Analysis
max time kernel: 153s
max time network: 154s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 07:48
Static task: static1
Behavioral task: behavioral1
Sample: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
Resource: win10v2004-20220812-en
General
Target: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
Size: 1.4MB
MD5: cc12ec67eab006a43338a10951daa7bb
SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
SSDEEP: 3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH
Malware Config
Signatures
Modifies firewall policy service (2 TTPs, 14 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Modifies security service (2 TTPs, 1 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification (1 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory (1 IoCs)
Processes: winlogon.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Executes dropped EXE (3 IoCs)
Processes: winlogon.exe, winlogon.exe, winlogon.exe
pid | process
2040 | winlogon.exe
1976 | winlogon.exe
528 | winlogon.exe
Sets file execution options in registry (2 TTPs, 64 IoCs)
Processes: winlogon.exe
Processes:
resource | yara_rule
behavioral1/memory/2008-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-59-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-62-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-64-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/2008-76-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1976-88-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/528-89-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/528-93-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/528-94-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/528-98-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1976-99-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/528-100-0x0000000000400000-0x0000000000443000-memory.dmp | upx
Drops startup file (1 IoCs)
Processes: winlogon.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
Loads dropped DLL (2 IoCs)
Processes: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
pid | process
2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Adds Run key to start application (2 TTPs, 4 IoCs)
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext (3 IoCs)
Processes: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe, winlogon.exe, winlogon.exe
description | pid | process | target process
PID 1424 set thread context of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2040 set thread context of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 1976 set thread context of 528 | 1976 | winlogon.exe | winlogon.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel (2 IoCs)
Processes: winlogon.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://3i87q77pe6nq98b.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://3ig4y32sz44u750.directorio-w.com" | winlogon.exe
-
Modifies registry class 24 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: winlogon.exe
pid | process
528 | winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: winlogon.exe
description | pid | process
Token: SeBackupPrivilege | 528 | winlogon.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
Processes: iexplore.exe
pid | process
812 | iexplore.exe
812 | iexplore.exe
812 | iexplore.exe
812 | iexplore.exe
812 | iexplore.exe
812 | iexplore.exe
-
Suspicious use of SetWindowsHookEx 29 IoCs
Processes: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe, winlogon.exe, winlogon.exe, iexplore.exe, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
1976 | winlogon.exe
528 | winlogon.exe
812 | iexplore.exe
812 | iexplore.exe
1764 | IEXPLORE.EXE
1764 | IEXPLORE.EXE
812 | iexplore.exe
812 | iexplore.exe
1748 | IEXPLORE.EXE
1748 | IEXPLORE.EXE
812 | iexplore.exe
812 | iexplore.exe
1392 | IEXPLORE.EXE
1392 | IEXPLORE.EXE
812 | iexplore.exe
812 | iexplore.exe
1220 | IEXPLORE.EXE
1220 | IEXPLORE.EXE
812 | iexplore.exe
812 | iexplore.exe
1764 | IEXPLORE.EXE
1764 | IEXPLORE.EXE
812 | iexplore.exe
812 | iexplore.exe
2360 | IEXPLORE.EXE
2360 | IEXPLORE.EXE
528 | winlogon.exe
528 | winlogon.exe
-
Suspicious use of WriteProcessMemory 57 IoCs
Processes: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe, 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe, winlogon.exe, winlogon.exe, iexplore.exe
description | pid | process | target process
PID 1424 wrote to memory of 1852 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | svchost.exe
PID 1424 wrote to memory of 1852 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | svchost.exe
PID 1424 wrote to memory of 1852 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | svchost.exe
