Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-11-2022 06:58
Behavioral task: behavioral1
Sample: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
Resource: win7-20220812-en
General
Target: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
Size: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
SSDEEP: 3072:OwHl/Gnrl2wGELlyzXq4D2N3v5FQLffCv7oVJNpUpnrT8vp:tB4rlryzIFQLfqvsPfSUv
Malware Config
Signatures
-
Modifies firewall policy service 2 TTPs 18 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winlogon.exe
-
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
-
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
-
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
-
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
-
Disables Task Manager via registry modification
-
Disables taskbar notifications via registry modification
-
Drops file in Drivers directory 1 IoCs
Processes: winlogon.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
-
Executes dropped EXE 3 IoCs
Processes: winlogon.exe, winlogon.exe, winlogon.exe
pid | process
3656 | winlogon.exe
1496 | winlogon.exe
5116 | winlogon.exe
-
Sets file execution options in registry 2 TTPs 64 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\callmsi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleaner.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcciomon.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guarddog.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notstart.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcleaner.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drwatson.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sofi.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SrchSTS.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hwpe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinntse.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\EXTEXPORT.EXE | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mspatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmias.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwsc.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\update.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nprotect.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gibe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\routemon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\RDRSERVICESUPDATER.EXE | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netscanpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vfsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe | winlogon.exe
-
Processes:
resource | yara_rule
behavioral2/memory/2416-132-0x00000000005A0000-0x00000000005DC000-memory.dmp | upx
behavioral2/memory/2416-133-0x00000000005A0000-0x00000000005DC000-memory.dmp | upx
behavioral2/memory/5052-137-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/2416-139-0x00000000005A0000-0x00000000005DC000-memory.dmp | upx
behavioral2/memory/5052-140-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/5052-141-0x0000000000400000-0x000000000041C000-memory.dmp | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral2/memory/5052-147-0x0000000000400000-0x000000000041C000-memory.dmp | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral2/memory/3656-152-0x0000000000330000-0x000000000036C000-memory.dmp | upx
behavioral2/memory/1496-158-0x0000000000330000-0x000000000036C000-memory.dmp | upx
behavioral2/memory/1496-159-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral2/memory/5116-161-0x0000000000400000-0x0000000000443000-memory.dmp | upx
C:\Users\Admin\E696D64614\winlogon.exe | upx
behavioral2/memory/5116-164-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/5116-165-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/5116-168-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral2/memory/1496-169-0x0000000000400000-0x000000000041C000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
Drops startup file 1 IoCs
Processes: winlogon.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
-
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
-
