60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 11:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
Size

719KB
MD5

09d579f0a7c71003dd8b72d59e4d2f24
SHA1

b334aa8d67a9b6342a7ea2a414111973298b9776
SHA256

60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5
SHA512

7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29
SSDEEP

1536:LbnRuEbswtfKxehJN/Ba6gZblpuiv0SvaxyXaCbZZC4+06gjIrCTRknanwujxsfS:LbnRuEYcg+mliy5bdH6MI2TqnOY

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1380	winlogon.exe
4360	winlogon.exe
116	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\GRAPH.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winroute.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieCrypto.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95ct.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\moolive.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pathping.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\CLVIEW.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\penis32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracerpt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\NGEN.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfgwiz.exe	winlogon.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3796-132-0x0000000000E70000-0x0000000000EAB000-memory.dmp	upx
behavioral2/memory/3796-137-0x0000000000E70000-0x0000000000EAB000-memory.dmp	upx
behavioral2/memory/3628-136-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3628-139-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3628-140-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3628-143-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/files/0x0003000000022def-145.dat	upx
behavioral2/memory/3628-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/1380-152-0x0000000000710000-0x000000000074B000-memory.dmp	upx
behavioral2/files/0x0003000000022def-151.dat	upx
behavioral2/files/0x0003000000022def-146.dat	upx
behavioral2/memory/116-159-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x0003000000022def-160.dat	upx
behavioral2/memory/116-162-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/116-163-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/4360-166-0x0000000000710000-0x000000000074B000-memory.dmp	upx
behavioral2/memory/4360-167-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/116-168-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/116-169-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 1380 set thread context of 4360	1380	winlogon.exe	88
PID 4360 set thread context of 116	4360	winlogon.exe	89

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://3kf188g5e40u294.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{774B2378-5DD9-11ED-A0EE-7A46CE8ECE48} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f01e2c49e6f1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1271851386"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994918"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30994918"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://qwh99m1a3d50t18.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://ug28gj8al47so01.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 808a4d6de6f1d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d79060000000002000000000010660000000100002000000027225f5f411d9995a92ba81670370f24f85848bd043ccc8b80ef020ac08861d1000000000e8000000002000020000000123d3c659582fd571fde6a51a92cd7058cecb5c3b527099028e6877737f58dfd200000000ee5479b1d267dd30a6289e1e7904d05a7d9e20b54e5a205cd80a3a507403d3a40000000e8f665360ffc43ecb4e49ccb332e3c6df2d488b9fa3e05531ebef7d694549edb09d19c7b39d3911ac4d3dbae2fdf5e6031174d426d39bebc37dfa80acd535995	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1271851386"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "374507386"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\afternic.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70406866e6f1d801	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://e8t7vr4510b4d20.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com\ = "1097"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60bf235fe6f1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d02cc350e6f1d801	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://sy2x83nc9c0002a.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1097"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30994918"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30adfe57e6f1d801	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com\Total = "1097"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1275290531"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043e2eb2e51ccf149ab640c8bdb0d7906000000000200000000001066000000010000200000005080a0c96fd93fa4147187a867c21e0a66fc0111eb38e196656c4dd796a160e3000000000e800000000200002000000086079f62963c074b2e5829371029f2a7fb701a608797823dd47ffabf6266923020000000ca67f19fac42a275520afd79056e5b4d413331cd487db9e8462f67038c601440400000001d9b6fa31b49f2beeee7921e43075931a8d8234c29a2caa315b4b06f06348df6b41906773b931562a59f87e9bf0da02949d4498d2691305b443ae867bd24848a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://6a341mhzc3j3ank.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://465ghik7i4hi52d.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://dz3l7554236k848.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
116	winlogon.exe
116	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	116	winlogon.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
5088	iexplore.exe
5088	iexplore.exe
5088	iexplore.exe
5088	iexplore.exe
5088	iexplore.exe
5088	iexplore.exe

