a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

Analysis

max time kernel
153s
max time network
163s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
Size

654KB
MD5

d271734f425ec2ba4e1018ff5ffa8343
SHA1

a351d795076e068d320d2dc49a6f231e0429947a
SHA256

a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b
SHA512

9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22
SSDEEP

3072:TfTflRNjzPF5OncVbrCVru0K67rMjb+2:LTfbz5W6bEu0LMjb+2

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
940	winlogon.exe
616	winlogon.exe
1296	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieWUAU.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinsm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1900-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1900-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1296-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1296-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1296-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1296-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/616-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1296-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1988 set thread context of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 940 set thread context of 616	940	winlogon.exe	30
PID 616 set thread context of 1296	616	winlogon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c00000000020000000000106600000001000020000000996d283a0448764847681e43b15c4e3111ea43d6ecc33cc100b74f5c698cab7c000000000e800000000200002000000051d028e97c949e44bfb701a628863da9de3ec5886afc93f88801789168cc01529000000061b98fd18dccc24e183a30ad7961979fb760dffca8deafccc7701d4a37add07fd9bb78d34fcb00118db9a62e54c6c20fa6ba0113c922bd70361b821125c3659c3938b2b49aabc117b85edb5ff59e3218631e74508f6aef3def1eaf1a7d512d3de6afa81e8f80362006e37fa57bec67ca7d2b1baee9af014fb2ef9c640bef32f5668d2d81974c38d752cc01d44e838fd1400000001ec6546d38b09725a08e942e946921125b307ac89d2d31e7cec2deea105e934e7e68a9db18930ada3ead7c7cb99b035a6e9a8ebf66b9cf798c49900b8d5f4cd6	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373820539"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://jalz4j6171wlnl1.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000005198877e346d4faf7dd6a66c2bc50a8a385dc5958955dde9dd5df3d7790817ac000000000e8000000002000020000000d3263175b7e82eabfeab0761142f2216b5b17107f1699a058bda2c0f5d817f7e20000000617f9d557063de56f8ce512dcb45037929ba202ae7cb74d697ccb86609260ace4000000027079a23c9e39eff6a36d213d7c3b8a8d40ad233a2209f5422e446acd6432e96a64fe2c4aae5605b7c415c9063b626aa6c5c8519d7ff5b36fad1379c95c39de3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://zfvc39bvdc3z7p3.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://t6n2s06q6zf029d.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://rus3hhe3zkw7248.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://05xp00ep8q3b15t.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://x181m0qs5d8z4ld.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://kgyq2c11m3935t0.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://n016633rvmym47z.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45AA6B51-579A-11ED-9738-7E4CDA66D2DC} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0fc7114a7ebd801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://5270vw7jy0dzwrx.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://n2fs15imt801r38.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1296	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1296	winlogon.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe
896	iexplore.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
616	winlogon.exe
1296	winlogon.exe
896	iexplore.exe
896	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
2016	IEXPLORE.EXE
2016	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
1856	IEXPLORE.EXE
1856	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
2724	IEXPLORE.EXE
2724	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
1148	IEXPLORE.EXE
1148	IEXPLORE.EXE
896	iexplore.exe
896	iexplore.exe
1388	IEXPLORE.EXE
1388	IEXPLORE.EXE
1296	winlogon.exe
1296	winlogon.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 1964	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	26
PID 1988 wrote to memory of 1964	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	26
PID 1988 wrote to memory of 1964	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	26
PID 1988 wrote to memory of 1964	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	26
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1988 wrote to memory of 1900	1988	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	27
PID 1900 wrote to memory of 940	1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	28
PID 1900 wrote to memory of 940	1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	28
PID 1900 wrote to memory of 940	1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	28
PID 1900 wrote to memory of 940	1900	a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe	28
PID 940 wrote to memory of 1308	940	winlogon.exe	29
PID 940 wrote to memory of 1308	940	winlogon.exe	29
PID 940 wrote to memory of 1308	940	winlogon.exe	29
PID 940 wrote to memory of 1308	940	winlogon.exe	29
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 940 wrote to memory of 616	940	winlogon.exe	30
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 616 wrote to memory of 1296	616	winlogon.exe	33
PID 896 wrote to memory of 1856	896	iexplore.exe	37
PID 896 wrote to memory of 1856	896	iexplore.exe	37
PID 896 wrote to memory of 1856	896	iexplore.exe	37
PID 896 wrote to memory of 1856	896	iexplore.exe	37
PID 896 wrote to memory of 1148	896	iexplore.exe	41
PID 896 wrote to memory of 1148	896	iexplore.exe	41
PID 896 wrote to memory of 1148	896	iexplore.exe	41
PID 896 wrote to memory of 1148	896	iexplore.exe	41
PID 896 wrote to memory of 2016	896	iexplore.exe	44
PID 896 wrote to memory of 2016	896	iexplore.exe	44
PID 896 wrote to memory of 2016	896	iexplore.exe	44
PID 896 wrote to memory of 2016	896	iexplore.exe	44
PID 896 wrote to memory of 2244	896	iexplore.exe	46
PID 896 wrote to memory of 2244	896	iexplore.exe	46
PID 896 wrote to memory of 2244	896	iexplore.exe	46
PID 896 wrote to memory of 2244	896	iexplore.exe	46
PID 896 wrote to memory of 2724	896	iexplore.exe	49
PID 896 wrote to memory of 2724	896	iexplore.exe	49
PID 896 wrote to memory of 2724	896	iexplore.exe	49
PID 896 wrote to memory of 2724	896	iexplore.exe	49
PID 896 wrote to memory of 1388	896	iexplore.exe	53
PID 896 wrote to memory of 1388	896	iexplore.exe	53
PID 896 wrote to memory of 1388	896	iexplore.exe	53
PID 896 wrote to memory of 1388	896	iexplore.exe	53

