Analysis
max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 06:58
Behavioral task: behavioral1
Sample: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
Resource: win7-20220812-en
General
Target: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
Size: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
SSDEEP: 3072:OwHl/Gnrl2wGELlyzXq4D2N3v5FQLffCv7oVJNpUpnrT8vp:tB4rlryzIFQLfqvsPfSUv
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 14 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Modifies security service 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Disables RegEdit via registry modification 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
Processes: winlogon.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Executes dropped EXE 3 IoCs
Processes: winlogon.exe, winlogon.exe, winlogon.exe
pid | process
2040 | winlogon.exe
1760 | winlogon.exe
1696 | winlogon.exe
Sets file execution options in registry 2 TTPs 64 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav530wtbyb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Filemon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpexec.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95_o.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fix-it.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup_flowprotector_us.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsshld.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guard.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavlite40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rulaunch.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirus.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvapsvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supporter5.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepsrv.sys.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjscan.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Processes:
resource | yara_rule
behavioral1/memory/1124-55-0x0000000000240000-0x000000000027C000-memory.dmp | upx
behavioral1/memory/1832-58-0x0000000000240000-0x000000000027C000-memory.dmp | upx
behavioral1/memory/948-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/948-60-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/948-61-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/948-65-0x0000000000400000-0x000000000041C000-memory.dmp | upx
\Users\Admin\E696D64614\winlogon.exe | upx
\Users\Admin\E696D64614\winlogon.exe | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral1/memory/948-72-0x0000000000400000-0x000000000041C000-memory.dmp | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral1/memory/2040-77-0x0000000000E90000-0x0000000000ECC000-memory.dmp | upx
behavioral1/memory/1696-82-0x0000000000400000-0x0000000000443000-memory.dmp | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral1/memory/1696-87-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1696-88-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1760-92-0x0000000000E90000-0x0000000000ECC000-memory.dmp | upx
behavioral1/memory/1760-93-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1696-94-0x0000000000400000-0x0000000000443000-memory.dmp | upx
Drops startup file 1 IoCs
Processes: winlogon.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
Loads dropped DLL 2 IoCs
Processes: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
pid | process
948 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
948 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext 3 IoCs
Processes: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe, winlogon.exe, winlogon.exe
description | pid | process | target process
PID 1832 set thread context of 948 | 1832 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2040 set thread context of 1760 | 2040 | winlogon.exe | winlogon.exe
PID 1760 set thread context of 1696 | 1760 | winlogon.exe | winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel 2 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
Processes: winlogon.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://b994diluz21zmm1.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00cc280cd300d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://3k4wm683yt5k73q.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{30DBE051-6CC6-11ED-BB27-6A94EDCEDC7A} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d832ac2a114b7741a02b44777b630b2f000000000200000000001066000000010000200000005a837e31ca07d127f52da3e0d10627fa6c2afd6eaa7567ee6dabe94643ca197e000000000e80000000020000200000004ac43cfcea365e0fca1173c2bbd000df94d3c20e8478ef59d931f88b719460e2200000001f7951034a816b138627d741215aed6ad519c98a23d56ca4b1052ba5b499b588400000005d1d61f5579c12d56da6282138ed14dd4680947d269306af293fb596fe2389377f117c9e6bbb7bc57eeb2ce623774a621fbe43d3cc406fb520e566d275cfe8e1 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://s8p6oh7w0k1634b.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://i7717q4uk7203ux.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://hw0m441l9jr066g.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://x2m58e58fsjid3h.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://7051uhxuwp9zowp.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in source] | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376148382" | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://u94pme19s366662.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://5qv981aodr8x15i.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://fzqei322b6fz47z.directorio-w.com" | winlogon.exe
