99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23/11/2022, 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe
Size

344KB
MD5

c5e9e9f062388214b6c9584780320209
SHA1

2a1ffe871cc9e036a6239d3e9acb68bf7d7f2464
SHA256

99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d
SHA512

8e4aebb7541e7649eb79013418fddc938c351bdc10be471ab4fd6ef457568e05f44212bbd2ca32416d2d8be2a9a9288a6ae51d43e062343e1c4c4e15940a4f25
SSDEEP

1536:X2n2z/NfmeGrObqqvg5uJhy1haQ2R27sbXu7VUFm10IMSPzY2y76ldFkQZbe4fyQ:wKBmZGqqvgyhy1QRZaum1HBY2uKVDf

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 18 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
2280	winlogon.exe
2728	winlogon.exe
3052	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSOSREC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSQRY32.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\offguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WS2Fix.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WORDCONV.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkpop.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SETLANG.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpm.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autodown.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\MSHTA.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\css1631.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winservices.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmias.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WINWORD.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\SPOOLSV.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4292-134-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2564-136-0x0000000000230000-0x000000000026B000-memory.dmp	upx
behavioral2/memory/4292-137-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4292-138-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4292-141-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/4292-142-0x0000000000230000-0x000000000026B000-memory.dmp	upx
behavioral2/files/0x0009000000022df5-145.dat	upx
behavioral2/files/0x0009000000022df5-144.dat	upx
behavioral2/files/0x0009000000022df5-150.dat	upx
behavioral2/memory/2280-152-0x0000000000A70000-0x0000000000AAB000-memory.dmp	upx
behavioral2/memory/4292-149-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2728-153-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/2728-154-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3052-158-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/files/0x0009000000022df5-159.dat	upx
behavioral2/memory/3052-161-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/3052-162-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral2/memory/2728-165-0x0000000000A70000-0x0000000000AAB000-memory.dmp	upx
behavioral2/memory/2728-166-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral2/memory/3052-167-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2564 set thread context of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2280 set thread context of 2728	2280	winlogon.exe	83
PID 2728 set thread context of 3052	2728	winlogon.exe	84

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 53 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401959bf9fffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998431"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003430272095f9754cb614ad357f33b11c00000000020000000000106600000001000020000000314ffb9be302f2134e57bd92f2d73b0df9d1bc56ee4694e3fc18394ad3b5a522000000000e8000000002000020000000765dde6d06fd6d4d22510a03f122669226062685e3a1dcba55152c9b68e6d90a20000000188f7565c1814c131d4c0334ab191d8f2f0387bb65d36da2ecd9040c687537b14000000004ee0363dce858fb5f617687d98f41edf071bf49d287cf46ce2e055cd4c7eb1c845f97ac83359c9fabb17d5669519ca79ca03ab863d9cf791b0b94e06b140fc3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://xp1u09rk35w867x.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com\Total = "1097"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://bji84fy96s8z67u.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2989005366"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1097"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://5p0g1u609i3nw51.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D81A3DA3-6B92-11ED-89AC-7ED4F7B3352B} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://44d22x19j3u5o4y.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998431"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://e1y4017p8q723l6.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003430272095f9754cb614ad357f33b11c000000000200000000001066000000010000200000004602d4cc427bd391358fe7b3ff829e029d57d00056be3602ecf6dcf412a05900000000000e800000000200002000000002546884f97298aa4f9addd0bfe675025156dde27e957e2d9e9f51ebd4d4c15e20000000661ae91d65909a5407559fa6d5430a45d2a8af1933ead2d60eaa221e771a4dc3400000001fea512ff786bca9892fe47e37d234b129b72ecea32715bcb0864f6d58576794937728d438f88f7a8a79ea64ef2a12fda71a11720c5c78759d5f87bd5cbcd6fd	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://836d22elpjuzr49.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2989005366"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d0de72cd9fffd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://oz1t8x78rw3o35o.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://gz7k5wf8nfeo4zy.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com\ = "1097"	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://b64wxj875c0svj7.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://b6z2q7i67hcnars.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	winlogon.exe
3052	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	3052	winlogon.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
3392	iexplore.exe
3392	iexplore.exe
3392	iexplore.exe
3392	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4292	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe
2728	winlogon.exe
3052	winlogon.exe
3392	iexplore.exe
3392	iexplore.exe
916	IEXPLORE.EXE
916	IEXPLORE.EXE
3392	iexplore.exe
3392	iexplore.exe
2564	IEXPLORE.EXE
2564	IEXPLORE.EXE
3392	iexplore.exe
3392	iexplore.exe
3840	IEXPLORE.EXE
3840	IEXPLORE.EXE
3392	iexplore.exe
3392	iexplore.exe
4308	IEXPLORE.EXE
4308	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2564 wrote to memory of 1964	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	78
PID 2564 wrote to memory of 1964	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	78
PID 2564 wrote to memory of 1964	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	78
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 2564 wrote to memory of 4292	2564	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	79
PID 4292 wrote to memory of 2280	4292	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	81
PID 4292 wrote to memory of 2280	4292	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	81
PID 4292 wrote to memory of 2280	4292	99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe	81
PID 2280 wrote to memory of 2748	2280	winlogon.exe	82
PID 2280 wrote to memory of 2748	2280	winlogon.exe	82
PID 2280 wrote to memory of 2748	2280	winlogon.exe	82
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2280 wrote to memory of 2728	2280	winlogon.exe	83
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 2728 wrote to memory of 3052	2728	winlogon.exe	84
PID 3392 wrote to memory of 916	3392	iexplore.exe	89
PID 3392 wrote to memory of 916	3392	iexplore.exe	89
PID 3392 wrote to memory of 916	3392	iexplore.exe	89
PID 3392 wrote to memory of 2564	3392	iexplore.exe	98
PID 3392 wrote to memory of 2564	3392	iexplore.exe	98
PID 3392 wrote to memory of 2564	3392	iexplore.exe	98
PID 3392 wrote to memory of 3840	3392	iexplore.exe	101
PID 3392 wrote to memory of 3840	3392	iexplore.exe	101
PID 3392 wrote to memory of 3840	3392	iexplore.exe	101
PID 3392 wrote to memory of 4308	3392	iexplore.exe	102
PID 3392 wrote to memory of 4308	3392	iexplore.exe	102
PID 3392 wrote to memory of 4308	3392	iexplore.exe	102

