Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system -
submitted
25-11-2022 07:20
Static task
static1
Behavioral task
behavioral1
Sample
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
Resource
win7-20220901-en
Behavioral task
behavioral2
Sample
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
Resource
win10v2004-20220812-en
General
-
Target
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
-
Size
1.3MB
-
MD5
871630d7cd2880715ab79290a09859c7
-
SHA1
5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391
-
SHA256
a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978
-
SHA512
f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9
-
SSDEEP
3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 14 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
-
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
-
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
-
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
-
Executes dropped EXE 3 IoCs
Processes:
Processes: winlogon.exe, winlogon.exe, winlogon.exe
pid | process
1480 | winlogon.exe
948 | winlogon.exe
980 | winlogon.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgemc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\espwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscan.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isrv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nmain.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\earthagent.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icssuppnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwin9x.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bd_professional.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symproxysvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcontrol.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecengine.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-agnt95.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | winlogon.exe
-
Processes:
resource | yara_rule
behavioral1/memory/1748-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1748-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1748-59-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1748-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1748-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1748-71-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/948-87-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/980-88-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/980-92-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/980-93-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/980-97-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/948-98-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/980-99-0x0000000000400000-0x0000000000443000-memory.dmp | upx
-
Drops startup file 1 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
-
Loads dropped DLL 2 IoCs
Processes:
Processes: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
pid | process
1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
-
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes:
Processes: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe, winlogon.exe, winlogon.exe
description | pid | process | target process
PID 1544 set thread context of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1480 set thread context of 948 | 1480 | winlogon.exe | winlogon.exe
PID 948 set thread context of 980 | 948 | winlogon.exe | winlogon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
-
Processes:
Processes: winlogon.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://4nl3s333s62jwk5.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://1yen04z1g51klu4.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376146408" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://345374z21r7jp2k.directorio-w.com" | winlogon.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0ca9069ce00d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000004e807c8827a3b7b668465365e66694575c7e5ad5a062361adb1711023b374ab000000000e80000000020000200000006ba96d15ec34e537e3719bfba50b046e8b9358a665d2944ff0da09d979a2d5c5200000000471b370fc4e48777aa5d6f1ddf4ba1247e7217086ebe60eaa40b338992f543040000000f0db2ae184644b5d2a7d780cdaea52e3f5cb853a83af7cf0387e58038569716b2ec6e9155037d9bd9ac510818d420cf6f5373b3aa10b9afed1c8b6f1cfdc3945 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9B5740A1-6CC1-11ED-BDDC-626677DD231B} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://8op9omlqbw87r5j.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://83b2tt9s36svr2l.directorio-w.com" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://mxowk4n132gkika.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://003pqq5w59t13g1.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed during extraction] | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://9i7yy7s1k0uv6og.directorio-w.com" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://y54i12cwnpai041.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://95v9l86ai4z581e.directorio-w.com" | winlogon.exe