Suspicious use of SetThreadContext 3 IoCs
Processes: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe, winlogon.exe, winlogon.exe
description | pid | process | target process
PID 2416 set thread context of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 3656 set thread context of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 1496 set thread context of 5116 | 1496 | winlogon.exe | winlogon.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies Control Panel 2 IoCs
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
-
Processes: iexplore.exe, IEXPLORE.EXE, winlogon.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d21a1ab6219cbe438ffc21e1bf8d6cd2000000000200000000001066000000010000200000004d76b6b1acef077b850f6ded087f088ccca8841beb819c67f2e3cd6927947ebc000000000e8000000002000020000000d50d7e70e08b5881c722af1eba99a29bb12e6ff36e2571e8ba075d1cf1c5bda22000000019c0d129b2dd68329dc2788f3147ec3fc7598dea9e203d995ae8393bc0ed3fda400000006eb7532a87e3aab38ceadcb040f815745ef68c853b7ffaa7184f9d45bf597047c56724c452b8b862c73cc48ff3f23b81030d6cb11b752697b976685f6efff645 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "535089212" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0062981fd300d901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998739" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "535089212" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4B03F5E5-6CC6-11ED-B696-466E527D41B2} = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "30998739" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://5qj416o6uenl44l.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "535089212" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d21a1ab6219cbe438ffc21e1bf8d6cd200000000020000000000106600000001000020000000b95674d12d7b6bebe2ffe1ecdacdab082e1ef824e4625c965fede79527d93ec7000000000e80000000020000200000004ca4c7a37c8353fd033caa3a8de8aafdcc9889f4fea4c5380fa0f9c74fcae348200000002b9c9ef50708b02028a51d4c77ee3bdf46808f8b33c01d8e7f2dd50a00a1fb3b40000000b29fe557db6779b008a46e76494cc54d482cadc04f2dd740fbc6dcc68a4387d29ec2b4238e9c1f13d7ff5d090409ecc4d1d4e9afa35ba058fc877bb54f102477 | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://mslym73n93v7lsu.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d21a1ab6219cbe438ffc21e1bf8d6cd200000000020000000000106600000001000020000000977bfee949bd158cf25d8be5916208bacb7f35d646050032de672a0d5f6f2092000000000e8000000002000020000000c642aaae49dd1a925ab0fba5a13d774b88fe7f6de3466e00002703f48d0f0a4820000000b5ff23f3df7806cee05353684e07103c34238e89a144fdfa0d444571fc0c97c24000000056f82e0a5abdb0f1e98d243be5d1cae9d2b97625951f00408a44336cc6f46ccc86cfe93b946728b006fb8c4ac9d124b8725bedc33c5c5d3d1556c6799cff57f6 | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04af42bd300d901 | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://4o4lh7do129l132.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://6zjj56x5h521z25.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com\Total = "1097" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 302c2f16d300d901 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://bl6z408nmobx2q1.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://05821x5da15x544.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www6.buscaid.com\ = "1097" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "535089212" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "1097" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Download | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4056bf32d300d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "30998739" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "662434955" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://7s7hv78m0bz7iik.directorio-w.com" | winlogon.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d21a1ab6219cbe438ffc21e1bf8d6cd2000000000200000000001066000000010000200000009b8e6dbf7d6f6ca71246e486351af25ad1088e68c40ede788b3c4c1ce78475f1000000000e8000000002000020000000a845a928be239ab0f119bc2bb42df9236fc68f09af703b3272b283c9ddc39aed2000000092ced5ff2882650d72cb14d601446670a6c1bc60b55db7b0d6d958afcd1492414000000089efb356def729c644dfbf7aeaf22d3b088811e3e1dc71102e58c6e209c70ad33c4a25accc9dd030abe36c67376e2b8f9da45744110aba28dd7afcf53d5b0264 | iexplore.exe
