2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

Analysis

max time kernel
150s
max time network
156s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28-10-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe
Size

111KB
MD5

0131eed1e59994a824a11fe0e68dd5c7
SHA1

4c3a020186be2bdd48468447649b5e56b99c7dd3
SHA256

2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c
SHA512

68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d
SSDEEP

3072:SaIuLuxCI5Q2JPnL6gxEMd3h/bUgOBnlDg:JtIK2JPL6g5Rjpshg

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1988	winlogon.exe
568	winlogon.exe
1532	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mxtask.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieRpcSs.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\whoswatchingme.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieCrypto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\azonealarm.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exantivirus-cnet.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VACFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitor9x.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamauto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav80try.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Procmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\findviru.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lookout.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcdsetup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1068-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1068-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1068-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1068-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1068-64-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1068-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1532-89-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/568-93-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1532-94-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1532-95-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1532-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1532-100-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1532-114-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe
1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1808 set thread context of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1988 set thread context of 568	1988	winlogon.exe	31
PID 568 set thread context of 1532	568	winlogon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0118EDC1-5729-11ED-9FD0-D6EA6736E294} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://o0z469vw3q06605.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://xqcryr832mkfkq5.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://rarc8ap33z16pkj.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30989bcd35ebd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://df356o246po18g6.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://2p4a3s42j15f3gd.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://ogm0473u0wd56km.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000000fe6a935c6aab08f729119feaf6766d5ad68f63ead914de348682b7d90092b49000000000e8000000002000020000000fbbbd0fd29f05c210b29e2b549069b961ced4be6e224dbd7e9ac94f9b33526ee9000000015941f168d1d1857e719c16e9c5b22105db766a2c92f15e6f45fd25038985eebe1f6ea4d77d4cb9d0cdcc2126ced90c01ce532f1797d30b405f2e2cee3baaaee79737a574aa365a755027e39dcdaf8f38e5222d467c3bc04c0bd8093a598cecfac21340af91e142c2c949561cb97ed3f426b504eb342094a2b29adde43e2779f8f9ca5b25969aff6fbcc8b21cd6193c2400000001d10c55de648cadbf97a517f96c6c15c4f91b5e361ddeebc55c0baa22de6e1a76d5c4b74e8f136da91862a2b3fa73b6d840e73831582fd830ba74dfc08b35cb6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://bdl5sr83c6b150n.directorio-w.com"	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000051d07d59137a6c875725ef998ea7f4309ecb9a529587aacf91c632c127f50f7c000000000e80000000020000200000003f4978b813ac60aac832a23fe19759da8cfcae812f173785d177c7095ba50384200000007e9fc3e6c64f473b05db32534b2dafa5941aab87c8509eb5b6797f4c619df131400000007f8b6765104a77742f3cb89588fd4367418ca24b56841758e09a80e710de21610d281a259de41514cbef87500e0ba8185f505c64f9ba6cb217ea6ed0c7aa09b4	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://v7gtn9kao90yi02.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373771889"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://s2t13do1ik2ju0h.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://623mb5z05p3ea32.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1532	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1532	winlogon.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1052	iexplore.exe
1052	iexplore.exe
1052	iexplore.exe
1052	iexplore.exe
1052	iexplore.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe
568	winlogon.exe
1532	winlogon.exe
1052	iexplore.exe
1052	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1052	iexplore.exe
1052	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1052	iexplore.exe
1052	iexplore.exe
2220	IEXPLORE.EXE
2220	IEXPLORE.EXE
1052	iexplore.exe
1052	iexplore.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
1052	iexplore.exe
1052	iexplore.exe
1256	IEXPLORE.EXE
1256	IEXPLORE.EXE
1532	winlogon.exe
1532	winlogon.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 1056	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	27
PID 1808 wrote to memory of 1056	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	27
PID 1808 wrote to memory of 1056	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	27
PID 1808 wrote to memory of 1056	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	27
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1808 wrote to memory of 1068	1808	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	28
PID 1068 wrote to memory of 1988	1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	29
PID 1068 wrote to memory of 1988	1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	29
PID 1068 wrote to memory of 1988	1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	29
PID 1068 wrote to memory of 1988	1068	2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe	29
PID 1988 wrote to memory of 1212	1988	winlogon.exe	30
PID 1988 wrote to memory of 1212	1988	winlogon.exe	30
PID 1988 wrote to memory of 1212	1988	winlogon.exe	30
PID 1988 wrote to memory of 1212	1988	winlogon.exe	30
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 1988 wrote to memory of 568	1988	winlogon.exe	31
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 568 wrote to memory of 1532	568	winlogon.exe	33
PID 1052 wrote to memory of 1256	1052	iexplore.exe	37
PID 1052 wrote to memory of 1256	1052	iexplore.exe	37
PID 1052 wrote to memory of 1256	1052	iexplore.exe	37
PID 1052 wrote to memory of 1256	1052	iexplore.exe	37
PID 1052 wrote to memory of 1608	1052	iexplore.exe	40
PID 1052 wrote to memory of 1608	1052	iexplore.exe	40
PID 1052 wrote to memory of 1608	1052	iexplore.exe	40
PID 1052 wrote to memory of 1608	1052	iexplore.exe	40
PID 1052 wrote to memory of 2220	1052	iexplore.exe	42
PID 1052 wrote to memory of 2220	1052	iexplore.exe	42
PID 1052 wrote to memory of 2220	1052	iexplore.exe	42
PID 1052 wrote to memory of 2220	1052	iexplore.exe	42
PID 1052 wrote to memory of 2476	1052	iexplore.exe	44
PID 1052 wrote to memory of 2476	1052	iexplore.exe	44
PID 1052 wrote to memory of 2476	1052	iexplore.exe	44
PID 1052 wrote to memory of 2476	1052	iexplore.exe	44