Modifies registry class 24 IoCs
Processes:
winlogon.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\http winlogon.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
winlogon.exe
pid process
1696 winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
winlogon.exe
description pid process
Token: SeBackupPrivilege 1696 winlogon.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes:
iexplore.exe
pid process
1508 iexplore.exe
1508 iexplore.exe
1508 iexplore.exe
1508 iexplore.exe
1508 iexplore.exe
1508 iexplore.exe
-
Suspicious use of SetWindowsHookEx 27 IoCs
Processes:
da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe winlogon.exe iexplore.exe IEXPLORE.EXE IEXPLORE.EXE IEXPLORE.EXE IEXPLORE.EXE IEXPLORE.EXE
pid process
948 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
1760 winlogon.exe
1696 winlogon.exe
1508 iexplore.exe
1508 iexplore.exe
844 IEXPLORE.EXE
844 IEXPLORE.EXE
1508 iexplore.exe
1508 iexplore.exe
1496 IEXPLORE.EXE
1496 IEXPLORE.EXE
1508 iexplore.exe
1508 iexplore.exe
520 IEXPLORE.EXE
520 IEXPLORE.EXE
1508 iexplore.exe
1508 iexplore.exe
632 IEXPLORE.EXE
632 IEXPLORE.EXE
1508 iexplore.exe
1508 iexplore.exe
844 IEXPLORE.EXE
844 IEXPLORE.EXE
1508 iexplore.exe
1508 iexplore.exe
2304 IEXPLORE.EXE
2304 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe winlogon.exe iexplore.exe
description pid process target process
PID 1832 wrote to memory of 1168 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe svchost.exe
PID 1832 wrote to memory of 1168 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe svchost.exe
PID 1832 wrote to memory of 1168 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe svchost.exe
PID 1832 wrote to memory of 1168 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe svchost.exe
PID 1832 wrote to memory of 1124 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1124 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1124 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1124 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1084 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1084 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1084 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1084 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 896 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 896 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 896 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 896 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1900 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1900 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1900 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1900 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1624 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1624 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1624 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 1624 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 1832 wrote to memory of 948 1832 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 948 wrote to memory of 2040 948 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe
PID 948 wrote to memory of 2040 948 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe
PID 948 wrote to memory of 2040 948 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe
PID 948 wrote to memory of 2040 948 da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe winlogon.exe
PID 2040 wrote to memory of 276 2040 winlogon.exe svchost.exe
PID 2040 wrote to memory of 276 2040 winlogon.exe svchost.exe
PID 2040 wrote to memory of 276 2040 winlogon.exe svchost.exe
PID 2040 wrote to memory of 276 2040 winlogon.exe svchost.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 2040 wrote to memory of 1760 2040 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1760 wrote to memory of 1696 1760 winlogon.exe winlogon.exe
PID 1508 wrote to memory of 844 1508 iexplore.exe IEXPLORE.EXE
PID 1508 wrote to memory of 844 1508 iexplore.exe IEXPLORE.EXE
PID 1508 wrote to memory of 844 1508 iexplore.exe IEXPLORE.EXE
PID 1508 wrote to memory of 844 1508 iexplore.exe IEXPLORE.EXE
PID 1508 wrote to memory of 1496 1508 iexplore.exe IEXPLORE.EXE
-
System policy modification 1 TTPs 6 IoCs
Processes:
winlogon.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe "C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe" (depth 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe (depth 2)
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe "C:\Users\Admin\E696D64614\winlogon.exe" (depth 3)
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe C:\Windows\system32\svchost.exe (depth 4)
-
C:\Users\Admin\E696D64614\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe "C:\Users\Admin\E696D64614\winlogon.exe" (depth 5)
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\wbem\unsecapp.exe C:\Windows\system32\wbem\unsecapp.exe -Embedding (depth 1)
-
C:\Program Files\Internet Explorer\iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding (depth 1)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:275457 /prefetch:2 (depth 2)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:603145 /prefetch:2 (depth 2)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:472078 /prefetch:2 (depth 2)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:603158 /prefetch:2 (depth 2)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1508 CREDAT:930854 /prefetch:2 (depth 2)
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads