd54
SHA256: e4715dea2aabf80838355fb5be02f5dfd1d27a19807706f29e9b97c9ab06b0c7
SHA512: e090f513c4f71c77ba59989835867242745931a5441d2a5258046e718f8f1d98a68f891814491d433550120ff8e1be1c1cebe029cde76b49825ed8f36e6d01af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6997786cd93910ba9305db954982603a
SHA1: 3b67f157e4ba46ba5e7285b629b6b0eed211a799
SHA256: 616f6628c5ddafa6dabed4ad3da9df4f600a472df5c5c109ef377e8c9a559748
SHA512: 9f66d969d7d6299f66100d762b08ee79449c6871aa70df8c67797187b02d327af7eb3a786d6b0d311346b9584832fd3b966b30a795eaff6d03b55f1c24571440

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8f9ba75899043b5b97883625c9153a1e
SHA1: 1b6fc62ed664381fa7a5ef437ebb17843afaeae5
SHA256: 175a337200091c5d18eadbd84b8c099779a5fd5ca5755b9a38912f64e00ba866
SHA512: 48e6cf6ff43f603747c5bbde7ae2f249798187205b31d844011e9feb627a76e72044daaf8674019b19fb2806dc1ed614fc702bf1a67ee33fbf74b2a1e31a48bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 0d12215372c31bc37cfccf065e4f1922
SHA1: a411e2ff42558130539b73f6b1fe0ed145af42a8
SHA256: 7e6fde0f9506d789203682d42190c7a265935c910a1d1f492823796f48d422c6
SHA512: 93882fc005776a47475f61e428e5eb9de7269d003c71ef451b9f06a952de6e9a926bc417b9feaec3733135707302e7f273e73334605563c1c2a29cffa609584f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 93d02ba04080af54f9a79485fd6dd204
SHA1: 548be4be600b325b233be47a37784ae35fed36d7
SHA256: 2e9e4ce1cc539eba46ca334e960896597c358043d810fa06c5edbe729d77ef7d
SHA512: 4f932f495b939b95f70f98e2d789c2d793ad99b86d9ab8959d0e6e78ff34f92f72225ffdd7168d003671278a5cb659ee5a6da5c37f1dd70a5e48501404174e31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 2a257464950c47bf1efae7823905efda
SHA1: bc8456b314a7cbd7768dc352024cc9f51388f1b5
SHA256: b88c57231d2c375593267447683e1d682aaf73007f19670535fa83fd6acd635d
SHA512: f8bfefb57e453113f4beff3ba7fad3408b771fbfab2e42fb22420da6711809a4cd3086d53f0cc6d8d58a4b6b71124857f323e03e4adc0c7d8b75d9ee8290bb57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: bfd4a6ed89e64154dc682b8035d9aee4
SHA1: ead4f5752df661d3e27423e62d72f838bb18dfe9
SHA256: 828ae77234943fd7e8c0a638ef375e4b634dca3b49366fda49b56d112219a89c
SHA512: 592ec9eed23b9eb642acd3fcffc9336d79efa95dd0b393a3494dcee124ac4b2c65b0a84665ffb4ed126870fc8fe63067d7d682825abe80239012b2ca41cef2dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d74fedb04d9863cced37c6d33959f032
SHA1: 33e2bf06ad4e17606daa15b84389b3d0052dbacc
SHA256: 329e6f6580146a1764268636bd05d1ea6c1a8f3898c8a5f24b5cb5ecadee8de2
SHA512: 62df91f5cc971baa1f2aeec8d2f612de307912acc5c131fa8a59be6ed1d74b4980983170c52c39652cb813f7bd3672a4984871b72291b1bfe1c58a0ba077d04b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: b104519ab980b3fc3bb602958a416b6a
SHA1: 36f71cfd4ae8113d8a6d90a52d8db2b248ce2112
SHA256: 96070dc15a08033fb0ac60375b466c7d3e8b72e2601a153fe894acdd4f0a08c4
SHA512: 8ae6ecb823f1017337b9ff206977ac0e8092cbfd624e4cd78b3ee6a4de9171c71f710970499761e2a0370cea8834bd257334751d91d4be8cb816262881c0ba00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize: 470B
MD5: 14046ba6be98a7ac1238808bd7b3d21c
SHA1: 92673cc2a1ad2b2e58134847729b3f4c9de5c86a
SHA256: 93ec6c6abfa6155ad93ee1aff38e8c0d083e1f2ee1ef0b4d3140ed16c7e8d60c
SHA512: 013cd0c784a7d7c31d07354b64ee0e75adad75ff1ec18e5bcfd714198f60ab89169db691805c7ac1cc7a15376c00f96c2cc600e2fced323080eb9186adcc1ca0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 392B
MD5: 7ada1445635f6665c6ccdccd94467e5c
SHA1: 06ab03fe91ff1a04033a3d4b739d77823841b3a8
SHA256: 580fb9a441fcebdb2bcaa2ead968e378cf7d0afa15133c1acbe02742c42ed02f
SHA512: a2514a4c31d9e04da043559999d755011fc449ca054001c599141eaa3f4c37f2e59dcc5e66aa6bac6493d129d52356bc2a8f50e95b051b4ee6895530e6eb4ae5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_871E11B76822F93FE2DBF907A5A1D9A8
Filesize: 402B
MD5: 08c581ff501c8208427b70a99914c888
SHA1: 965dcca1f001e90f4383775f9e5a4ea160cf2fca
SHA256: ecdc94846221d747e56633e094172e28b1fbbb38aa4d2ce65a4b4213161633bf
SHA512: 96633d7b243183f4102e255edb8d7d67fec464f1cf2bb6629b91eed80b3eaf90d68a1d370f28d73e3c23c5dab047d871b12c229c36a3cfe98290a18c892851f2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize: 242B
MD5: a603c4b7e97a916f625584baa355db3b
SHA1: 24a1a3bc66a8d4bfa041212b881ae0a8b5818d86
SHA256: 3597d5bda5c571882c3a5585b40a7cbb0c4c212d9eac70bd705e04f2390cd097
SHA512: b4163a5e8adb463aefc28ca70e88ce094989a7b9a25a16c742d4a279489e32dc25d05f827e9d5df3cbc22ac252f2953ae61702d1ca918907bfa761b497f408a8

Filesize: 13B
MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Filesize: 608B
MD5: 2d8f0f7d14a89840d1357b0dd62a43ac
SHA1: b13d79570fb8e8598dcd2062738cb5e1437bda9c
SHA256: e349ebfd061a83d7475fa30ea383cea5b234fae1b658fa45e88cbb956625588e
SHA512: 65f8bbceb37a9e28cef858afc6f7f1261dc75d239c1ccda7b54277639bc26a471f3dfb9e7cee116458a02c3bfd90e52a18f9f78d2d7c1240d232a5f10697388e

Filesize: 3.1MB
MD5: 661f852723b74b77648e4a364abe2ef8
SHA1: 4ac342f74a9b28678fbc9204403c20267f6ace16
SHA256: 5607e8d5d662b46be0b9d78b3b8e4d76dc773cbd630b3325d468909ebae15599
SHA512: 887f7dafa1578094b76e07a9fabc3e11e051eb816dac32b36410f9967bff60cc0dd9028f8b3d9cdc957ac497f6fe04d2a47badc32c14418253efe69decb6d6ec