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe
"C:\Users\Admin\AppData\Local\Temp\2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1068
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1212
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1532

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1136

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1052
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1256
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:865291 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:996364 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2220
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1052 CREDAT:275480 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
294810a3a4a72a483a7c036f87a517b5

SHA1
84ad16357570017dc2bf5b589256eafc333b9c90

SHA256
1938641ed20c6577c9187373b64b297064cdb00442b336f032ea35a9f3e7e3e6

SHA512
cd2c1a2aebcbe26b577c11398067d6e0ec75962ec072c0f4fbbe87829898a11ba7fc0ec4ac8662f3cf5c189ba4b4502608b2609fe9b6fc45bd783185667c3e2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
6043fc1e4107b19a0db5da7ae5fd2ef2

SHA1
33f775ae3202d803c88dbf829416bef12756d116

SHA256
e27724c63c7158ef1532a8dc28c02ac5140121840a111f2fa34f6875f18c9266

SHA512
4fa2249d2292ce088053de5281fa878cd598ba18dfe8836e861aac5c975ba212c03ef9e1f14e0964b6e6782bc6b1236846dda86c749a9fd7a7867a5c29a3d3a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
cedebd8d5a0949a03cdbdcc39372599a

SHA1
8ca4e74f7d84bbae1dae07f5829611bb3ca7a60c

SHA256
fd5168bf1ebc38a425656138d347eed745523ee88ee5108b1edcf178dc6f910a

SHA512
92e401d48228d4063a69ffbbb7049453cd5968f8e3c96ddbf63383ae97e40874c76d9dfa002a5d968257b804d69f8f32be2948c78bfd39af1da82af5da11a7ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
471B

MD5
20c69990e9f2324ecbf75090016c6acd

SHA1
45c7098e6bb31c439bad5752935770dd9b801617

SHA256
d12d3f4a51368230c20f54388c3062144a9f54a70cc3d6f784599ea1b0668dee

SHA512
5daf51bf4cec07adc19a2e4ed96ce5be6a97ba2f26487ee2ca140d2532a880fecbc96408c2466bfada3e84bbfbd8f31964594fea72f16ef2d3a1b026c5d7a4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
7aa77c323da7a291a20954f45fda11af

SHA1
73be9ae117b811d78f69d358d6f12032c2b0d52f

SHA256
bdab6fe500b64d53e13e41fed19b68ff859f1a71883f8f55b494b0efbe85d0eb

SHA512
a5bb0888123beea2a6bb9ff10684399ff3c2e1e5b329f5ee65d1421cfd54a846bf37a546723224f1030d441a66aaf584879273e00e2c351e48a30b0c437691e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
b5db416dd717af9676335000be20a749

SHA1
ac30d193b8bd53fd570b23a39bf788587d0bee03

SHA256
15f5e5bb76eec3d1942054b6481c1bd9260497805cf33b7eeda481d72c4250a1

SHA512
fc1547e0a1805cf476c98011f3a96552b3257c5b3ac8c51f9ad24eaa0abbedc4aa0d3d4f0d5c648ddd74dd4c98bc662b0cb0654cba8892296e1905b42efdbfe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e912b9931712728981617c4e71e98b8

SHA1
a5feb86d3b6dacd382b58cf34cb7056ee2c2cf0e

SHA256
98defab0416f7b106fa6b050ce48b61d4cb4283ee19fd6929aed63655d800605

SHA512
5819d2dfa859e680206acee257276d0ac9c411827c0c443f6f0569bc56f32b769bed880232cc783a083d2394b234a9ee84b3e95d567ce4a20e97d491b5012cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
090cdb4306cd5dd01a6c7a2137f7a4a0

SHA1
b097edd4fc4b11840b706ff7be4f53d6e05bb6aa

SHA256
1bc5490fcfa3ed7c715e043be8f78d4410e0d87b637fd44b2a53dad53db3939d

SHA512
c9389ffe1cff531b590db1ead029984c655cf11e1afdf0d505bc09bb306fffa56491d40e10f9dd7a26190e0e5661aa00c84302f3b61944f6a9d7c40da0d218bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5fd0319d695c7539d1fb8cc221e253e