-
Modifies registry class 24 IoCs
Processes:
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: winlogon.exe
pid | process
980 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: winlogon.exe
description | pid | process
Token: SeBackupPrivilege | 980 | winlogon.exe
-
Suspicious use of FindShellTrayWindow 5 IoCs
Processes: iexplore.exe
pid | process
1924 | iexplore.exe
1924 | iexplore.exe
1924 | iexplore.exe
1924 | iexplore.exe
1924 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 25 IoCs
Processes: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe, winlogon.exe, winlogon.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
948 | winlogon.exe
980 | winlogon.exe
1924 | iexplore.exe
1924 | iexplore.exe
1328 | IEXPLORE.EXE
1328 | IEXPLORE.EXE
1924 | iexplore.exe
1924 | iexplore.exe
1364 | IEXPLORE.EXE
1364 | IEXPLORE.EXE
1924 | iexplore.exe
1924 | iexplore.exe
1488 | IEXPLORE.EXE
1488 | IEXPLORE.EXE
1924 | iexplore.exe
1924 | iexplore.exe
2072 | IEXPLORE.EXE
2072 | IEXPLORE.EXE
1924 | iexplore.exe
1924 | iexplore.exe
1328 | IEXPLORE.EXE
1328 | IEXPLORE.EXE
980 | winlogon.exe
980 | winlogon.exe
-
Suspicious use of WriteProcessMemory 53 IoCs
Processes: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe, a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe, winlogon.exe, winlogon.exe, iexplore.exe
description | pid | process | target process
PID 1544 wrote to memory of 1584 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | svchost.exe
PID 1544 wrote to memory of 1584 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | svchost.exe
PID 1544 wrote to memory of 1584 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | svchost.exe
PID 1544 wrote to memory of 1584 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | svchost.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1544 wrote to memory of 1748 | 1544 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
PID 1748 wrote to memory of 1480 | 1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | winlogon.exe
PID 1748 wrote to memory of 1480 | 1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | winlogon.exe
PID 1748 wrote to memory of 1480 | 1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | winlogon.exe
PID 1748 wrote to memory of 1480 | 1748 | a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe | winlogon.exe
PID 1480 wrote to memory of 676 | 1480 | winlogon.exe | svchost.exe
PID 1480 wrote to memory of 676 | 1480 | winlogon.exe | svchost.exe
PID 1480 wrote to memory of 676 | 1480 | winlogon.exe | svchost.exe
PID 1480 wrote to memory of 676 | 1480 | winlogon.exe | svchost.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 1480 wrote to memory of 948 | 1480 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 948 wrote to memory of 980 | 948 | winlogon.exe | winlogon.exe
PID 1924 wrote to memory of 1328 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1328 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1328 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1328 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1364 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1364 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1364 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1364 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1488 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1488 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1488 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 1488 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 2072 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 2072 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 2072 | 1924 | iexplore.exe | IEXPLORE.EXE
PID 1924 wrote to memory of 2072 | 1924 | iexplore.exe | IEXPLORE.EXE
-
System policy modification 1 TTPs 6 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
Processes
-
(depth 1) C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe"
  PID: 1544
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Windows\SysWOW64\svchost.exe
    Command line: C:\Windows\system32\\svchost.exe
    PID: 1584
  (depth 2) C:\Users\Admin\AppData\Local\Temp\a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978.exe
    PID: 1748
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    (depth 3) C:\Users\Admin\E696D64614\winlogon.exe
      Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
      PID: 1480
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      (depth 4) C:\Windows\SysWOW64\svchost.exe