PID 1424 wrote to memory of 1852 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | svchost.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 1424 wrote to memory of 2008 | 1424 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
PID 2008 wrote to memory of 2040 | 2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | winlogon.exe
PID 2008 wrote to memory of 2040 | 2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | winlogon.exe
PID 2008 wrote to memory of 2040 | 2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | winlogon.exe
PID 2008 wrote to memory of 2040 | 2008 | 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe | winlogon.exe
PID 2040 wrote to memory of 960 | 2040 | winlogon.exe | svchost.exe
PID 2040 wrote to memory of 960 | 2040 | winlogon.exe | svchost.exe
PID 2040 wrote to memory of 960 | 2040 | winlogon.exe | svchost.exe
PID 2040 wrote to memory of 960 | 2040 | winlogon.exe | svchost.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 2040 wrote to memory of 1976 | 2040 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 1976 wrote to memory of 528 | 1976 | winlogon.exe | winlogon.exe
PID 812 wrote to memory of 1764 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1764 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1764 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1764 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1748 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1748 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1748 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1748 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1392 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1392 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1392 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1392 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1220 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1220 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1220 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 1220 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 2360 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 2360 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 2360 | 812 | iexplore.exe | IEXPLORE.EXE
PID 812 wrote to memory of 2360 | 812 | iexplore.exe | IEXPLORE.EXE
-
System policy modification 1 TTPs 6 IoCs
Processes: winlogon.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe"
  Depth: 1
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\\svchost.exe
  Depth: 2
- C:\Users\Admin\AppData\Local\Temp\60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece.exe
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\E696D64614\winlogon.exe
  Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
  Depth: 3
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\E696D64614\winlogon.exe
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\E696D64614\winlogon.exe
  Command line: "C:\Users\Admin\E696D64614\winlogon.exe"
  Depth: 5
  - Modifies firewall policy service
  - Modifies security service
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Sets file execution options in registry
  - Drops startup file
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - System policy modification
- C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\\svchost.exe
  Depth: 4
- C:\Windows\system32\wbem\unsecapp.exe
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  Depth: 1
- C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  Depth: 1
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:275457 /prefetch:2
  Depth: 2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:734219 /prefetch:2
  Depth: 2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:668694 /prefetch:2
  Depth: 2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:1061904 /prefetch:2
  Depth: 2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:812 CREDAT:1324057 /prefetch:2
  Depth: 2
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 1KB
  MD5: 79341a72b77d23e92e284c609042d185
  SHA1: abf2442e615b28ac099c688be99b89e6355573c4
  SHA256: 0cd273ef624d3e69706595982ee7b74e4e04a6215365b26e77d140442b099ade
  SHA512: 959810157c0c9af762427aa7810790a82be5a5c28db50c2af64c730aa9bb3e2e8185e88fb5a5812a32f88aeabfaa411c0eba237f7dfd862932223c307c219bf3
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 472B
  MD5: 76544babbcf6515110bd81aaee8e7e63
  SHA1: 043497692868c67ac84cdfe70d0a484517abd1c2
  SHA256: a19d5958d683662375a2469d1d7e551188469b967eb6f2bae2d5e43dac51a4f0