Suspicious use of SetWindowsHookEx 29 IoCs

pid	Process
3628	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
4360	winlogon.exe
116	winlogon.exe
5088	iexplore.exe
5088	iexplore.exe
2528	IEXPLORE.EXE
2528	IEXPLORE.EXE
5088	iexplore.exe
5088	iexplore.exe
3704	IEXPLORE.EXE
3704	IEXPLORE.EXE
5088	iexplore.exe
5088	iexplore.exe
2688	IEXPLORE.EXE
2688	IEXPLORE.EXE
5088	iexplore.exe
5088	iexplore.exe
1756	IEXPLORE.EXE
1756	IEXPLORE.EXE
5088	iexplore.exe
5088	iexplore.exe
900	IEXPLORE.EXE
900	IEXPLORE.EXE
5088	iexplore.exe
5088	iexplore.exe
4884	IEXPLORE.EXE
4884	IEXPLORE.EXE
116	winlogon.exe
116	winlogon.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 1612	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	82
PID 3796 wrote to memory of 1612	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	82
PID 3796 wrote to memory of 1612	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	82
PID 3796 wrote to memory of 3012	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	83
PID 3796 wrote to memory of 3012	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	83
PID 3796 wrote to memory of 3012	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	83
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3796 wrote to memory of 3628	3796	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	84
PID 3628 wrote to memory of 1380	3628	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	86
PID 3628 wrote to memory of 1380	3628	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	86
PID 3628 wrote to memory of 1380	3628	60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe	86
PID 1380 wrote to memory of 4380	1380	winlogon.exe	87
PID 1380 wrote to memory of 4380	1380	winlogon.exe	87
PID 1380 wrote to memory of 4380	1380	winlogon.exe	87
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 1380 wrote to memory of 4360	1380	winlogon.exe	88
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 4360 wrote to memory of 116	4360	winlogon.exe	89
PID 5088 wrote to memory of 2528	5088	iexplore.exe	96
PID 5088 wrote to memory of 2528	5088	iexplore.exe	96
PID 5088 wrote to memory of 2528	5088	iexplore.exe	96
PID 5088 wrote to memory of 3704	5088	iexplore.exe	102
PID 5088 wrote to memory of 3704	5088	iexplore.exe	102
PID 5088 wrote to memory of 3704	5088	iexplore.exe	102
PID 5088 wrote to memory of 2688	5088	iexplore.exe	104
PID 5088 wrote to memory of 2688	5088	iexplore.exe	104
PID 5088 wrote to memory of 2688	5088	iexplore.exe	104
PID 5088 wrote to memory of 1756	5088	iexplore.exe	105
PID 5088 wrote to memory of 1756	5088	iexplore.exe	105
PID 5088 wrote to memory of 1756	5088	iexplore.exe	105
PID 5088 wrote to memory of 900	5088	iexplore.exe	106
PID 5088 wrote to memory of 900	5088	iexplore.exe	106
PID 5088 wrote to memory of 900	5088	iexplore.exe	106
PID 5088 wrote to memory of 4884	5088	iexplore.exe	107
PID 5088 wrote to memory of 4884	5088	iexplore.exe	107
PID 5088 wrote to memory of 4884	5088	iexplore.exe	107

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
"C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1612
- C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
  2⤵
  PID:3012
- C:\Users\Admin\AppData\Local\Temp\60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1380
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:4380
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4360
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:116

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2376

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:4708

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2528
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17418 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17424 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2688
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17430 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:1756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17436 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:900
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5088 CREDAT:17444 /prefetch:2
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
1KB

MD5
61d82c8dcbd0c473719fbb4b6e107845

SHA1
ebf2e0fd34157a633716731dea6008c23e007f7b

SHA256
0350a0373d5a6411be57e30c5cb62d42e384e5443d88b1f8875d81bb80a17707

SHA512
7e7860c811dd77cd259a6fde70c23fef97e12350c62b16ef80da4f4f9c82f7e025b76c8c2df670ac8026d73396534f17b487dffcf0289f567f9a132c05a768f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\08B8D8C1791AA7714DD4D760C5F42C55