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes:
winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://236t5okhf4t703o.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://96m9au69dk07262.directorio-w.com" | winlogon.exe
-
Modifies registry class 24 IoCs
Processes:
winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
winlogon.exe
pid | process
5116 | winlogon.exe
5116 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
winlogon.exe
description | pid | process
Token: SeBackupPrivilege | 5116 | winlogon.exe
-
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
iexplore.exe
pid | process
4756 | iexplore.exe
4756 | iexplore.exe
4756 | iexplore.exe
4756 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 19 IoCs
Processes:
da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe, winlogon.exe, winlogon.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
5052 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
1496 | winlogon.exe
5116 | winlogon.exe
4756 | iexplore.exe
4756 | iexplore.exe
4256 | IEXPLORE.EXE
4256 | IEXPLORE.EXE
4756 | iexplore.exe
4756 | iexplore.exe
1908 | IEXPLORE.EXE
1908 | IEXPLORE.EXE
4756 | iexplore.exe
4756 | iexplore.exe
5016 | IEXPLORE.EXE
5016 | IEXPLORE.EXE
4756 | iexplore.exe
4756 | iexplore.exe
2748 | IEXPLORE.EXE
2748 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes:
da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe, da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe, winlogon.exe, winlogon.exe, iexplore.exe
description | pid | process | target process
PID 2416 wrote to memory of 4328 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | svchost.exe
PID 2416 wrote to memory of 4328 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | svchost.exe
PID 2416 wrote to memory of 4328 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | svchost.exe
PID 2416 wrote to memory of 2108 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 2108 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 2108 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 2416 wrote to memory of 5052 | 2416 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
PID 5052 wrote to memory of 3656 | 5052 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | winlogon.exe
PID 5052 wrote to memory of 3656 | 5052 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | winlogon.exe
PID 5052 wrote to memory of 3656 | 5052 | da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe | winlogon.exe
PID 3656 wrote to memory of 1548 | 3656 | winlogon.exe | svchost.exe
PID 3656 wrote to memory of 1548 | 3656 | winlogon.exe | svchost.exe
PID 3656 wrote to memory of 1548 | 3656 | winlogon.exe | svchost.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 3656 wrote to memory of 1496 | 3656 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 1496 wrote to memory of 5116 | 1496 | winlogon.exe | winlogon.exe
PID 4756 wrote to memory of 4256 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 4256 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 4256 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 1908 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 1908 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 1908 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 5016 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 5016 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 5016 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 2748 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 2748 | 4756 | iexplore.exe | IEXPLORE.EXE
PID 4756 wrote to memory of 2748 | 4756 | iexplore.exe | IEXPLORE.EXE
-
System policy modification 1 TTPs 6 IoCs
Processes:
winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe (depth 1)
command line: "C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe"
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe (depth 2)
command line: C:\Windows\system32\svchost.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