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe
"C:\Users\Admin\AppData\Local\Temp\99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2564
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1964
- C:\Users\Admin\AppData\Local\Temp\99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4292
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2748
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:3052

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1748

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:3756

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:916
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:82950 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2564
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:17416 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3840
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3392 CREDAT:82962 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4308

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
1KB

MD5
17840a4e015271921144507847003b4b

SHA1
06eaa8a161ee10019b614700ef915c3291254650

SHA256
3a54b10809443fc881f31a5a21f1de3d058207b7a565fd19786662a7dc38636d

SHA512
ccb9ed95f52f78ef07c423d9700e31731e6892df15169ce911cd3946ea2504707b3dcc6ccf66a9c2f0abed2f77a9954292af7c1b32d173dd892b8ef6d5c8f70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\08B8D8C1791AA7714DD4D760C5F42C55

Filesize
503B

MD5
65076c459568ff05978d7ddfe4b368cd

SHA1
a5b2b8a31d0f8a9a08e93e93cb5a08a9c424b297

SHA256
b37032c67ee677df0c5cc0e4714511196ed0b307442b19abaf86c1e0a4456ae5

SHA512
f2955d30436e3aa009a9cd7236a5b028a123f968699403f10cbfdfa96e3a1aa660c3ed5e29d5682912beeca076e32a9c27cc586f4e1d6a09577f1dc9b9e0b9a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
ec8ff3b1ded0246437b1472c69dd1811

SHA1
d813e874c2524e3a7da6c466c67854ad16800326

SHA256
e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab

SHA512
e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
1KB

MD5
676104ca857ff7d329d05f54d88acc1f

SHA1
798a6028f0c6187c5a6fd17d34b4f49f234b46fe

SHA256
268539f073520f01393d2e6628fece9ae9112ade08f788170dbd2f58c4bac8ba

SHA512
5b50693313b42a5a71c19658e07ca0fb3904d56e8ecdcb2ee380fac713d8310fd6d4eba1974dde566d453ce5bc14f1a122543aa954ccc73d03dac827ad9502dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
ae7674294f5a17ef8761b33ac4dad848

SHA1
30a771e623dd1e3cb8694bb5f71393aaa9e87b6a

SHA256
cac85ed50ce25c45d5093aaaa231a0d1cd9667f47bd2312947070ba202c5d96b

SHA512
ab4a0adbe606ac6b1b8c87fb24fa23c7fdd23fbdcfb616f24fe1269dd4d409c45d7b64cdf65b08caa13e88b4461b29d2bded7e197120a7f65a525c2c5e905a5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9

Filesize
1KB

MD5
1519171ba0e9b6aabdd22495c93b43f8

SHA1
da916b57522c4c4cbac2aedc3354bc6c69a56270

SHA256
dfb271a64ffabd0110e6c943e6052fca6dcb7cc738c9cc4c03ce3732361fa318

SHA512
7392b921cdb6419c616d744e9556b09d38a2e0956cf0ee0687aba4b4ff75ad7692440afa6d99daeea67f0c07197b466990d6d2c6e4d3567cd8f15b0750dcff2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
7055fbc792b81e2fcdb72da9d3e6ad81