Filesize
503B

MD5
988a964f8bf44244de1991ff15293c03

SHA1
0efa6ef96778112c3ac87787f7501a8d5f2ff3a0

SHA256
c7b38f4cf0bfe148788af666bf2f5f1b1d1bd87550eaba3b1ec2880eba9c06dc

SHA512
cf4759dfc4460a862470bdcab457224ddbc791e7e2854b82d2880e47ef2b8280ad1822e7a7df98a53bd9a6bc6b6616041a636eb4dba3b7b092cfacf2b48c0be9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
7b39bae19fd7ce73eeb53b28fcd01bb8

SHA1
95a32498901209255b18add3ea83dbe9a8f0b838

SHA256
2677fcfc316f63ac184409c8c3be4a94dd92946bef9de1a04ebb86e1dff801cb

SHA512
1459ea077a5a945c80977bebcd169057fd1190891bb4d2fc4c443545671f8303d41425f3bd462fa68ce75ab251ce412f162a02f2cd290129cef6a655ad57415a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
57cf5dc2957b8c427a334d9d6d6e43bb

SHA1
54d0b3f0c6185b909e840fc0007e87bc03b24d86

SHA256
74eb7b237eef1e196fe74ad2501fbfbcd81cc90ddc30237d73f162d50003b5c2

SHA512
45a9c351d836be8683f65c8faf538f3131cf2c471cf3e3c60193e5115049a0b9256566a8ca0ae8bb71c8c7e4a7740ae1c92d00e5845f46e4d822227e1a216442

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
0ef90204485649be625ea2be1b9018fb

SHA1
28fbc0852140ec51d0c097a4962a160afa4d754b

SHA256
c8028acd9a8c8c795b87cf835fc3182d003264608f161baa0ca020711b22bca0

SHA512
b8bbba0dcc6cb6f87efb47a605953c93fcf93c5a65520b822ebfee25754632d6bb66c2a946f457e1e40a92556683ddb9d14f2703782833e12d7e37bb3b7fcec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
3959b026c29a03a9b64211202d7f4763

SHA1
6b82528fbd98bf8f8e9f58879e4c1feae3d15431

SHA256
282ac7a64dd65a043ba1f01dde2cb4d532df4363855b3dabe2403ed2a1e2ceec

SHA512
cb53440288919a6bfc8a92372e210e8fed8b7de4002fb8262650af64a0b62f9e9abf6e427b60b432c78a06ceccc1fbdfb365b9ebe414f22146491061e2fa6a65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_C2762C5F6270C1AE65D4E36FC57032D8

Filesize
471B

MD5
b82d4dc411e05b18ff9e08b17f189a11

SHA1
361781e2a33effc1fe3be222616b79e7edf76e0c

SHA256
4e89cd9847ada63d8bf26c748540580aebf563295589134b4895352cf85b713e

SHA512
49d7eb719209ff84cad8157eb73efe1679aab231f9cc7889f8f429991b894cd431a0bd0058be14aa3693469e151d763d9f7f03464f874553d4498a506c244f77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
9899db9e64102530d774d2d20e546ef6

SHA1
98d789b64fa448ec0b34987113680240146a165e

SHA256
c453100b83847c928813e521749b41201ac79d7acbd7af1db2dfab97b296c5f5

SHA512
49f14fe6f1c57a7dfc19ad322ac9f198816308172c7f1723034d95ca32b919144df47f3b251d6ed77e222ad511a3cae11ea7c634fdca8e8732c5091c62d6fdd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_543B7BD726970BD166CFFC3B32EE7089

Filesize
472B

MD5
6b72bfaacba486284aa2ecb4bcd8ebba

SHA1
89fa4ef09e60380fc432c73b7919a29f26117088

SHA256
fed14b27362ffe0dfbe0b1696e8dab5f6bba3e08b76bec620e75f0f3f213f69b

SHA512
c028d009bd4c86f4c9038ae04865416c817ca5e7c40ca9301aadcd6983df0e52bdbc4900dce5c11a78d80f7594d21d5f1718c3eb5eaf3e987f51503b404b5741