-
C:\Users\Admin\AppData\Local\Temp\da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa.exe
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe (depth 3)
command line: "C:\Users\Admin\E696D64614\winlogon.exe"
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\svchost.exe (depth 4)
command line: C:\Windows\system32\svchost.exe
-
C:\Users\Admin\E696D64614\winlogon.exe
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\E696D64614\winlogon.exe (depth 5)
command line: "C:\Users\Admin\E696D64614\winlogon.exe"
- Modifies firewall policy service
- Modifies security service
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Executes dropped EXE
- Sets file execution options in registry
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- System policy modification
-
C:\Windows\system32\wbem\unsecapp.exe (depth 1)
command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
-
C:\Program Files (x86)\Internet Explorer\ielowutil.exe (depth 1)
command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
-
C:\Program Files\Internet Explorer\iexplore.exe (depth 1)
command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:17410 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:82952 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:17418 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 2)
command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:82958 /prefetch:2
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9
Filesize: 1KB
MD5: c1035784218995a89069bf7eed56770a
SHA1: edb7e3843aaaf74ac098cff3c8e91dace0800edc
SHA256: 314c6b0a75d27cec302c9ac5937f32bab3a10c1fbdda2d2d1a213aba5ad20d39
SHA512: 59229b6bb17938f434b0baa6ac3be3384d58fb6ffe050543ab9f6ef27b136875c9740e53358fc48208dcce7ca8356dcf503740476982c0c3ce95e27c3a65cb56
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\08B8D8C1791AA7714DD4D760C5F42C55
Filesize: 503B
MD5: c74ff3a5e1404a75a2104a1cc9e02721
SHA1: 3435780a0a850ab859afa3cd172960df5cb823b7
SHA256: 45fedcfc62ec4b46563e776676b4f6918293eec31cb42ac00a07077bf775e4ed
SHA512: a6190754cc7e8a5ca38757b8bc09af5feda007418be0f40eb2cd7cc86ed436ad7841e5fe83263918637f25d70dc351d0f5516b3851520c5dd1a20e3e7723a43e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
Filesize: 717B
MD5: ec8ff3b1ded0246437b1472c69dd1811
SHA1: d813e874c2524e3a7da6c466c67854ad16800326
SHA256: e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512: e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize: 1KB
MD5: ff7a1328d03d89f85e161952e93005e3
SHA1: aecdf98ae95f71037554588c495b547051435260
SHA256: d19e8153c488f20af0d680a62fa4b97d4936f737142fa8abe72f8eb24bff0d10
SHA512: d98ee4f86b3d12de51af1823533bfddf854a101090fc799764b973cb9c00b4c38e298055f02f41fac0091e29e81fc3433483f1186f49d7bf6c6e41e52c03c124
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 1KB
MD5: 79341a72b77d23e92e284c609042d185
SHA1: abf2442e615b28ac099c688be99b89e6355573c4
SHA256: 0cd273ef624d3e69706595982ee7b74e4e04a6215365b26e77d140442b099ade
SHA512: 959810157c0c9af762427aa7810790a82be5a5c28db50c2af64c730aa9bb3e2e8185e88fb5a5812a32f88aeabfaa411c0eba237f7dfd862932223c307c219bf3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
Filesize: 472B
MD5: 76544babbcf6515110bd81aaee8e7e63
SHA1: 043497692868c67ac84cdfe70d0a484517abd1c2
SHA256: a19d5958d683662375a2469d1d7e551188469b967eb6f2bae2d5e43dac51a4f0
SHA512: a23198710b8898b9fe8f9d62841567995b30be60938ebba2a3aad94c4dc7687d5e5d188f3388f939d27833e44a9aec275cdadc815e01d6ce32ae3b9b07d4a561
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: a42abb21be3940a88a73771b18ed0f35
SHA1: de12f2f619852ef135ee726614c43c2033ec5743
SHA256: edaf1fb1f6ca2a0caf5f4d85b3f13507bd5df4971fa9ea8a6e08c1227f1ec667
SHA512: c1f775deb2bcb2e0c48ed74dec1cd95f34690ca16d6465175d52d60ae45e746201cc608a58b6f8f080b7e6a7893993b61093c7d9ff63fa735ebaba61ddd0ebf7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize: 1KB
MD5: b8914a9f1a906f927cccce6ced9b2d0a
SHA1: 416b18e429e5666f291b0b1c2a027540ccac9d98
SHA256: 368fea95d9e90df28a6bfddc6b5a4541a082e521f28dca1fda3c0451926fa10d