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
"C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:940
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1308
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:616
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1296

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1632

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:734221 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1148
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275469 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1127438 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1192981 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2724
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1192998 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
ba193abd5cee7e274574232485234ad3

SHA1
7ee0bc7ab1fd7e1f80bcb6c0ec8b10ef23d6bd0c

SHA256
a045521ec79810b4d21db82065efd81689bce5262030994694048709943b4215

SHA512
2583f52452db0d88733561086574150ec1ecb547f4d3c0617588c0d37b7b678dca38756ee29a50718913bad30078595f997708a6f029b56548c87f61c63e87da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
418c89767ea2e57136dfff9b98e17b06

SHA1
58e44fb1ac9d09c4b72ca76920eb20cd208e3d7a

SHA256
ee87539a84229f985410e9b2c40e5019027914fdf2b4c43573a7b84cf8edf0ff

SHA512
bad5b3bfe1bf1de8317de0e123c572c82efbffc3bfd0e263ad62cd8359f165591ebd8c09574240660e95742485e65731c6a9e9ca4a16377d0f1479c0fcc6f77c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
886de94f05f136ef1ae4e7aeb7294e1f

SHA1
7f27c12e92a7fa207d0f9b2f37aad44c144749e8

SHA256
0d6bb0e9fc82b2aced62c69e45bdb0db4e01a25c537a05c7afdb4765e4754d6e

SHA512
ec35d03563fa90fc8679937a795c6c94f7aa110738f4f8e5124466a7474da3be1e76f236e674eaf6f4e154bd45ebca4927b3b57ff3920cd1ebbfb98a4b7d2880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
471B

MD5
20c69990e9f2324ecbf75090016c6acd

SHA1
45c7098e6bb31c439bad5752935770dd9b801617

SHA256
d12d3f4a51368230c20f54388c3062144a9f54a70cc3d6f784599ea1b0668dee

SHA512
5daf51bf4cec07adc19a2e4ed96ce5be6a97ba2f26487ee2ca140d2532a880fecbc96408c2466bfada3e84bbfbd8f31964594fea72f16ef2d3a1b026c5d7a4e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
430d1279841210241cdd7ed9616e1b79