        Command line: C:\Windows\system32\\svchost.exe
        PID: 676
      (depth 4) C:\Users\Admin\E696D64614\winlogon.exe
        PID: 948
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        (depth 5) C:\Users\Admin\E696D64614\winlogon.exe
          Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
          PID: 980
          - Modifies firewall policy service
          - Modifies security service
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Sets file execution options in registry
          - Drops startup file
          - Windows security modification
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - System policy modification
-
(depth 1) C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 1668
-
(depth 1) C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 1924
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  (depth 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275457 /prefetch:2
    PID: 1328
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  (depth 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:865287 /prefetch:2
    PID: 1364
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  (depth 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:275473 /prefetch:2
    PID: 1488
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
  (depth 2) C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1924 CREDAT:865301 /prefetch:2
    PID: 2072
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 79341a72b77d23e92e284c609042d185
  SHA1: abf2442e615b28ac099c688be99b89e6355573c4
  SHA256: 0cd273ef624d3e69706595982ee7b74e4e04a6215365b26e77d140442b099ade
  SHA512: 959810157c0c9af762427aa7810790a82be5a5c28db50c2af64c730aa9bb3e2e8185e88fb5a5812a32f88aeabfaa411c0eba237f7dfd862932223c307c219bf3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 472B
  MD5: 76544babbcf6515110bd81aaee8e7e63
  SHA1: 043497692868c67ac84cdfe70d0a484517abd1c2
  SHA256: a19d5958d683662375a2469d1d7e551188469b967eb6f2bae2d5e43dac51a4f0
  SHA512: a23198710b8898b9fe8f9d62841567995b30be60938ebba2a3aad94c4dc7687d5e5d188f3388f939d27833e44a9aec275cdadc815e01d6ce32ae3b9b07d4a561
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 1KB
  MD5: b8914a9f1a906f927cccce6ced9b2d0a
  SHA1: 416b18e429e5666f291b0b1c2a027540ccac9d98
  SHA256: 368fea95d9e90df28a6bfddc6b5a4541a082e521f28dca1fda3c0451926fa10d
  SHA512: c182123030362c722735903641739a02f42a625f0a0080495b99a70150bbfb5e7a81cb6c88a0bf21b5547308621e1b487947298c8c5ab302b94a7e4bb72190d7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: 3dcf580a93972319e82cafbc047d34d5
  SHA1: 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
  SHA256: 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
  SHA512: 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 1KB
  MD5: d416222752f135ed236e638a9446d727
  SHA1: 705876fb8232b28d61bc23d3a48a42ad293106ed
  SHA256: d86e5758fb2d4f5cb0ea9be687e11c7056f094dc24a445971c75e23b97e8d24b
  SHA512: 25f495232f2f28d41335eaed9a400af4e2942b0d25997b171b9ea9d06a42ebe316a7456d5b08814b47ab924f2f4db0ccad6726a8c62382fa1d3c004e56bcb555
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: f569e1d183b84e8078dc456192127536
  SHA1: 30c537463eed902925300dd07a87d820a713753f
  SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: 606b5269fae05310e697bc154a0ae2b2
  SHA1: adf7729cc7c9f3bc7617ae97c8c7dd22f1f2b2ca
  SHA256: 430d0e85649f5f8cf05a12fe606db076c2c48c9effd2d5c64334a3442e644733
  SHA512: 2ba9b37718423b1525fa9214a2813ac3f7168756150b62c713c7574f16ac83ac4257eaa662a7fe85bf2f1686b45b17cf992cfdf988b885fc5306d4371dcf3235
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 402B
  MD5: 5619032c9797eaf84babe0ca81132c00
  SHA1: b083811f08660b836d56a96a6860b7160d3f1367
  SHA256: e6ebea9aff716218580680b0dc551bf38f2a5b2ac3bba87f62008b5260067d28
  SHA512: d82d2ae5c55a6b7639fc2fba2c877775026db035fe643267347140501ce9593daa7606cf345efde7646ba4ce249994d1ca5dbf0848a6633474a40f393c1a84fd
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 466B
  MD5: d6d82d9f2e0074ef3c749d4138483462
  SHA1: ffe47f42132fde058727005de5af298d6f8cee4d
  SHA256: 68e8ba3eabaffebaeb94181ae6417098b7b62c9f78f5a3f10dbec371100474d8
  SHA512: 05f659cc42871c6677624fc67daa5ba0663a3b0eddf1853f961334a342c872c29435339bfd80402f59532f29ffa86dfd1893ecff25d9786a9071c2a0d55425ac
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9e591a112b19116fb0fba5b738139b38
  SHA1: 67fc75e89e8d228929e7f079caa7e4e2e6296bd0
  SHA256: 87b630dc4aa2a1cb02ce7b26321d37626a97f511cf2d0cd7465e9d12f36abc0c
  SHA512: bc42d48c21fcd035e786e791c8a1fca2d5b5ebca66ef077be52b17de0af5c599e69a815cea2f85f1d6638f713ab29e6612cbf87a9920bace4b84f6e56913c8f4
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 03c976a1ddfad979205837c2305c7f5b
  SHA1: 574168cf7d1fbe8969d62666448be59b414172c3
