Analysis
max time kernel: 150s
max time network: 156s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system
submitted: 06-11-2022 11:10
Behavioral task: behavioral1
Sample: 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
Resource: win7-20220812-en
General
Target: 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
Size: 719KB
MD5: 09d579f0a7c71003dd8b72d59e4d2f24
SHA1: b334aa8d67a9b6342a7ea2a414111973298b9776
SHA256: 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5
SHA512: 7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29
SSDEEP: 1536:LbnRuEbswtfKxehJN/Ba6gZblpuiv0SvaxyXaCbZZC4+06gjIrCTRknanwujxsfS:LbnRuEYcg+mliy5bdH6MI2TqnOY
Malware Config

Signatures
Modifies firewall policy service 2 TTPs 14 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List winlogon.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications winlogon.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" winlogon.exe
Modifies security service 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" winlogon.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" winlogon.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Disables RegEdit via registry modification 1 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" winlogon.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\system32\drivers\etc\hosts winlogon.exe
Executes dropped EXE 3 IoCs
pid Process
1528 winlogon.exe
1460 winlogon.exe
1932 winlogon.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neowatchlog.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcleaner.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navap.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe winlogon.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE winlogon.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efinet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2-nt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scrscan.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\tds2-98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rescue.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe\Debugger 
= "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwtool16.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwcl9.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sharedaccess.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zauinst.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution 
Options\schedapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccclient.exe winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmias.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" winlogon.exe -
resource yara_rule
behavioral1/memory/1952-55-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1612-58-0x0000000000D10000-0x0000000000D4B000-memory.dmp upx
behavioral1/memory/1952-59-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1952-60-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1952-61-0x0000000000D10000-0x0000000000D4B000-memory.dmp upx
behavioral1/files/0x000a0000000135a6-65.dat upx
behavioral1/files/0x000a0000000135a6-66.dat upx
behavioral1/files/0x000a0000000135a6-68.dat upx
behavioral1/files/0x000a0000000135a6-70.dat upx
behavioral1/memory/1952-69-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1528-74-0x0000000001320000-0x000000000135B000-memory.dmp upx
behavioral1/files/0x000a0000000135a6-75.dat upx
behavioral1/memory/1932-81-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/files/0x000a0000000135a6-83.dat upx
behavioral1/memory/1932-85-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/1932-87-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/1460-91-0x0000000001320000-0x000000000135B000-memory.dmp upx
behavioral1/memory/1460-92-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1932-93-0x0000000000400000-0x0000000000443000-memory.dmp upx
behavioral1/memory/1460-94-0x0000000000400000-0x000000000041C000-memory.dmp upx
behavioral1/memory/1932-95-0x0000000000400000-0x0000000000443000-memory.dmp upx
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe winlogon.exe
Loads dropped DLL 2 IoCs
pid Process
1952 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
1952 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc winlogon.exe
Adds Run key to start application 2 TTPs 4 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" winlogon.exe
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Suspicious use of SetThreadContext 3 IoCs
description pid Process procid_target
PID 1612 set thread context of 1952 1612 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe 27
PID 1528 set thread context of 1460 1528 winlogon.exe 30
PID 1460 set thread context of 1932 1460 winlogon.exe 31
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel 2 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound winlogon.exe
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound\Beep = "no" winlogon.exe
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://27py5699ykx1n7l.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://sp668epnfj608ud.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374510997" iexplore.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://xhc51inkzy461w0.directorio-w.com" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://1by2tpol34nuc1s.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key 
created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://pi727h0lvgh62gk.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://11e5l4f09azu400.directorio-w.com" winlogon.exe Key created 
\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://qg6rmd2p609ii00.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 
01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d3b98f5693c0d24b85f349229339c59c0000000002000000000010660000000100002000000034c4dd4a0749ebb83957682eadcf809ef247033cf2bb748bcb8274427cea6d3e000000000e80000000020000200000004275f1135da3b470f29e2e5188478640792d959f052ac1a383f20bc6b50405e820000000de317e575f2207e4d163389ace395cee061c1939003a2b01c595c2788371561640000000251fa2f9d51d4bc14396e298a14350e3d03ef354a055573f749f3ee4c10cf15d7caef4fe880ece55368d23b378133cfd22b2da0802559129700cc7469ad99b37 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DOMStorage IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet 
Explorer\Recovery\AdminActive\{DE7A6771-5DE1-11ED-8B83-6A6CB2F85B9F} = "0" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e3e7afeef1d801 iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://5es75gvm0b4i0ww.directorio-w.com" winlogon.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://j9y0x111cif6w9e.directorio-w.com" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://027g33h80256d1v.directorio-w.com" winlogon.exe
Modifies registry class 24 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
1932 winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeBackupPrivilege 1932 winlogon.exe

Suspicious use of FindShellTrayWindow 7 IoCs
pid Process events
1596 iexplore.exe 7

Suspicious use of SetWindowsHookEx 33 IoCs
pid   Process                                                                 events
1952  60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe   1
1460  winlogon.exe                                                            1
1932  winlogon.exe                                                            3
1596  iexplore.exe                                                            14
1176  IEXPLORE.EXE                                                            4
1400  IEXPLORE.EXE                                                            4
1280  IEXPLORE.EXE                                                            2
2164  IEXPLORE.EXE                                                            2
2568  IEXPLORE.EXE                                                            2
Suspicious use of WriteProcessMemory 59 IoCs
description: "pid wrote to memory of target"; identical events are collapsed, with the number of times each was logged in the events column
pid   target  procid_target  events  Process
1612  788     26             4       60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
1612  1952    27             9       60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
1952  1528    28             4       60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
1528  1256    29             4       winlogon.exe
1528  1460    30             9       winlogon.exe
1460  1932    31             9       winlogon.exe
1596  1176    37             4       iexplore.exe
1596  1400    40             4       iexplore.exe
1596  1280    42             4       iexplore.exe
1596  2164    43             4       iexplore.exe
1596  2568    45             4       iexplore.exe
System policy modification 1 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
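Of the six policy writes above, four change the host's security posture: EnableLUA=0 turns UAC off, ConsentPromptBehaviorAdmin=0 lets administrators elevate with no prompt, ConsentPromptBehaviorUser=0 auto-denies standard users' elevation requests, and HideSCAHealth=1 hides the Action Center icon that would otherwise flag the disabled UAC and firewall. PromptOnSecureDesktop=1 and NoFolderOptions=0 are the default values and change nothing. The http, https and ftp shell\open\command rewrites in the registry-class table point the URL protocol handlers at Internet Explorer's own binary. The Python below is an added example, not the sandbox's tooling: it parses lines in the report's signature format and separates the writes that weaken the host from the ones that do not. Its sample input copies the six policy lines and four registry-class lines from the tables above; the two firewall-policy lines and the whole rule list are the example's own.

```python
"""Flag security-weakening registry writes in a sandbox signature table.

Added example; not the sandbox's own code. It parses lines in the
'Key created <key> <process>' / 'Set value (<type>) <key> = "<value>" <process>'
form used by the tables above and checks them against a small rule set. The
thresholds follow the documented meaning of the Windows policy values; which
writes count as weakening is this example's own judgement.
"""
import re
from dataclasses import dataclass
from typing import Optional

LINE_RE = re.compile(
    r'^(?P<op>Key created|Set value \((?P<type>int|str)\)) '
    r'(?P<key>\\REGISTRY\\\S+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>\S+)$'
)

@dataclass(frozen=True)
class RegWrite:
    op: str
    key: str
    value: Optional[str]   # None for 'Key created'
    process: str

@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    value: Optional[str]
    reason: str

def parse_line(line: str) -> Optional[RegWrite]:
    """Parse one signature line; None if it is not a registry write."""
    m = LINE_RE.match(line.strip())
    return None if m is None else RegWrite(m['op'], m['key'], m['value'], m['process'])

# (regex searched in the key path, predicate on the written value, reason).
# Case-insensitive: the report mixes 'services'/'Services' and ControlSet001/002/003.
RULES = [(re.compile(p, re.I), bad, why) for p, bad, why in [
    (r'\\Policies\\System\\EnableLUA$', lambda v: v == '0',
     'UAC disabled (EnableLUA=0)'),
    (r'\\Policies\\System\\ConsentPromptBehaviorAdmin$', lambda v: v == '0',
     'administrators elevate without a prompt (ConsentPromptBehaviorAdmin=0)'),
    (r'\\Policies\\System\\ConsentPromptBehaviorUser$', lambda v: v == '0',
     'standard-user elevation requests auto-denied (ConsentPromptBehaviorUser=0)'),
    (r'\\Policies\\Explorer\\HideSCAHealth$', lambda v: v == '1',
     'Action Center security notifications hidden (HideSCAHealth=1)'),
    (r'\\FirewallPolicy\\(Domain|Standard)Profile\\EnableFirewall$', lambda v: v == '0',
     'Windows Firewall disabled for a profile (EnableFirewall=0)'),
    (r'\\FirewallPolicy\\(Domain|Standard)Profile\\AuthorizedApplications\\List\\.',
     lambda v: v is not None and ':Enabled:' in v,
     'firewall exception added for an application'),
    (r'\\Classes\\(https?|ftp)\\shell\\open\\command\\?$', lambda v: v is not None,
     'URL protocol handler command rewritten'),
]]

def triage(lines) -> list:
    """One Finding per line that matches a rule (first matching rule wins)."""
    out = []
    for line in lines:
        w = parse_line(line)
        if w is None:
            continue
        for key_re, bad, reason in RULES:
            if key_re.search(w.key) and bad(w.value):
                out.append(Finding(w.process, w.key, w.value, reason))
                break
    return out

POL = r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
CLS = r'\REGISTRY\MACHINE\SOFTWARE\Classes'
FW = r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
IE = r'"\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""'
SAMPLE_LINES = [
    # Six policy writes and four registry-class writes copied from the tables above.
    'Set value (int) ' + POL + r'\System\PromptOnSecureDesktop = "1" winlogon.exe',
    'Set value (int) ' + POL + r'\Explorer\HideSCAHealth = "1" winlogon.exe',
    'Set value (int) ' + POL + r'\Explorer\NoFolderOptions = "0" winlogon.exe',
    'Set value (int) ' + POL + r'\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe',
    'Set value (int) ' + POL + r'\System\ConsentPromptBehaviorUser = "0" winlogon.exe',
    'Set value (int) ' + POL + r'\System\EnableLUA = "0" winlogon.exe',
    'Key created ' + CLS + r'\http\shell\open winlogon.exe',
    'Set value (str) ' + CLS + r'\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe',
    'Set value (str) ' + CLS + r'\http\shell\open\command\ = ' + IE + ' winlogon.exe',
    'Set value (str) ' + CLS + r'\https\shell\open\command\ = ' + IE + ' winlogon.exe',
    'Set value (str) ' + CLS + r'\ftp\shell\open\command\ = ' + IE + ' winlogon.exe',
    # Two firewall-policy lines constructed for this example (not copied from the report).
    'Set value (int) ' + FW + r'\EnableFirewall = "0" winlogon.exe',
    'Set value (str) ' + FW + r'\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe'
    r' = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:winlogon" winlogon.exe',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f'{f.process}: {f.reason}\n    {f.key} = {f.value!r}')
```

On the sample input this yields nine findings: the four UAC/Action Center writes, the three protocol-handler rewrites and the two constructed firewall lines; the two default-valued policy writes, the ddeexec value and the bare key creation pass through unflagged. The first matching rule wins, so a key that fits two patterns is reported once.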
Processes

C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe  (PID 1612)
  command line: "C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\svchost.exe  (PID 788)
      command line: C:\Windows\system32\svchost.exe

    C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe  (PID 1952)
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\E696D64614\winlogon.exe  (PID 1528)
          command line: "C:\Users\Admin\E696D64614\winlogon.exe"
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\svchost.exe  (PID 1256)
              command line: C:\Windows\system32\svchost.exe

            C:\Users\Admin\E696D64614\winlogon.exe  (PID 1460)
              - Executes dropped EXE
              - Suspicious use of SetThreadContext
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\E696D64614\winlogon.exe  (PID 1932)
                  command line: "C:\Users\Admin\E696D64614\winlogon.exe"
                  - Modifies firewall policy service
                  - Modifies security service
                  - Modifies visibility of file extensions in Explorer
                  - Modifies visibility of hidden/system files in Explorer
                  - UAC bypass
                  - Windows security bypass
                  - Disables RegEdit via registry modification
                  - Drops file in Drivers directory
                  - Executes dropped EXE
                  - Sets file execution options in registry
                  - Drops startup file
                  - Windows security modification
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Modifies Control Panel
                  - Modifies Internet Explorer settings
                  - Modifies Internet Explorer start page
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of SetWindowsHookEx
                  - System policy modification

C:\Windows\system32\wbem\unsecapp.exe  (PID 864)
  command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding

C:\Program Files\Internet Explorer\iexplore.exe  (PID 1596)
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1176)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1400)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:865288 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 1280)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:603152 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2164)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:4142090 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2568)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1596 CREDAT:406554 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
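The tree is a chain rather than a single process. The submitted sample (PID 1612) spawns an svchost.exe (788) that it rewrites with SetThreadContext and WriteProcessMemory, and a second copy of itself (1952), which drops and runs winlogon.exe (1528); that copy repeats the pattern (svchost.exe 1256, then a new copy 1460), and the third winlogon.exe (1932) is the one that changes the firewall, UAC and Run-key settings. Neither svchost.exe instance shows any activity of its own in the report. The iexplore.exe writes are different in kind: Internet Explorer's frame process launches its tab processes with SCODEF:<frame pid> and writes into them itself. The Python below, an added example and not the sandbox's code, rebuilds that picture from the process tree and the WriteProcessMemory table. Its process table is hand-transcribed from the tree above with a subset of each process's flags, its event text is a constructed excerpt of the 59-event table, and the edge labels are the example's own heuristics rather than sandbox verdicts.

```python
"""Rebuild the injection chain from a sandbox process tree and its
WriteProcessMemory table.

Added example, not the sandbox's own code. PROCS is hand-transcribed from the
process tree above (pid, image, parent, command line, subset of signature
flags); EVENTS is a constructed excerpt of the 'wrote to memory of' table,
so its counts are lower than the report's 59. Edge labels are this
example's heuristics, not sandbox verdicts.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE = '60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe'
TEMP = r'C:\Users\Admin\AppData\Local\Temp' + '\\' + SAMPLE
DROP = r'C:\Users\Admin\E696D64614\winlogon.exe'
SVCHOST = r'C:\Windows\SysWOW64\svchost.exe'
IE_TAB = r'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE'

@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    cmdline: str          # '' where the report shows none
    flags: frozenset

def _p(pid, image, parent, cmdline, *flags):
    return Proc(pid, image, parent, cmdline, frozenset(flags))

PROCS = {p.pid: p for p in [
    _p(1612, TEMP, None, '"' + TEMP + '"', 'SetThreadContext', 'WriteProcessMemory'),
    _p(788, SVCHOST, 1612, r'C:\Windows\system32\svchost.exe'),
    _p(1952, TEMP, 1612, '', 'Loads dropped DLL', 'SetWindowsHookEx', 'WriteProcessMemory'),
    _p(1528, DROP, 1952, '"' + DROP + '"',
       'Executes dropped EXE', 'SetThreadContext', 'WriteProcessMemory'),
    _p(1256, SVCHOST, 1528, r'C:\Windows\system32\svchost.exe'),
    _p(1460, DROP, 1528, '',
       'Executes dropped EXE', 'SetThreadContext', 'SetWindowsHookEx', 'WriteProcessMemory'),
    _p(1932, DROP, 1460, '"' + DROP + '"',
       'Executes dropped EXE', 'Modifies firewall policy service', 'UAC bypass',
       'Adds Run key to start application', 'System policy modification'),
    _p(1596, r'C:\Program Files\Internet Explorer\iexplore.exe', None,
       r'"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding',
       'SetWindowsHookEx', 'WriteProcessMemory'),
    _p(1176, IE_TAB, 1596, '"' + IE_TAB + '" SCODEF:1596 CREDAT:275457 /prefetch:2'),
    _p(1400, IE_TAB, 1596, '"' + IE_TAB + '" SCODEF:1596 CREDAT:865288 /prefetch:2'),
]}

EVENTS = (  # constructed excerpt, in the report's run-on format
    f'PID 1612 wrote to memory of 788 1612 {SAMPLE} 26 '
    f'PID 1612 wrote to memory of 788 1612 {SAMPLE} 26 '
    f'PID 1612 wrote to memory of 1952 1612 {SAMPLE} 27 '
    f'PID 1952 wrote to memory of 1528 1952 {SAMPLE} 28 '
    'PID 1528 wrote to memory of 1256 1528 winlogon.exe 29 '
    'PID 1528 wrote to memory of 1460 1528 winlogon.exe 30 '
    'PID 1460 wrote to memory of 1932 1460 winlogon.exe 31 '
    'PID 1596 wrote to memory of 1176 1596 iexplore.exe 37 '
    'PID 1596 wrote to memory of 1176 1596 iexplore.exe 37 '
    'PID 1596 wrote to memory of 1400 1596 iexplore.exe 40'
)
EVENT_RE = re.compile(r'PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)')

def count_edges(blob):
    """(writer pid, target pid) -> number of WriteProcessMemory events."""
    return Counter((int(s), int(d)) for s, d, _img, _n in EVENT_RE.findall(blob))

def classify_edge(src, dst, procs=PROCS):
    """Heuristic label for one writer -> target edge."""
    s, d = procs[src], procs[dst]
    if d.parent != src:
        return 'write into a process that is not its child'
    # IE's frame process starts its tabs with SCODEF:<frame pid> and writes into them itself.
    if s.image.lower().endswith('iexplore.exe') and f'SCODEF:{src}' in d.cmdline:
        return 'IE frame writing into its own tab process (expected)'
    if 'SetThreadContext' in s.flags and d.image.lower().startswith('c:\\windows\\'):
        return 'hollowing candidate: system binary spawned, written to, thread context rewritten'
    if 'SetThreadContext' in s.flags and d.image.lower() == s.image.lower():
        return 'self re-execution: new copy of the same image written to, thread context rewritten'
    return 'write into a child process'

def lineage(pid, procs=PROCS):
    """Root-to-leaf parent chain for a pid."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = procs[pid].parent
    return chain[::-1]

def report(blob=EVENTS, procs=PROCS):
    """Rows of (writer, target, events, label) sorted by writer pid."""
    return sorted((s, d, n, classify_edge(s, d, procs)) for (s, d), n in count_edges(blob).items())

if __name__ == '__main__':
    for src, dst, n, label in report():
        print(f'{src:>5} -> {dst:<5} x{n}  {label}')
    print('lineage of the policy-modifying process:', lineage(1932))
```

Run stand-alone it prints one row per distinct writer/target pair with its event count and label, then the lineage 1612 -> 1952 -> 1528 -> 1460 -> 1932 of the process that rewrote the policies. The two svchost.exe edges are labelled as hollowing candidates only because the writer also carries the SetThreadContext flag; a write into a child without a thread-context rewrite (1952 into 1528, the dropped binary) is reported as a plain child write, and the frame-to-tab IE writes are recognised by the SCODEF argument and left out of the suspicious set.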
Network
MITRE ATT&CK Enterprise v6
Downloads

The CryptnetUrlCache Content and MetaData files below are CryptoAPI's on-disk cache of certificate revocation and trust-list data fetched during certificate validation; they are artifacts of the run, not payloads. Entries shown without a path appear that way in the report.
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize 1KB
  MD5    57cf5dc2957b8c427a334d9d6d6e43bb
  SHA1   54d0b3f0c6185b909e840fc0007e87bc03b24d86
  SHA256 74eb7b237eef1e196fe74ad2501fbfbcd81cc90ddc30237d73f162d50003b5c2
  SHA512 45a9c351d836be8683f65c8faf538f3131cf2c471cf3e3c60193e5115049a0b9256566a8ca0ae8bb71c8c7e4a7740ae1c92d00e5845f46e4d822227e1a216442

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize 1KB
  MD5    3959b026c29a03a9b64211202d7f4763
  SHA1   6b82528fbd98bf8f8e9f58879e4c1feae3d15431
  SHA256 282ac7a64dd65a043ba1f01dde2cb4d532df4363855b3dabe2403ed2a1e2ceec
  SHA512 cb53440288919a6bfc8a92372e210e8fed8b7de4002fb8262650af64a0b62f9e9abf6e427b60b432c78a06ceccc1fbdfb365b9ebe414f22146491061e2fa6a65

(no path shown)
  Filesize 61KB
  MD5    3dcf580a93972319e82cafbc047d34d5
  SHA1   8528d2a1363e5de77dc3b1142850e51ead0f4b6b
  SHA256 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
  SHA512 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize 1KB
  MD5    9899db9e64102530d774d2d20e546ef6
  SHA1   98d789b64fa448ec0b34987113680240146a165e
  SHA256 c453100b83847c928813e521749b41201ac79d7acbd7af1db2dfab97b296c5f5
  SHA512 49f14fe6f1c57a7dfc19ad322ac9f198816308172c7f1723034d95ca32b919144df47f3b251d6ed77e222ad511a3cae11ea7c634fdca8e8732c5091c62d6fdd1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize 724B
  MD5    f569e1d183b84e8078dc456192127536
  SHA1   30c537463eed902925300dd07a87d820a713753f
  SHA256 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

(no path shown)
  Filesize 1KB
  MD5    a266bb7dcc38a562631361bbf61dd11b
  SHA1   3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_543B7BD726970BD166CFFC3B32EE7089
  Filesize 472B
  MD5    6b72bfaacba486284aa2ecb4bcd8ebba
  SHA1   89fa4ef09e60380fc432c73b7919a29f26117088
  SHA256 fed14b27362ffe0dfbe0b1696e8dab5f6bba3e08b76bec620e75f0f3f213f69b
  SHA512 c028d009bd4c86f4c9038ae04865416c817ca5e7c40ca9301aadcd6983df0e52bdbc4900dce5c11a78d80f7594d21d5f1718c3eb5eaf3e987f51503b404b5741

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize 410B
  MD5    ca8e04b4e54eb0582a41d4029d1eb0c3
  SHA1   0183e793444c57a4924a2ebef3b5ad14ebddf3fb
  SHA256 b7f943b4e21d8afd236cd2d130e38ff70bb8243e79bfe8ad37f375fbe22b04fb
  SHA512 6d52484d147ddfd5356d58c731f5422aa68f702a767d4416be769c2fd8c6955aa6b4882f1b0c9d13dbee1d2494eafb010f0fb5777b79923f52421e908b102414

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize 466B
  MD5    d597eb331ee2da45f5e5066fc745964e
  SHA1   923724c113c11d5ae015e5f1656c9c2588df786a
  SHA256 227e801907be13503bf0312f0f304037cb0de7ef468169d0a91d4277d5d03dd4
  SHA512 2be29f56062cbffaf1a7d1992fd4f25ff523b61d135f5ef9ba73bffd846a2b843248b736c8fa484a38d7f69f5b3cdac5270d923e411e492ed41ab15565082866

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
(the same path is listed seven times with different contents)
  Filesize 342B
  MD5    f64669203df49c10dbd40497d5702cea
  SHA1   644303dbd35782fffc9793783e9bd509acaf077a
  SHA256 b990b8af76091b08625838310aba8f15a3c64abe601e8a091e4966b67bb904a0
  SHA512 1f51bf9f9e0919c287d2b7f2812bec3d370142ed36bfc4b049526a444444616b8b0c75e9dbaac30f6c7b8477a954d1cdaae7413468905f6ee3060c8029b50527

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    1b801b2f966c2b51a528c544c19afa7d
  SHA1   4c598a33b708ec8a5b58b1b7958cf62ad8cc5311
  SHA256 8c180486d8586122bfd92aca89b0c2354f694c4dd67464e41e5e0884ad76286e
  SHA512 2c3872815c56bc65953c1b8e5a796a2315a2dd498a90bbb2f71b16994b938cc8caec4b40cf451c4b25054e999171e88cd4ed1d17d5535d22865cb07537f94017

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    68c24aa41fa720f8bea394db8b515ee2
  SHA1   d04e0bd65e1d1737ddfca3377540924e0b4b2cfb
  SHA256 c807ff21c85e497248d1c8311ddf80f0e04c3ebc30da5dff98402ea5df09242f
  SHA512 d03d822afb185f9b95fea90a803f9fd855b9536c1cef6904fc2b71a28797b38c5f5aa1c4f6ba9d946c9e46e99e1bb64707dfa72b56b8023947b426c55af88c46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    4fe8817eb8456c9624154bbc93836055
  SHA1   6227260b04abad309b5655c0e4ce0c62fc7d2bdf
  SHA256 5fff8fb190d89b02483adddb06e0fec1e82bbc448b1fb48c9dad1a6014d55f96
  SHA512 3f89e87abb1c609a08e4ab664b4879240d44849b987d30e44718386d78b64a920911ad38255bfebe4f101ee37a1cbf8d597f4733062e779419f24cb6fa861d68

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    427919841ec54153151418305f25f789
  SHA1   5b712756f9e67f72f8c5de50ed62096857bc0c76
  SHA256 7051bbe95bed470bbed77751e0f8cbba56e09e26c4bd4345d22e5879ce3ac92d
  SHA512 ad29fa3f2a686c59266be5cceb3913b69ed1c2a497e34f43a6388bdece143765a1c8800f32055672b7a5e3171ec2dba0cc86cf2e2c0cfef83b38832c6871a4ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    23604453dc102fa46b148e6c959eb508
  SHA1   74d33c57c695b3b7c935ccd900ad82ab03e1e9cf
  SHA256 7b4c58daee29804af9763c16d59ab5091bb43336ed972c0051905093da1c3f43
  SHA512 c996b9acb0f691207d2ae66a51e510cfdbeea6ca49d7f86d39a6387286da74f000230b86460f55c0321737f72d9ae3057c78e035003b4c28296045f265695ccb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize 342B
  MD5    43c9cb725e10167cfd5865e7a164abb0
  SHA1   a3aa6e294daae95e073f75d7fc9ebf400ed7b2d7
  SHA256 0c610a7310d6e986f0bdb3ae9e08cbab0f42b2b07eeb3a7607349638fd311ccc
  SHA512 9f46a3a170b2d5a172ca8ed200c6b796652a401b426a820a818ced0d969b10cca68874067a3c528d0d47b5d11260a1c120b29c6ba69be81180378fb2dca04223

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize 470B
  MD5    6aef9a17975ff50f38df8f3ee65dcc94
  SHA1   2d970b269eca28c833f7ed63a37e7910cc2ec583
  SHA256 4cdd7e8ac1b56fe2663d599fdcc6279baf392573084d49633a129c84844575aa
  SHA512 e197fb1170b7d734cf9feb7664efb2184154d31702144c1edd528e5e3ccaa3b6ed6332a428f45c427f07f67f1d65ac2a91eee18ca854d3fef6eb9c2ffe4964bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize 392B
  MD5    0bd92223ecb650c2f838f1b2aa67f7f2
  SHA1   88d16056f97263a96355a36f717cc1f701852e35
  SHA256 5c5da29ddf3a84c3cdf8a5a19e491c96f2816aff40044825f9632cba021c4965
  SHA512 fb7de4d2cf84354c5ac67816a743ba45c3fd64b90ba73c1d561f9eea64c664c89e6a7564a999390bd6205f246143f6ca009c139a2fdf6675dad129ee22e96da0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize 242B
  MD5    d6157ffe8be5a89c3983377fa2c21010
  SHA1   603a0eb2ddb218735d292195c847bc9552e9fcde
  SHA256 a7eade19b6d35455688aafeb54b42254750125666f52f40f7fc00443e0896cc4
  SHA512 ac387fde74fc593c1ff4217ca29f528fb90c3fd4877516e5162705a2b224644cac5c6bbbed74b913c6f14d5ea4594ac01c896b665350de30a1eb17b0454d0b92

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_543B7BD726970BD166CFFC3B32EE7089
  Filesize 402B
  MD5    5d4ea92dd25ed4e0646a81ead1248a58
  SHA1   903d1d34306f0a7ee1f772c0003879f93b74b145
  SHA256 ccdf1f3501e67e7acb54680912d009d584982cfa9c0bbdbee07b96abf5817c90
  SHA512 49f4e7a7503017664a0bedaf0a7f78963deaf05187799061be29377e486404e405689da28f6a23c491a17d9054ed29f6c72fa6b7d013ba1043bd33743952b138

(no path shown)
  Filesize 13B
  MD5    c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1   35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

(no path shown)
  Filesize 602B
  MD5    d72466fc165cdbf847dfaee1bb00c53d
  SHA1   6a3f11b0ba91edf6eb8992d85fa129a67c340f52
  SHA256 b507891224bc05f8db26c598ae0142f3f734d861b771ebe386ca32d98b32e11f
  SHA512 965853e6c07694940a4b83a5caeee3bf86e7e29efbab7d9533f18ab6a4ed1d31ed24d7653895d67ad05bf14a9e375ba8a05f307d9307bdf5ce951a4ec5c5f5c7

(no path shown; this entry is listed six times in the report, and its hashes are identical to the submitted sample's)
  Filesize 719KB
  MD5    09d579f0a7c71003dd8b72d59e4d2f24
  SHA1   b334aa8d67a9b6342a7ea2a414111973298b9776
  SHA256 60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5
  SHA512 7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29