Analysis
max time kernel: 153s
max time network: 163s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 29/10/2022, 08:37
Static task: static1
Behavioral task: behavioral1
  Sample: a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
  Resource: win10v2004-20220901-en
General
Target: a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
Size: 654KB
MD5: d271734f425ec2ba4e1018ff5ffa8343
SHA1: a351d795076e068d320d2dc49a6f231e0429947a
SHA256: a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b
SHA512: 9e408addce17fca7149788a61e23d35a49c13a1ac4f3c8a56f95606d0c36fc66cbc78de30126d3935e61bf03b5600417183bce6c753e204ce55c370784213e22
SSDEEP: 3072:TfTflRNjzPF5OncVbrCVru0K67rMjb+2:LTfbz5W6bEu0LMjb+2
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 14 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Modifies security service (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification (1 IoC)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe

Disables Task Manager via registry modification

Disables taskbar notifications via registry modification

Drops file in Drivers directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe

Executes dropped EXE (3 IoCs)
pid | Process
940 | winlogon.exe
616 | winlogon.exe
1296 | winlogon.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sh.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccmain.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fih32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieWUAU.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinsm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapsvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe | winlogon.exe
resource | yara_rule
behavioral1/memory/1900-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-59-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-66-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1900-75-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1296-88-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1296-92-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1296-93-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1296-97-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/616-98-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1296-99-0x0000000000400000-0x0000000000443000-memory.dmp | upx

Drops startup file (1 IoC)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe

Loads dropped DLL (2 IoCs)
pid | Process
1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe

Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 1988 set thread context of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
PID 940 set thread context of 616 | 940 | winlogon.exe | 30
PID 616 set thread context of 1296 | 616 | winlogon.exe | 33
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Modifies Control Panel (2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "373820539" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://jalz4j6171wlnl1.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c000000000200000000001066000000010000200000005198877e346d4faf7dd6a66c2bc50a8a385dc5958955dde9dd5df3d7790817ac000000000e8000000002000020000000d3263175b7e82eabfeab0761142f2216b5b17107f1699a058bda2c0f5d817f7e20000000617f9d557063de56f8ce512dcb45037929ba202ae7cb74d697ccb86609260ace4000000027079a23c9e39eff6a36d213d7c3b8a8d40ad233a2209f5422e446acd6432e96a64fe2c4aae5605b7c415c9063b626aa6c5c8519d7ff5b36fad1379c95c39de3 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://zfvc39bvdc3z7p3.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://t6n2s06q6zf029d.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://rus3hhe3zkw7248.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://05xp00ep8q3b15t.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://x181m0qs5d8z4ld.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://kgyq2c11m3935t0.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://n016633rvmym47z.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45AA6B51-579A-11ED-9738-7E4CDA66D2DC} = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0fc7114a7ebd801 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Modifies Internet Explorer start page (1 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://5270vw7jy0dzwrx.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://n2fs15imt801r38.directorio-w.com" | winlogon.exe
Modifies registry class (24 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
- 1296 | winlogon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
- Token: SeBackupPrivilege | 1296 | winlogon.exe
Suspicious use of FindShellTrayWindow 8 IoCs
pid Process
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
Suspicious use of SetWindowsHookEx 37 IoCs
pid Process
- 1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
- 616 | winlogon.exe
- 1296 | winlogon.exe
- 896 | iexplore.exe
- 896 | iexplore.exe
- 1856 | IEXPLORE.EXE
- 1856 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 1148 | IEXPLORE.EXE
- 1148 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 2016 | IEXPLORE.EXE
- 2016 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 2244 | IEXPLORE.EXE
- 2244 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 1856 | IEXPLORE.EXE
- 1856 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 2724 | IEXPLORE.EXE
- 2724 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 1148 | IEXPLORE.EXE
- 1148 | IEXPLORE.EXE
- 896 | iexplore.exe
- 896 | iexplore.exe
- 1388 | IEXPLORE.EXE
- 1388 | IEXPLORE.EXE
- 1296 | winlogon.exe
- 1296 | winlogon.exe
Suspicious use of WriteProcessMemory 61 IoCs
description pid Process procid_target
- PID 1988 wrote to memory of 1964 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 26
- PID 1988 wrote to memory of 1964 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 26
- PID 1988 wrote to memory of 1964 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 26
- PID 1988 wrote to memory of 1964 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 26
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1988 wrote to memory of 1900 | 1988 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 27
- PID 1900 wrote to memory of 940 | 1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 28
- PID 1900 wrote to memory of 940 | 1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 28
- PID 1900 wrote to memory of 940 | 1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 28
- PID 1900 wrote to memory of 940 | 1900 | a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe | 28
- PID 940 wrote to memory of 1308 | 940 | winlogon.exe | 29
- PID 940 wrote to memory of 1308 | 940 | winlogon.exe | 29
- PID 940 wrote to memory of 1308 | 940 | winlogon.exe | 29
- PID 940 wrote to memory of 1308 | 940 | winlogon.exe | 29
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 940 wrote to memory of 616 | 940 | winlogon.exe | 30
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 616 wrote to memory of 1296 | 616 | winlogon.exe | 33
- PID 896 wrote to memory of 1856 | 896 | iexplore.exe | 37
- PID 896 wrote to memory of 1856 | 896 | iexplore.exe | 37
- PID 896 wrote to memory of 1856 | 896 | iexplore.exe | 37
- PID 896 wrote to memory of 1856 | 896 | iexplore.exe | 37
- PID 896 wrote to memory of 1148 | 896 | iexplore.exe | 41
- PID 896 wrote to memory of 1148 | 896 | iexplore.exe | 41
- PID 896 wrote to memory of 1148 | 896 | iexplore.exe | 41
- PID 896 wrote to memory of 1148 | 896 | iexplore.exe | 41
- PID 896 wrote to memory of 2016 | 896 | iexplore.exe | 44
- PID 896 wrote to memory of 2016 | 896 | iexplore.exe | 44
- PID 896 wrote to memory of 2016 | 896 | iexplore.exe | 44
- PID 896 wrote to memory of 2016 | 896 | iexplore.exe | 44
- PID 896 wrote to memory of 2244 | 896 | iexplore.exe | 46
- PID 896 wrote to memory of 2244 | 896 | iexplore.exe | 46
- PID 896 wrote to memory of 2244 | 896 | iexplore.exe | 46
- PID 896 wrote to memory of 2244 | 896 | iexplore.exe | 46
- PID 896 wrote to memory of 2724 | 896 | iexplore.exe | 49
- PID 896 wrote to memory of 2724 | 896 | iexplore.exe | 49
- PID 896 wrote to memory of 2724 | 896 | iexplore.exe | 49
- PID 896 wrote to memory of 2724 | 896 | iexplore.exe | 49
- PID 896 wrote to memory of 1388 | 896 | iexplore.exe | 53
- PID 896 wrote to memory of 1388 | 896 | iexplore.exe | 53
- PID 896 wrote to memory of 1388 | 896 | iexplore.exe | 53
- PID 896 wrote to memory of 1388 | 896 | iexplore.exe | 53
System policy modification 1 TTPs 6 IoCs
description ioc Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Processes

C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID: 1988

    C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\\svchost.exe
    PID: 1964

    C:\Users\Admin\AppData\Local\Temp\a1a16334aabecd72c2d43bd7c1a27c45841e11624d25125f3ade0a5b2c2d543b.exe
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1900

        C:\Users\Admin\E696D64614\winlogon.exe
        Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of WriteProcessMemory
        PID: 940

            C:\Windows\SysWOW64\svchost.exe
            Command line: C:\Windows\system32\\svchost.exe
            PID: 1308

            C:\Users\Admin\E696D64614\winlogon.exe
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            PID: 616

                C:\Users\Admin\E696D64614\winlogon.exe
                Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
                - Modifies firewall policy service
                - Modifies security service
                - Modifies visibility of file extensions in Explorer
                - Modifies visibility of hidden/system files in Explorer
                - UAC bypass
                - Windows security bypass
                - Disables RegEdit via registry modification
                - Drops file in Drivers directory
                - Executes dropped EXE
                - Sets file execution options in registry
                - Drops startup file
                - Windows security modification
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Modifies Control Panel
                - Modifies Internet Explorer settings
                - Modifies Internet Explorer start page
                - Modifies registry class
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - System policy modification
                PID: 1296

C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
PID: 1632

C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 896

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275457 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1856

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:734221 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1148

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:275469 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2016

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1127438 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2244

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1192981 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 2724

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:896 CREDAT:1192998 /prefetch:2
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID: 1388
Network
MITRE ATT&CK Enterprise v6
Downloads