  SHA256: a4caaae3edcedd6bb3a3ee67ae3ee50f2cf7e1227e94ceb16db2617654bc0531
  SHA512: 1e7f4cfd0f4058617c7e707ee215aeac2df72a249e9e9247218c16a3170aa4fc76d6db395a2afabc75ae922ce8732377fbe6b80ef93732a5a5afcb8fd98bf4e7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 048611e4024db219ef93b016305474bd
  SHA1: a81623cd399da807ca2ae1bbe8185f9a77128ca1
  SHA256: dd23ffe23e4c708dd596021cb370c8b478a46a830c64724f04db8067723da232
  SHA512: 1014a91d0d802d099e44b7c66dd58b63bd2a9e7afa3c21fc52fb62c357a87105fe190ed498ab3c8bf4df324b793398c1e2b24d3c3bdffc6e76177c33e26d4418
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 33106b549547c6ce26db8264ef55db96
  SHA1: 4d874f4200bae3407b7b9a6c20e735633e45b525
  SHA256: 1761d3879b738579a895c263596aec1eecba310bece993253e8bebe6f730e5d5
  SHA512: a967c1635b97f9dd4f29c08df5544310256fac464bc751253005d04f8f841de10143ed9c7b39b0d4a2c44b669f58edbf87498942d9fac23c5a456915939def7a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: cc674dc3d8db83086cbf38d3207f1919
  SHA1: 09ca54a2dcd439343c1d181941375e613e6d9f33
  SHA256: 94091a0057b16549468b304a936cbfa9c96431b9e93906d882d9051cafa42f5b
  SHA512: d757c4ba19e9b41555e897787540f311952278d882566244ea2dcc7ef2d2653a06a5e90d6748a0f6f4589acbaec9456003f47a7bb739a5ad9c6be5c03ff7055d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 470B
  MD5: c534638095ccc41f7b3725ce2e3ceed5
  SHA1: fdf3c1ebe1b0adb4ab00dd4ea6e50f8a76eb711f
  SHA256: 256a83fa61ce438747f40fe0eba4d99f3a4374bfb5e052714056c3f7a9d4683d
  SHA512: 343fca52fdab8f3e68e29580fb1944e09bfc203710700761d7ace7373ac4ce8881f6d51a306902f7e719d5c8ce156c56f9e002dd9012cef33a3bba5bdb463ec9
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: 12c48381d21eca192027a51abe4eaaf1
  SHA1: 1a527cb16f1f88661e3e48bb5a026955c8479f60
  SHA256: 5efb3dd23f9e6c461a7453094cd0b659b0171cbf30a37290a0118f89d25fdb0e
  SHA512: e8716b6f5d1aa132fb7b7cab3e9122be9a04ab39c1959e5cfb5b7889f4ac962cbdff97c22c20e76a786f95441ec59557b627f59a002e833c21eef59a38dcbccf
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: b86d0a312c208c9543bbd26e1c0cec16
  SHA1: d1398ff016f120d4c853abdae1d26e9d8d563606
  SHA256: fd1f94193d3ffb073c07a3673739b68635ffb2f5d60aacb9cd4afedc25142eac
  SHA512: 563d0b50340cc20686cf1a12ba4f3d569c6133cb1560b81d513cdb7ae67ddc5ff9d99827d3b27d29044fca42972c35ce1ea1a8068749f2c18eaf0c6c6a8ade3f
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1S76D4TI\www6.buscaid[1].xml
  Filesize: 13B
  MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WOIIJH8D.txt
  Filesize: 601B
  MD5: 1778fd76718e46a4a56a76ca574e4206
  SHA1: e1a40696712a696460ca12d21cdccf35bc852594
  SHA256: 2143e66501f38a9adca1f77b654829c55f638f98cb2e15b7183e324969899c15
  SHA512: d5aa5a62cacf2c4368eb2ab1101a40a288c85231e51e232404687875bed458710506dc6e001545e4ea4182b1897382ba68e464a1e9f87b383608ef0afc013419
- C:\Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.3MB
  MD5: 871630d7cd2880715ab79290a09859c7
  SHA1: 5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391
  SHA256: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978
  SHA512: f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9
- \Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.3MB
  MD5: 871630d7cd2880715ab79290a09859c7
  SHA1: 5d733eb1bd95b9e3a5d2b9f5d06d5d9027960391
  SHA256: a2458a9f5db85e7c14ca90ef4ea0287d51d56a11173ecbf7af18ffaec1e07978
  SHA512: f12244a30bc1ec4be22a9839bc33df7f94c178826f5454c8d42c001f88513d0fa32b921ae5c2a1842d256c3eb39daf738afbdbcecd21220792be17a85c06eac9
- memory/676-72-0x0000000000000000-mapping.dmp
- memory/948-87-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/948-98-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/948-79-0x000000000041ABB0-mapping.dmp
- memory/980-93-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
- memory/980-89-0x0000000000441740-mapping.dmp
- memory/980-88-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
- memory/980-92-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
- memory/980-120-0x0000000003BB0000-0x0000000004C12000-memory.dmp (Filesize: 16.4MB)
- memory/980-97-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
- memory/980-99-0x0000000000400000-0x0000000000443000-memory.dmp (Filesize: 268KB)
- memory/1480-69-0x0000000000000000-mapping.dmp
- memory/1584-54-0x0000000000000000-mapping.dmp
- memory/1748-71-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-63-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-62-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-60-0x000000000041ABB0-mapping.dmp
- memory/1748-59-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-58-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-56-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-55-0x0000000000400000-0x000000000041C000-memory.dmp (Filesize: 112KB)
- memory/1748-66-0x0000000075681000-0x0000000075683000-memory.dmp (Filesize: 8KB)