  SHA512: a23198710b8898b9fe8f9d62841567995b30be60938ebba2a3aad94c4dc7687d5e5d188f3388f939d27833e44a9aec275cdadc815e01d6ce32ae3b9b07d4a561
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 1KB
  MD5: b8914a9f1a906f927cccce6ced9b2d0a
  SHA1: 416b18e429e5666f291b0b1c2a027540ccac9d98
  SHA256: 368fea95d9e90df28a6bfddc6b5a4541a082e521f28dca1fda3c0451926fa10d
  SHA512: c182123030362c722735903641739a02f42a625f0a0080495b99a70150bbfb5e7a81cb6c88a0bf21b5547308621e1b487947298c8c5ab302b94a7e4bb72190d7
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
  Filesize: 61KB
  MD5: 3dcf580a93972319e82cafbc047d34d5
  SHA1: 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
  SHA256: 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
  SHA512: 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 1KB
  MD5: d416222752f135ed236e638a9446d727
  SHA1: 705876fb8232b28d61bc23d3a48a42ad293106ed
  SHA256: d86e5758fb2d4f5cb0ea9be687e11c7056f094dc24a445971c75e23b97e8d24b
  SHA512: 25f495232f2f28d41335eaed9a400af4e2942b0d25997b171b9ea9d06a42ebe316a7456d5b08814b47ab924f2f4db0ccad6726a8c62382fa1d3c004e56bcb555
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 724B
  MD5: f569e1d183b84e8078dc456192127536
  SHA1: 30c537463eed902925300dd07a87d820a713753f
  SHA256: 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
  SHA512: 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 1KB
  MD5: a266bb7dcc38a562631361bbf61dd11b
  SHA1: 3b1efd3a66ea28b16697394703a72ca340a05bd5
  SHA256: df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
  SHA512: 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
  Filesize: 410B
  MD5: bb649aaffa55cfcfbbdc8aaa0df71a7c
  SHA1: 80c27ae299b7ebc0b24ed93ba20d6f0f0a8627d2
  SHA256: 1182806843382b5cc87aa231128fb2c5c7c21a3bbff91b0e0d5b4ad06287fda1
  SHA512: 255322c29347c6908f0e95c08ee5b98eccfba05b762d18a51b1b2b83987fa94bbf8062d6d9872f5c326e7b959812b24f13d2d38090b5b160747c3da9bb025b3f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
  Filesize: 402B
  MD5: a1ed665516bf20bcb8f6a6f14287efd7
  SHA1: a75ce54fec86dfbbb4a9e06918ee548536d3344b
  SHA256: 7132e7605ee8ba3ba831435dd3c24296bdc23144dd6a1a1ead7395cbe6b99069
  SHA512: 457b4c947b521a4656156ee63cdc3df709e1341e2074f615e5ac5ba574965ae0aacb74ed2931b344394b5b0ceba025af9b8f537dd34e58d3138e786e0e611d03
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
  Filesize: 466B
  MD5: 27fa89a476e8243dcb56a973724561ee
  SHA1: 85136ed254ab25a1c4254de0b60a1fed7ddccec1
  SHA256: 85a9c3b346ccd2fa1a69710ef3a3e41389d204d62d394f2834618b46acbb4627
  SHA512: df85e02f5ead43ba8439cd997e57d8e40b399fa087c2f5ca131d341a4de400c9fe0d40a0ba7d24d6fd47a138cc6e04976871901d7506901096657cc7ed1716ad
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 46b1b30fdbf8686dab6ae7e49b9ff1c0
  SHA1: ff4c641c287f444190d0a78c407e7731c2e99769
  SHA256: 02df2a3276b2946648d4b4e0ae7fa627398e27c32d6d2ec16d3fc7879f31276d
  SHA512: 2a8c2f5017b159bb8a42d4691ed1be6c1a580a69bc208002bec30e6b3a75c0ebf8c214e33e73cfb44e8fa8c8d6383b8355c785e867b6669f818073a594334c87
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a05342a1e4c0e7aafe27e73cdedd54bb
  SHA1: 4338d977a68abd34fbac4c027e067e7e80f14a62
  SHA256: 9dd1f70dd60793de846ef12a5445441f7458e0519556ad89b881aaeaf3896afb
  SHA512: 1d7fe30d3aeb2ec17fbdc706df2945a2426ddd33bb9bc22cbb694599d4e7511815bff56162e73940ac2bddac9bc882828f36800abcf1dfcfb395ab80d912f1a6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3b2c4584edc1db75a24a8aa179045b92
  SHA1: c5ce878b45ed6b5927c412704245cc60ef304ad6
  SHA256: a903a6bfde7ff936d6e6d8bc2585c96b1c458be34a2a43161ba9ca85cd4c6745
  SHA512: 033c174972f6c4e2b9b92a58d036326a806f98a76d079cf47ee36b46ba2ab0d00b0b63eb88388bbc43333970971ad517f8730518cb5530c1d06c51b02c02ed6d
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: ab8537027342bfe60ae2c7852dbbf9d8
  SHA1: f36a3029e8cc51c36b4ae4456725b62ca9452689
  SHA256: fb009dd8f9ae53812da1903fdb94c880ab2f6ad2592fe463dd777316feec19f4
  SHA512: 038e73f63a326140d3dc80d49203b6ef8706c110ff4d00fdd224450c6d735dc95fa70c8e5ea0061430f6ebe48969761002eef35c4c7774f86b003e28a06733b0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bcca18c14c1b5e8e5d21350ce4363db2
  SHA1: 00bdc6fc14bc851a864351c95e64be6e3cf966a4
  SHA256: 9455c727cfbcb319a12cb98c965c3e328f22a4c88fb7fbd8eea57366e475f130
  SHA512: 61bb304ae8a99d489167ca3f4e1bc6b0a76ef6635ca30c946e36e5254504d115a26ad37976f055f85790c639a48ccca3072d5475cb4924f9e37489a5b07518db
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bcca18c14c1b5e8e5d21350ce4363db2
  SHA1: 00bdc6fc14bc851a864351c95e64be6e3cf966a4
  SHA256: 9455c727cfbcb319a12cb98c965c3e328f22a4c88fb7fbd8eea57366e475f130