SHA1
dec614359d5d9e76c20aadd3d467037e6a9665ff

SHA256
0eb7311d9c9d181942fd9c9ff0217a360ae91829d0dd6df95a8247625eccae34

SHA512
b1a94b289211cba78d11888c30d2e6b16fb21fc21476c69e8c9ae618f169ca02f6ddaeac72e1e8bce3a0ea9f4bfbd4e47005703963b6cdf46773d27c34e16f5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
ad6d84486c3194ab2f71ef94912fdddc

SHA1
89aeb9ea77a27510b11762db5acef5654b62ea4b

SHA256
437fe72dd5a616c3db9a8e0c4823731abdd627641879ed511e9cf86994492789

SHA512
0e37e80588d96a6fb9fe34c0d34d688bb64f3540185fa9e2cb1ed0504229003f3bc31be717a390d3acc668bbfb7a1645cc52bb9e4235afc85a23653ead8ad09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9

Filesize
458B

MD5
9863f63717e6c26c3bbada96782d7d12

SHA1
8f885a7de53087fe81bd10050840d7fd901ce076

SHA256
779d43cab161712374ded0d2aee802034802cb47d466c5d4a63803d0d394ca42

SHA512
8346bc979aecfea75f52e8dc8fd9104608eb6246d8d7e9cfabdaf34a1dabf47ef03f3868e1f76622dff9bdaf29f79b52ddc36bd5e2102bafc67078550779a84b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\08B8D8C1791AA7714DD4D760C5F42C55

Filesize
548B

MD5
0364838883189c4de8bb77bc0ac4fa9b

SHA1
d8f25c00129ef306a7fbb48ca9d0febf18d62a6f

SHA256
a01f5cbfc9e107639c4f44942a2c9805b13c6338193b87eca75b1381f7108e05

SHA512
6d00596cafe03456bebe21564a0f698b3c89b4670c3ade300a06ced2c36e8c576a06feabae2a4104b9a4afd54da6ac9acbc9c66b42e5e2fe3a4cc46b57ac22bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
826ca7981c321fa5edd672e40c92b5ec

SHA1
508bfc9d8b9998312f5efe730ecf4010513a727e

SHA256
4936553b007bcdc4ffa8ac3fb88d21ca7b995cbbddcebcaee829e6526718c18e

SHA512
0eb1d00d28fddd59ccaca3b43b03052f008f42118c82e766c709c6f117b604f3bd64fe47d087473e89f9af49bd0707588cd6c95ab46540c2479c9c90189b954a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771

Filesize
450B

MD5
db0b4a99c3cdc32bfb1cf75afbb42d64

SHA1
809186c956ca38acbb4a16b6fcbc758fb15ea3d7

SHA256
0189a001dd67e810f0bdbeff01027a9d563f86fea5cfde6a572067f2d368bb08

SHA512
cd0fb182782b9c0655669401774cadd2695c8df52ac3388379e2ae9adcf55f0ebd43cc9addc66c7151c53a2a59228cc115f36d544be6c062cabebdd79901a79f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
74bd3e3c0396f5eef61439abd09f602a

SHA1
3e181d1077b6cca8e4b9aaa3f8dee019d11ed6dd

SHA256
dc3e5eca1203786b53c1dbd8671e863ce26f2229a33df0081f722facd88f6e4a

SHA512
a29fe595e10309f2246f09e2e8d41cb5514b4ae4a1c864dce773f41e34658f0631f361899c4af80a55ff75d74865c0c05e1e356413903ee4410915b72ce42468

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9

Filesize
184B

MD5
edf0d36c5851d8def0a437a526ae71bd

SHA1
7eb9dbe9c99ee1f5ae5347d6b5c852f28a142ae0

SHA256
396be8e8e769310ab29864bb129cfc3b02a171ec73eb8aef52131cacb868ae37

SHA512
c9dc8a9bc9bf9f39081a7b956e552983770aa57e867dcbff030ee190d6fab058bcf80fdf5915484fbdf52c16639b207e6abe7c94fb817cfcbf03fa3b6d5fe369

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
1d5625e6ba0053cde6b255a112d28d3d

SHA1
b7ed37bd64180e650e6c78d138f586ea3a2ec428

SHA256
b99b12e9b5e8582d6371fa777337c1c2d411c26879f99eca0975c1ea44a710c2

SHA512
fee8a98188cc9498d6fc05c76e55ca373db4e1ed4f6df6597882e0fd0646e64ac2ccf7118cdce745a09c6a5bf152447ca872a0d8748e3a677dce7c5d61e6a174

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
936a2264b170ee179e05bd8f2a828349