SHA512: c182123030362c722735903641739a02f42a625f0a0080495b99a70150bbfb5e7a81cb6c88a0bf21b5547308621e1b487947298c8c5ab302b94a7e4bb72190d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize: 1KB
MD5: d416222752f135ed236e638a9446d727
SHA1: 705876fb8232b28d61bc23d3a48a42ad293106ed
SHA256: d86e5758fb2d4f5cb0ea9be687e11c7056f094dc24a445971c75e23b97e8d24b
SHA512: 25f495232f2f28d41335eaed9a400af4e2942b0d25997b171b9ea9d06a42ebe316a7456d5b08814b47ab924f2f4db0ccad6726a8c62382fa1d3c004e56bcb555
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 724B
MD5: f569e1d183b84e8078dc456192127536
SHA1: 30c537463eed902925300dd07a87d820a713753f
SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_B49B51C2F61192D2C0D20E671D9EF51E
Filesize: 472B
MD5: 312d6119e2a9865fd7bd8752bcf62563
SHA1: fcddb4e1098fe901119e2ec5de135e26b586f897
SHA256: ed8c44b9621baf009fe6320d2c54a97d18fad60c5cc54646ea00384a0198e734
SHA512: 50bed9947a82e244a3864fe7bd040d76ac6cb4814ed8aee4ded8442d984ef402eb23f2e53920aa00d52824b7013bf3cfcf9ad1efcd9da132d655eb2c5ecaa099
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0684275E946EA5A526A0B9446D8D1B31_8BC55A34553CE38DA9A256FD39734BE9
Filesize: 458B
MD5: 8b47bafa1a6760e128d5c3b1b4ef0e4a
SHA1: 190eeaff080a4d1646ebf51c70191e13fbfd9c63
SHA256: feefb314f9411261d3e64fe22602ab84cacc01b96dfa20a9004f6f272cd6008d
SHA512: a091f5597607daf13d7a9da6e1a6f9bd4fef8758c3beb228ae1fb81c2dfd46e58dba095e6fad4a46331040031c69c5f1235d481b39d71f3dd8c8c0e736c2955f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\08B8D8C1791AA7714DD4D760C5F42C55
Filesize: 548B
MD5: dc25ee89225507618a395ee373831d4d
SHA1: 20af3b3d7c3a8c24a2e0e767ee538fe1822dc5f6
SHA256: 7fdc2eeab8cc29c9ef97af28c35f555812c229512b29010cf85d981e1ec0a66e
SHA512: 61a4d90150fea757e37385389751d5f783e299cd0ecc004de81a38ebbe415fdc8ab82d11b8485d4ed1340cd9a7eb790185af7e1b0f025c538734d1a5ec95eb27
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize: 192B
MD5: c359587958a33aad82414a5933f00cb1
SHA1: da460a24c35956f38340e27f06a0ba32a33a865f
SHA256: 7c12e894546c8974c22af8ff472361f5c04870a0a85c056b99aa343c3d825192
SHA512: ef3efb3fa63a283be705b1e6b3be9defc3ba555bc3153c2a8556ac0c7bf10e1c8140417d1c8609c5045073c892a58e2fcbbeb445915ac919a055ae5f6fc71364
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
Filesize: 450B
MD5: 8ff5113c0eaff213ad7f99a23fe0bbfb
SHA1: eb187dca1d3e80b350fc9ac66a2d31f229ab5b2a
SHA256: 8aa12e1a90c6425a80144080eba817cf06e24fa14a4fc496336bd2b79e297e1f
SHA512: c3ebc303414e4fe0ac441860b774548c8b50a8f3257beb5620bd4ea800eb4651f3d54334c8699e9eedd2fdb51834e127f653489a5db0aa03eb61570d2e2da1a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize: 410B
MD5: bfcdf434fab7b370a11e53fa86a7448b
SHA1: c142a866bd98ced5a84d25b4fc929b3120254a70
SHA256: 4c353b48ca493f3d0793cf9bc768bde9d857ecbd2e1eb810ffa6b6fa5cb34386
SHA512: fd3b5a3d3e8c8b18e4475299afc00e4fee5aad1f97575a478f695134611baa66a9313b9c8b0629d43def7efac5c1b5b5a4041ad88695eff655f7d91530fb49c9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
Filesize: 402B
MD5: 018c9e9bb464000e0ab5910724621bbf
SHA1: 46fc2b1ad6814385ca8902eac90924888032e983
SHA256: ea28c1b245b9de214c089ad47202e3e2249d351b607cdb7f89d2d7418c2746a4
SHA512: 3ea42b3e37363eb7ac9426a920320a3d175382efdf589417d42ccc78480994f473a378163b04f4d0aaa1e1eb982e5776825520567c46a2d769943a69d657c253
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 434B
MD5: 80210abb9d5ad5627d8ba722683c118e
SHA1: fbeb4c42a6b401d99f772f223410b65988621c12
SHA256: d9576c3f2c3db0be6a5614dddd0977c5d724264a1618b9fa160c4ea6fe555b55
SHA512: b32337f6dde6370d99b0016927fae73164f3019503f4cbc3fd0d705d34c6c3c2d675f80909d48b31efaa68a1d31cb3e0da032fdc671f35335798f3fd07d300bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize: 466B
MD5: 2ea057d13184048d41722dd8dea34666
SHA1: e9259732fadda3e72463db5167da7cd3e65fa0e3
SHA256: cd53b81143dfb4b8c2bc2c89c29b5a8001ee4875e2e3f3de61daa303e58f8ae1
SHA512: 1160470f37d46eda0b94e6410a93dc20c30836c2607bc24421faf0f51f4f832f4b04ca18f8f42e621ae4dd514039d4c7ca60772b405303e0593736e224005e20
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize: 470B
MD5: 17e83f44c97c818f5cfacd89e323f88f
SHA1: b35e89c331415e4ec6d148c9704b53d3f1b3a7e7