SHA1
33f44452e661a76f79c2da4a6daa11a743af2c8d

SHA256
116574ae534f9b74c596c8107715561fb8c60f971765dee104470b61f9c9b14e

SHA512
f4dc03f9c61003a473e409c33ec5bc77b32d094a656bac928c2650c36d1895a610c5ba5c1c8c21822343f3d4fd14f28f9bf169d99dd451a4e7ad58f9519517c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
1b0fcc65009c457a173aca8ba3ccf323

SHA1
b5142bb9ac22b625f455678f8d413602d7c504c3

SHA256
6fdd73ce46309746c6211b5b4eb679c2aabe505a05c64d4227985d47319e06f4

SHA512
510ba0b62fcaefc9ebcfac2b6d7d936173dd0b35650c74fba44928c026f97076e69a291b9cbad532dcfc4f8d7dd00220e2e15ba2710d63913a8794a10aab80de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d3c00f00532b606c6a78bafab245562

SHA1
58e9b43549ee8ed7adacd47c5952ebd7941b46b0

SHA256
3d4e8b73ef44dd8d044dfdcf30e8074a76628d78cd62b3b96ef989c662d29593

SHA512
6cd6abc9d2153e8cd648cd67f351c52f0e01be7a38dccd68bb2fb68571819e245d0b4483d24d5414fb222aa6bb91519c8ba1b504457f0a7088f508eae483dca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d1f83426d8c9352d27bebafdfa9fb2

SHA1
eb7233ee6c580c59c70265f0224454de92c82f38

SHA256
3d08b10077e34933644a018c7b4bec318aab35d7faf9f1a243b951c0ec61f3b9

SHA512
6c11cfe09aefa8f923d5592fa95fa65b565abd42f8aed35f96f39a139d1bbc3955d7890f79bc425ed6eebfc447054af63cfaf16b2e63ff4e3a5791390ddec017

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f2379b1a9ab185400d6e8b6b2dbc62e

SHA1
b6f62041727a85dbb8ac63d625e25b5c6bb26f32

SHA256
d3f22c12e88eefd3647d2aabd2e593bae05076d50294f22ba28f6af790d40e4a

SHA512
6e0aa8108f2f2ca733ab8b6d80de65464913f0156eb5f050938a8553ce204a4a365524f321f3503b481dce14a48531f559d859f5a1e4045c481a256a407eee90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de508def44fc04d138e70be99a6cb007

SHA1
9cc25e2519714c521df56910c2cf874d97364054

SHA256
92ed54ffbe91585047b137e08c227fb2473c8154773ade9392c04cae20cfdefd

SHA512
436959842c38f11716ff8edeca36c2ccd02ce5ea108fed09a9e565af96b4873b4c959d1fed7f541cb109c84a7735338e0ffac6a2be3b9b21deceb627416f365b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c310c74f96367a26f42c1ea87b1a3b46

SHA1
3ff87b9ba780f11f1c70dbb7bf57fac4d6c5b1bd

SHA256
b9ef956a74757c93d519e0e0bec4bc846eac4daa21bf4231e9fc059042b4797e

SHA512
7ed8d9f830957325a2fa89c15f1b42890aa69ee8c59f25b50bd632aece5a4c923a5df421cf020ebc96517ef294ebc7b5916b1279e85a1098da39c0e69569d600

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e709063573dc55768a92f113fd3ecbc

SHA1
7695a8b2cd812cc7f2ca2713e58ea940fcf9e524

SHA256
e41f82a896daa4b09be5dd7de60ddf85d69232d72ee201b29f4dece17bc5b138

SHA512
a17fe5e408be39b042544393131f3e576b194dbc8a90e9c8fa988caa0972e719adb12f4c18b0cb93128172cc85cc01aae90c408ecb53d5514f840d31125c78c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8381256926bc15747fa11ea5173a8b09

SHA1
a2310f19e15bc4a71c54d729b8c5ea4e42e2b2df

SHA256
8953d1ff0c422ae46903883d481228a1e4e27cbaa0b16d38b8d4f2025dddc1ed

SHA512
cef9b7607db803878ac726616b10adbdefca5553bbeddbb4129f3a0890f0e0144b141051bac594bdb17330a7dea646fd04010c7058b05e45e4833a64486be753

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a677ed53f4931409954d329a70c3841

SHA1
70b7b3bab9d148b0c41a7248f4cc2defb0844623

SHA256
a2fb1cc8b7295f078743108557896f676921d4eb67fbaa170fc8fc1e6aeaaf2a

SHA512
29784fd0451386521196d75c6797132dd572597dde8e3bcf16c38b89ca8575d027b91e12ccfb6faa4faadfaeb5b787fbaae3d22bc951c34c81462d5627231b16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
d3d7d420ad6547f952326b8b3b78cab8

SHA1
1e3fcdbac0575b1883133bd01276668d4c61953b

SHA256
fbeffb00e518e640b9cc8c2f7e970a6f6d4655e8d71a53bc4416582ab01fd019

SHA512
908cbe5d32d41fb0427f9b61ed5776663b5a2ccdeb8f02153a89fbe34735582f2f96ac6bf9798d45ec8976c1c07bc0908ec4c8e058db006557d71bc83b1c96bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f346d93a7f04202431b01383c053563d

SHA1
5b47f51112bf1fec72cf377f4c0cb4091cb2d88c

SHA256
bdf402263ca5a686e75e9dd603e12d18a5a0e1ccc9576df81e57f66d1d15afef

SHA512
bbf6c9b99e67a525dd662cdd0494ad9ad926263d815063d57c79944a545fa8248d5da05288f9d3f74b183160473479a408f77bb7b307e0b05e3ee0573e0874eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_FF62BD756A5FABB9D839CE721823CD76

Filesize
406B

MD5
fbaafa101847f7370fdf60fdf564b1d5

SHA1
fcc686425cbac6d0e848778a3972462e97cc8d8a

SHA256
4122877a54a20d145c7861543bbb248ded7fa85b279e36e0e0c8c56e2165a453

SHA512
8bbf0172c79f91dcf743985907cfb4eb57ff5032e1fac785ed1737fd2eaf6c38f083ce7ae150f0c6128ad434c2a17eeb904805924365b060b91258387af46955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
acb0552994c43b80f00531477e57a1b2

SHA1
8809cc8ac33e18e4c150fb4651b98d4a4657054a

SHA256
8cb0f34674e1ed43cb9fc444948a04a059a2110239186b2e63e42152763342ed

SHA512
0d196ed2f44a03835a2e6d65f4c2321860f64216de34e3c269a3c6219bf860aab24547a65a7d91b5178932927ffd0491f2236bea4c80c3fd7ba14c1a7d0afe16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\L46CBE73\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\O24ONQII.txt

Filesize
593B

MD5
8de6768e87db761fb453e84d4fd65809

SHA1
fdd0cfa2b2e432e1d3a04808d6df4d80c9585dc3

SHA256
f644bacc42a82cc4b14a39345a859bec887f84ad2224772cba6acbb7527640bb

SHA512
c2b47851c4a9007adb4e8daa669a8aa7ede8751da9274e44637e4d25d88b29f6a390b7fa4fbc8776814a39300299489b2d5b49fcc100c39a7082d3ba6d6a4667

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
654KB

MD5
d271734f425ec2ba4e1018ff5ffa8343

SHA1
a351d795076e068d320d2dc49a6f231e0429947a

SHA256
a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b

SHA512
9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22

Download Submit
memory/616-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1296-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1296-123-0x0000000003AF0000-0x0000000004B52000-memory.dmp

Filesize
16.4MB

Download
memory/1296-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-67-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1900-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1900-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download