  SHA512: 61bb304ae8a99d489167ca3f4e1bc6b0a76ef6635ca30c946e36e5254504d115a26ad37976f055f85790c639a48ccca3072d5475cb4924f9e37489a5b07518db
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 49922a2579e01037820785cd302ceaaa
  SHA1: 3e3b1171cce3418b941a1670c5cf53687184e76c
  SHA256: e1fd64937c3c120ed376845f780c89357f7341240be8fd49aca5684047496501
  SHA512: 38a6b1294100a86accba62feaf48298f2848e9b32b6b3c9108a2b89c707989972cddb87cb89d5cdbb09aed6ee9d488beb263f7be022d109afdeb5f7dce0ec9c0
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 36d95ff53d36912674eb742c3d52f2b0
  SHA1: 76eae24b152e33aabf5f077555b9595da4c42458
  SHA256: c0dab6eb1816001964691bd78d4dff56d9cfa41fd2d2fd653e55ef4fcf0c8f9b
  SHA512: a0180bdbebb27188c66f31392ffef18733b0b6a6a30d3a0f11798832d8695fde06371a9892d207762b65ba576c1c450ecffe0a914fc58083df3a3c19a4dd339c
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
  Filesize: 470B
  MD5: 387c9162b83bd8bc4481808a46b7da9d
  SHA1: f9024926c16f94c71bd35942d124c5e8012f62c1
  SHA256: 9ff9415babd6a776217ac80d319545b17a3fd947434914592afd7d7197948b70
  SHA512: f25a7170370f77b6d0626aa623034d473ddd18c26bfed123f8fab2b692a4a8340c66853bc594343bb7fc8ff9a7798a62079cf9110064e5f9e1f122155c4a8c2a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
  Filesize: 392B
  MD5: 7226036bd78fb5483947c3e494a1e55e
  SHA1: 3e6baa12567496c52d5472cdf99184d2db981a15
  SHA256: ae024c139a242b938338ab68f0218337dac37cfe1e97a1e9520019124316d60d
  SHA512: 0eb2f45238cf715594922cd1f303f34093e5329c78fee24ccedbdfd14cb868a4f4f68be28c1fc814e0597ecdf195659e2e166bd07a5be05d013505394fe06e3a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
  Filesize: 242B
  MD5: d6d2bf51979c9a35ebc929aedf5583d1
  SHA1: 8d968e0210fab884ddd3f4bde585d1142727d908
  SHA256: 873da10ac90cd33063a768b19edd1306ded9b88b6b60f8b5f4c477a21614ab81
  SHA512: 30a05f4ea4c4f3e121d0aa0f8f0587d4cad806d3c1a0c754d528fa9b4c2eaf30446c789e6d3761abe0836004e7ce59805558e67fafea8be0291714c67a15ff1e
- C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\712M22PI\www6.buscaid[1].xml
  Filesize: 13B
  MD5: c1ddea3ef6bbef3e7060a1a9ad89e4c5
  SHA1: 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
  SHA256: b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
  SHA512: 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\M1HJWZ9U.txt
  Filesize: 601B
  MD5: c71fefc576c79e9cb6a0df7d9ed96767
  SHA1: 30368077abf53de358916762ffcd540cbb9f988e
  SHA256: e0b96a583952cf3847d01dcec8e8137be90e5ef660bbf8abc3c400b19cf697c0
  SHA512: 3cedc1043819eb7008d101cf6c5595d02cc2989f1fb5833234bb0e8439d03c9e52b23b324a75e86f8bb4abe889ee9f243ad16349b6fa66d697a487d0fbf2e44f
- C:\Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- C:\Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- C:\Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- C:\Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- \Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- \Users\Admin\E696D64614\winlogon.exe
  Filesize: 1.4MB
  MD5: cc12ec67eab006a43338a10951daa7bb
  SHA1: 72ef2f5b4572d1efa8d7c0f29be89e4873e8c541
  SHA256: 60fc6ebe7a7c8c1b44977f169e4dfa9a36aae132a3406dd5f4ca298b1e15bece
  SHA512: 24136b20415c05eda8ec8efdd75ae3c5b046f8163b93085d19929a4f02178ee88595432d39ceeb6d2db08d6e35a8322c676c6212f7eeb9c5a905ab43cf8bccac
- memory/528-98-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/528-93-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/528-90-0x0000000000441740-mapping.dmp
- memory/528-89-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/528-94-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/528-100-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/528-124-0x0000000003B50000-0x0000000004BB2000-memory.dmp
  Filesize: 16.4MB
- memory/960-72-0x0000000000000000-mapping.dmp
- memory/1852-54-0x0000000000000000-mapping.dmp
- memory/1976-88-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/1976-80-0x000000000041ABB0-mapping.dmp
- memory/1976-99-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-76-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-67-0x0000000076151000-0x0000000076153000-memory.dmp
  Filesize: 8KB
- memory/2008-63-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-64-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-62-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-60-0x000000000041ABB0-mapping.dmp
- memory/2008-59-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-58-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-56-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2008-55-0x0000000000400000-0x000000000041C000-memory.dmp
  Filesize: 112KB
- memory/2040-70-0x0000000000000000-mapping.dmp