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
458B

MD5
edf93cb4564dfccde3d23434d81d8289

SHA1
16b19512e176501f61cfde7f648fd2b595a2a8f4

SHA256
1c5b22356a30ab552a44c1ca9d6f29b852cef82c2f284f9198138b83e61634f6

SHA512
ad831a8853cc363747441b312972ff72385c091c5c8870b1a31cb32848ade1af7fc904fbbd2d50876508474a0c8640a6dd49c9bbfb1adf5e480e87244b24ab88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\08B8D8C1791AA7714DD4D760C5F42C55

Filesize
548B

MD5
f92cacc85a4473a05729da4fb5f60852

SHA1
701abeca32a6b73a2e52b27826af47a604bd410a

SHA256
f4d35d0879e5cb2b85042861c93b3cc5736149686256596a7f536177be7c4c32

SHA512
1a573632453284b5ad4e92586fb5fbbdd60233786c66c0b77ae20c7ad93d163159729453fa7b0362edc24fc296a82a8b1b72752214dbcb8e3380c62f993f0127

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
0133ea0084dd4039a7678e8b8560391b

SHA1
581c3fdb58ed9d95b33d0ed3555527e95acec398

SHA256
3a2794f22c81e52a2378800d07c9268a237f09fd210a1bc9793ca90ee906144b

SHA512
22b0e20342cd30efe014cf34fcf03f0c930929ad2031b72d41ed43d86c1bde9c51ee3c4e3c7661c2c8f77eff28452af70403854842ccdb4bd7ae143c82c59646

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
11ad223558dd0673b344a6ecfad96d4b

SHA1
d4936e6354487ec1385f630067b49ab40563f9b9

SHA256
f5c31963e7bc0d0ec6f9b4801b276d4534d21930ad3024e4ee7a87e7145298bd

SHA512
16afed5567af2af6699723e3f1e8729a38a1d186127614ca50c0c3cc7572d39ca25d0c31e91840bddd772c9d6da2c0881972f8ad8ccd4f18e04e806f4d227cf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d83e1832d262d3d1915e1be8d81c9711

SHA1
6a762cd4e6378d36234a8c545860cba17e669086

SHA256
3768f20c8fb9131aba1eeb0382402877619e71b37d0b981cc3725a61e5e9eaba

SHA512
91aa77c61f97617fedcfa79ccd30772cf39e33ac5e2c3fdb3ffa8a575423118d410f61bf8a829a1a1620f1d0a089b08ed0b4c84167491ce15c8f4190ad97813b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
e1d6460db1ba57af0f085c748995a1a0

SHA1
482920e5cdd7bda8ab54346e99635bbe13c533a0

SHA256
b460a8c4b6e84b4825f8742465507824b9de07c0075e63a6af89fdc70cc357f3

SHA512
e4a70dbb77451080a1d76fb7f39f2857987d4ef89643cbe304ababa63d9f340a6bfd4841976965f08c7ebc590d5207d54f9480febcf0df1be3902eaf8c9f78e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
b66bdd9b409894f9dbaace342229c23b

SHA1
4edd78d872f0155a35ca3480201ce9af9c77638c

SHA256
71d707a566a1113745341a7ff86cfd83c4fb1d35b4f5e69f6a013d667999cef2

SHA512
6ae67a7d0f3830161465765d112c10394c0d841e05b9c124fa88942306e28ca9f10a1b0db57fd48f1a7447125524a00fa540a3399b0b5237f6f35042b5b28893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_C2762C5F6270C1AE65D4E36FC57032D8

Filesize
406B

MD5
2089ad2d42d35c73bff642aaf40b64bb

SHA1
3e52fab1d6a7375fb33583c1d0a7adfba5a1d270

SHA256
f8573b04161164435dd743ffc7abfe8ff5113e4926e14610e54b04a3faaa8eba

SHA512
143ad962caaed6d5af1fc0ef7f2dde8fdfc4902576e3e8a565b4efa1de7c6ab574d099cfb9df3d6a910a021083d4def0c9ea59945b04fc7a22185d554bc26c95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
c655d44d7fc8545fef163e86fa7751d7