SHA256: 855542157fdba629a39944066671fddcb1c2d35a24fd6875d13cfb1ddd7973b2
SHA512: 2fd545b2fc5f6856952c55df864269f9dd302b7e969c0389cede649e6c30346ff3901fdf198922a97c74ae33ab2b5b0e1ee01a133cee6380cf2aa9b6385d4d50
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize: 392B
MD5: b2516fbf5318fcf47e1a069b420d9e15
SHA1: 032777617ec52150ef9ee0c798e6889d4eaf0d08
SHA256: a62a449beb603d3d88039924766c412eb6d133de2f50192469dc95c9cf210a9b
SHA512: dde77066db3b6d6501839425f62aa21f378740646f059c10d5bf9bfca5047623be05d1072a8e6fbb822bf13daa2685b8164488bdd98ceaddbaebfbcc565195cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_B49B51C2F61192D2C0D20E671D9EF51E
Filesize: 402B
MD5: 42e4cce072d012aeef5eab30e5d7dc7f
SHA1: 6d3b318211488adfde975c195f9240edc9b53ccf
SHA256: 70ce29f3cbb7fdf14cb7a02bdb7e4d814072046927d9d6371b50c2886e3aec20
SHA512: b95461f72f11a40614b1d520a967200d666a452a3afa4b97db6b87070030a4fe26bfd41a658dd2c34208a9f09d3f2e888117795e8028e726b0cbb50f59c27144
-
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\P06G4KMW\www6.buscaid[1].xml
Filesize: 1KB
MD5: 3fc259591916c1882a439b910f095b02
SHA1: c74a1a037ea984c1ae95d9533a0be6c796c653a8
SHA256: 3779071cfa177a51658ece78c08b0d6321bf524b475edfcc885462cb46eed42c
SHA512: d77121a8f36cde1d0491fdb89bf0dffe28bf9bd9a243b555dc4ec54d9b35f393f5ae81d6148fb829aff4f1b7e9df67e6877e36ce38082e024b2b5f1157d62bd7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\26HZJLHZ\RB5YTRT2.htm
Filesize: 2KB
MD5: 41f66bb0ac50f2d851236170e7c71341
SHA1: 59bcec216302151922219b51be8ad8ab6d0b8384
SHA256: ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073
SHA512: d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DUHIRKGY\Q9L0335L.htm
Filesize: 2KB
MD5: 41f66bb0ac50f2d851236170e7c71341
SHA1: 59bcec216302151922219b51be8ad8ab6d0b8384
SHA256: ec99cca58b612ce268e6ada818dfcec0acc22dd1bbe372487be9abbdd07ce073
SHA512: d0d223b93236d62d60974d638d9916901c37c32a4b8ef3faebd336850bc1af8b73ce27ac57205a00d97f38ccdd0ad655c9df7e1d7da6ae89de40b173a8639fa6
-
C:\Users\Admin\E696D64614\winlogon.exe
Filesize: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
-
C:\Users\Admin\E696D64614\winlogon.exe
Filesize: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
-
C:\Users\Admin\E696D64614\winlogon.exe
Filesize: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
-
C:\Users\Admin\E696D64614\winlogon.exe
Filesize: 531KB
MD5: c4a0bfbd42a2e42e261ca21d6cf4f638
SHA1: 329e7e3425e5da6632377ebdc243cf9645bdc5bd
SHA256: da5171fca762e1e33a717a3e3cbf5a04a3bff7566f77f6c2014edb4f425c3efa
SHA512: fe71f3b2afd76d509b684c5030b078f6a128a2c9dfc16c3940f2442052fa803c53938f64cb32969db0eacf4e39bc7e0630ec28384fc19f1f5f0ec6322e76a5d3
-
memory/1496-169-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/1496-159-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/1496-158-0x0000000000330000-0x000000000036C000-memory.dmp
Filesize: 240KB
-
memory/1496-149-0x0000000000000000-mapping.dmp
-
memory/1548-148-0x0000000000000000-mapping.dmp
-
memory/2108-135-0x0000000000000000-mapping.dmp
-
memory/2416-132-0x00000000005A0000-0x00000000005DC000-memory.dmp
Filesize: 240KB
-
memory/2416-133-0x00000000005A0000-0x00000000005DC000-memory.dmp
Filesize: 240KB
-
memory/2416-139-0x00000000005A0000-0x00000000005DC000-memory.dmp
Filesize: 240KB
-
memory/3656-152-0x0000000000330000-0x000000000036C000-memory.dmp
Filesize: 240KB
-
memory/3656-144-0x0000000000000000-mapping.dmp
-
memory/4328-134-0x0000000000000000-mapping.dmp
-
memory/5052-137-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5052-147-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5052-141-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5052-140-0x0000000000400000-0x000000000041C000-memory.dmp
Filesize: 112KB
-
memory/5052-136-0x0000000000000000-mapping.dmp
-
memory/5116-160-0x0000000000000000-mapping.dmp
-
memory/5116-168-0x0000000000400000-0x0000000000443000-memory.dmp
Filesize: 268KB
-
memory/5116-161-0x0000000000400000-0x0000000000443000-memory.dmp
Filesize: 268KB
-
memory/5116-164-0x0000000000400000-0x0000000000443000-memory.dmp
Filesize: 268KB
-
memory/5116-165-0x0000000000400000-0x0000000000443000-memory.dmp
Filesize: 268KB