SHA1
57d57d5a69609f8023f3769a6e451b8cf978be21

SHA256
253cf5bf7a919745d8cc7f5f485f28f862166a73bcc6e54c7a3ee962050c5612

SHA512
ae01005381ca8cababa62ac3f0a8058d156251e8ea434937f04e30e364ac69649ea9307db75fd391a9fa72b0bc055764fcde2b3be8aca695bbf309cbed9f8260

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6215fd27e630f74d4b42ddac95d0b227

SHA1
0e9a97693c8f70f4bfba1db82fb32cab9bc53ff5

SHA256
5a0f1630b986d77a1bde5c6fc27e4eca53b5fd749a7531ef31f6fea556854096

SHA512
5b9ed55d57d72ebe1dd549d569abb67672065d3649bdefdff26cccee5dbbf944fbfc5a05fe419bce38976cf18f9f6c0d8a9047e6d5b4648a3a05b91a4ef2eb0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45fddb8fa3862359f69032d6ad8c94b8

SHA1
5f7c9a87862511d6c4c459827e0fa12477ac5a02

SHA256
2dd3b10f32812848127168e689066c04561e4b3739c7cadb16187c5f6d0fb295

SHA512
de26734a2e9b662448bb5af61706ee286b3cedc1fd3a002a13d589babc5bfc9ab1292217f92e2297ac74371228eb85cf5bf094c0d272cdfd116f9c4c106230bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
3b8ca04d21e4a16ba70ab03795058f94

SHA1
7a57392808543e2e6045caf15f258a1d3e486a0d

SHA256
229c941362373d60f370493789776af7b473a35a5eab0f651eff3b83c3251657

SHA512
7d2b715903d51f4c11e7f417ba76e428c1d1bfec3c1ad6fd76e9e1c35644f36274432fedfb9595e3a98592568f0cf807de637c0fcd241b1a80859c63d6e4c354

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
60e2c69ed38488d2a1adfa85c8d33f8d

SHA1
f316040cda38045540b3ce5c629b73c3447455ef

SHA256
809b6f9801997c441e53eeeb04c153fccaf83ef3cf6c717012ce0e956b2daa17

SHA512
cd789ace9586c23185b9a7b64c30f7afd3c58c4bf45627f3d660305e368193ef23af1755d0ada489df0d8ebe5b200c08b70c053c331005d6be0514bea7f5d83a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
406B

MD5
795373f6d9d24dee4af9b22649b6eb44

SHA1
b03f59ccf3a33cafcdcffe423d7bceb4300938fe

SHA256
b382e537407f595890aceb8a352a6637560e6f0b253c48b9dcae338d14956884

SHA512
283dc614e0ca669195236e0191bdaf82ad1dffa52772046e048b44e81ab70935401cf2635c32c87ea6d5a21f445fcf5b2993b41641101b9dc1c07b8b73d5597d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
1d85951d18153d3ca11bb2f3b4b09c41

SHA1
ca0322a41e006c597629ff7dcc8a5885c90da8bf

SHA256
ba52ddc50ffa03fc59760a47ea4a94feb78625e41e370f1321e76e4ae5f00175

SHA512
ca22511ef268f1443bed53c64463e306c40ae37eac51302833148b4d8066f361d2e2a2a83af9ed04ae4a1cd3a73d3c706b84a67d8ac472860e05765e6e1ff75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\2YO4CWG3\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FBHXRZS2.txt

Filesize
608B

MD5
176e52cfe682c50d0a288d53195e8573

SHA1
916475746e8db7a0aa10e1d38e28283183bf85e6

SHA256
f5d5d931937bae9ceaaf4d6a213dace260ff1c1e00963d6653a934f719ed9ea6

SHA512
b0c98c1eb6c2d8252c05f765f586bec37c0bd3418450cd7abd58598b530d455e2813224f1d77e38e5cc907d659f94269ce3bf94fede1068a28ecfdfe0f8b00f6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
111KB

MD5
0131eed1e59994a824a11fe0e68dd5c7

SHA1
4c3a020186be2bdd48468447649b5e56b99c7dd3

SHA256
2e7a23302265f20a13b074af45847f786dd1c30a6f03e1e2cd871884cc77415c

SHA512
68fe69beb522059edbcb4662794009a87aca3da0b5a6ffc6765b7ac6d24f47b9b3a012ad148e217b2b223a4910af28da386ba08a7950c8b4a0b6bc473b40785d

Download Submit
memory/568-93-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/568-80-0x000000000041AB90-mapping.dmp

Download
memory/1056-54-0x0000000000000000-mapping.dmp

Download
memory/1068-60-0x000000000041AB90-mapping.dmp

Download
memory/1068-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-67-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1068-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1068-64-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1212-73-0x0000000000000000-mapping.dmp

Download
memory/1532-90-0x0000000000441760-mapping.dmp

Download
memory/1532-114-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1532-122-0x0000000003D70000-0x0000000004DD2000-memory.dmp

Filesize
16.4MB

Download
memory/1808-62-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1988-70-0x0000000000000000-mapping.dmp

Download
memory/1988-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download