SHA1
3eca6068985aef4eba9aa534a5b520a2fb24f7c9

SHA256
af264d5bd6124a167727a3b54480b8d78ba2be3c4219e2773dab89241d0ea864

SHA512
6caeb3520a853c3478e16a4b870dbd4770896eb69ef4665b4bfcfba73ca9f502316cbbeccbc2d996bbb18ed34e8721206f82492741bb3fe15f0244eb269952cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
8b999986a5784f23c9c7c8bf75504534

SHA1
2f88ab975665b33ab07e3291cc28929022e4ddfe

SHA256
09b391a69df70d9695436c0c4a7a26d123148735ca914f3689572555c4f2bcc0

SHA512
184cf102f8ad527069009f087a4f7a45432eb10d5f937c0a4a7c8381648e8ee31a9393bca1a57f524aaf65b05c3e29ba4a6bb48df11efbc58ab6412202488665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_543B7BD726970BD166CFFC3B32EE7089

Filesize
402B

MD5
aba7ba284df4f8886f1f83d2da599ce7

SHA1
3a4d30e0c6ab746e6c609e456e50e04e60aaa999

SHA256
f6297d95f2c7f4505a276c6032f5bec3bf5913918f3c6db40fa0f9e77529c1f8

SHA512
69af8e9a12a2c2eca73bd38d23554c78d350d05ad552aa3468804228058a45e67b80dd60b1c3bb7b287470bd28502bcfb57964bbac2987c777f3bb31e633e0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\J80QZJO6\www6.buscaid[1].xml

Filesize
1KB

MD5
7ad54d7a02bb31c3f898dcf0f48056ea

SHA1
0bb18a39ba4adecc82d364d1f037557f87a1a98d

SHA256
88255121046118c1c5da96985976cada19c9b20326486dc4e73c6bae490d13e5

SHA512
dc81232a1fa770b17d7a3dc0a32ac89464b216ddc2f445802a6f88e0c2f780af52241834ac036054bb0256f8655e53ff44a11c40094b963c7d6104775d8275da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\47NRIJ2V\QBEP76EU.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\47NRIJ2V\YTBF3SS3.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\99RSA0WQ.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZX6MAMIN\UK7A762Y.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
719KB

MD5
09d579f0a7c71003dd8b72d59e4d2f24

SHA1
b334aa8d67a9b6342a7ea2a414111973298b9776

SHA256
60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5

SHA512
7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
719KB

MD5
09d579f0a7c71003dd8b72d59e4d2f24

SHA1
b334aa8d67a9b6342a7ea2a414111973298b9776

SHA256
60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5

SHA512
7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
719KB

MD5
09d579f0a7c71003dd8b72d59e4d2f24

SHA1
b334aa8d67a9b6342a7ea2a414111973298b9776

SHA256
60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5

SHA512
7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
719KB

MD5
09d579f0a7c71003dd8b72d59e4d2f24

SHA1
b334aa8d67a9b6342a7ea2a414111973298b9776

SHA256
60dedf9ce14bc5592237afa354136f1dd4159e27a4c91efc2812797ecc272ae5

SHA512
7a1bb88c923fd8059ef7289b86ad19a33689408b4851f08e56651beffc6979380d58d981e9d47cd43f1f35bd395d75c80f687f5e4ac53ed38fdba675eca06d29

Download Submit
memory/116-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-163-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-169-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-168-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/116-159-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1380-152-0x0000000000710000-0x000000000074B000-memory.dmp

Filesize
236KB

Download
memory/3628-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3628-143-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3628-140-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3628-139-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3628-136-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3796-137-0x0000000000E70000-0x0000000000EAB000-memory.dmp

Filesize
236KB

Download
memory/3796-132-0x0000000000E70000-0x0000000000EAB000-memory.dmp

Filesize
236KB

Download
memory/4360-167-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4360-166-0x0000000000710000-0x000000000074B000-memory.dmp

Filesize
236KB

Download