SHA1
875da3911ce8f8015552e73ffe2d3539dd3a60f1

SHA256
3faae420e8ee7d41c8b265b416855ce20097e6e6afcdf4de437bee777dd8279a

SHA512
0edd62675358c73a547d3b34ba428cad6ac79c89061ce153c929fda1cbeb1bcaa7fa0ec1fecd3411db5fc0e02adc51bdc8be066e0a2eb2c553c0a53ad605a454

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
97039cea8b1cba973b34cf5be4263451

SHA1
28fe5f0dfd3fdc31c8e131a926c6aea6175c1eb1

SHA256
d538f0eb2b8c9474030204ae89dd817bf0f5d357c1579f9169391ef7cc707c2a

SHA512
3b4d99ff523c0a3508b8b030dd58391c8ee5bce39700f2efc0376b4d6d5a4513f5c1f76ea2c011f00e7f64fbbcf43bada9a8c233e56d582e7836d00db843d4b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\N0CAD7QF\www6.buscaid[1].xml

Filesize
1KB

MD5
e34f9ad1de7cb2eb808153a97947595c

SHA1
f4abe1ff1be6efa2fb611d9f25623a9564ff976a

SHA256
55c23aa2c8b0031a3dfbe5a92876b78a2ceaab9647215ac9c4bd6a90fa716ff4

SHA512
32fa4de247756d54acdcb6eeb38b777134431541e34f525b0005e7be6a6e5264d82d6b01b225478082f7ff292edf117c1a20830e4057475469f4a7d0e01fde19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\56Z8O3K8.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DU2BEY67\PM1QZHYS.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\ETTR837T.htm

Filesize
2KB

MD5
41f66bb0ac50f2d851236170e7c71341

SHA1
59bcec216302151922219b51be8ad8ab6d0b8384

SHA256
ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073

SHA512
d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GMQ6XNBF\v4[1].xml

Filesize
9KB

MD5
4d6df0143257b3fe24dba5d9f486fd7a

SHA1
5a96ff596932a07563cbe2225459dddc7c763e2e

SHA256
78f8af944801c24abbc11b9d85d424e07e26626944a028defd201c1536a3ed23

SHA512
52a5c16f8e4a2e1372dc9899906051f1bcc5f293b42dfc95f72ae03607b2334c930931a9c5a913504c68cc1a11b06bf4d1970626a795364afd5556dc8ae040c1

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
344KB

MD5
c5e9e9f062388214b6c9584780320209

SHA1
2a1ffe871cc9e036a6239d3e9acb68bf7d7f2464

SHA256
99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d

SHA512
8e4aebb7541e7649eb79013418fddc938c351bdc10be471ab4fd6ef457568e05f44212bbd2ca32416d2d8be2a9a9288a6ae51d43e062343e1c4c4e15940a4f25

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
344KB

MD5
c5e9e9f062388214b6c9584780320209

SHA1
2a1ffe871cc9e036a6239d3e9acb68bf7d7f2464

SHA256
99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d

SHA512
8e4aebb7541e7649eb79013418fddc938c351bdc10be471ab4fd6ef457568e05f44212bbd2ca32416d2d8be2a9a9288a6ae51d43e062343e1c4c4e15940a4f25

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
344KB

MD5
c5e9e9f062388214b6c9584780320209

SHA1
2a1ffe871cc9e036a6239d3e9acb68bf7d7f2464

SHA256
99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d

SHA512
8e4aebb7541e7649eb79013418fddc938c351bdc10be471ab4fd6ef457568e05f44212bbd2ca32416d2d8be2a9a9288a6ae51d43e062343e1c4c4e15940a4f25

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
344KB

MD5
c5e9e9f062388214b6c9584780320209

SHA1
2a1ffe871cc9e036a6239d3e9acb68bf7d7f2464

SHA256
99e72c553ea20d9979773b118e0f947a9a8044e5866c5b38bfe18c8fdda7063d

SHA512
8e4aebb7541e7649eb79013418fddc938c351bdc10be471ab4fd6ef457568e05f44212bbd2ca32416d2d8be2a9a9288a6ae51d43e062343e1c4c4e15940a4f25

Download Submit
memory/2280-152-0x0000000000A70000-0x0000000000AAB000-memory.dmp

Filesize
236KB

Download
memory/2564-136-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/2728-166-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2728-165-0x0000000000A70000-0x0000000000AAB000-memory.dmp

Filesize
236KB

Download
memory/2728-154-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2728-153-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/3052-162-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-158-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-167-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/3052-161-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4292-149-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4292-142-0x0000000000230000-0x000000000026B000-memory.dmp

Filesize
236KB

Download
memory/4292-141-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4292-138-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4292-137-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/4292-134-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download