c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

Analysis

max time kernel
151s
max time network
176s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
26-11-2022 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe
Size

1.2MB
MD5

c1dcd7f3def2daf60560daa4409a2621
SHA1

feed6679381752d1a9857877a057470c35eba4ea
SHA256

c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb
SHA512

66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84
SSDEEP

3072:OwHl/Gnrl2wGELlyzXq4D2N3v5FQLffCv7oVJNpUpnrT8vp:tB4rlryzIFQLfqvsPfSUv

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 4 IoCs

pid	Process
1980	winlogon.exe
960	winlogon.exe
1972	winlogon.exe
1984	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bs120.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshelp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcupdate.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin97.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieDcomLaunch.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmoon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vccmserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zatutor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titanin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntxconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fslaunch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	winlogon.exe

UPX packed file 21 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1016-54-0x0000000001280000-0x00000000012BC000-memory.dmp	upx
behavioral1/memory/2036-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1016-58-0x0000000001280000-0x00000000012BC000-memory.dmp	upx
behavioral1/memory/2036-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2036-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00090000000139f7-65.dat	upx
behavioral1/files/0x00090000000139f7-66.dat	upx
behavioral1/files/0x00090000000139f7-69.dat	upx
behavioral1/files/0x00090000000139f7-71.dat	upx
behavioral1/memory/960-72-0x00000000000B0000-0x00000000000EC000-memory.dmp	upx
behavioral1/memory/2036-75-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1980-77-0x00000000000B0000-0x00000000000EC000-memory.dmp	upx
behavioral1/memory/2036-79-0x0000000001280000-0x00000000012BC000-memory.dmp	upx
behavioral1/files/0x00090000000139f7-76.dat	upx
behavioral1/files/0x00090000000139f7-68.dat	upx
behavioral1/memory/1984-84-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x00090000000139f7-86.dat	upx
behavioral1/memory/1984-89-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1984-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1972-94-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1984-95-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe
2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1980 set thread context of 1972	1980	winlogon.exe	31
PID 1972 set thread context of 1984	1972	winlogon.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://wcnp0qyu7s2whk7.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://ta6qctnre77wzgo.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://8eqdit7q9xpf260.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://cdz4ru2pbp7f127.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5d8a1c05384874cb3585960e7b2cd3f000000000200000000001066000000010000200000008787dd5690390923aa87375c64dbeb12744942197dcd22a322711c75efd72fc0000000000e800000000200002000000047c63e2cbbaea44e526a8d7616202575c575998517486a0994d4447e2e84f8cf20000000d1a921d941d831c1202711f84b10c23b650ebff7f3d4053a0b7489c6dd969821400000006890d16cf4868360101d5403cc1ed6bc07e13da1a342ccd395d25f04b5b7d0e33eae7a6014665f5148b45a25e910a44c1f7fb3831924a6f4bf4f5c76bf80d9dd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{63E139D1-6E71-11ED-BD9E-FAB5137186BE} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c5d8a1c05384874cb3585960e7b2cd3f0000000002000000000010660000000100002000000079074f9c5e64f6fc820ec790163c37c36c5c91d0dbd9ab1ce914e7d0ce348e6a000000000e80000000020000200000002b3489e3b2a7002725af0c349e66ccc60dd5fcd028742e64c2468f2a1267ff0b90000000a195b099c076d77778fed37788698c25f5a39e35ea19487e632ee1d08c46075f37ea6990c387193f99901d196120e50faca10f5ee367565abd22e434489bd6aadefc040854da0d24d5461d2c83b2f2f7f504ceca16e1fef442cd147d62301d336020b9fbc9302c4fc34dd40c4de8bab5245e360d07327f49d3897eef08c984a9911c60e2c6838400c54b27c5a91d02c940000000654bc281e2b130dcd05eb9024a9ff8a43f09b5da76cb3560414f55a666ad73191558aeac2492763744ce4de923037d6d624db43d7f1446ff258d4efd5b10ccf7	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://yknpkris309o8e7.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376331868"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://kx8e2c2q4c8i05k.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0a1e73f7e02d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://iab49992arh3jkt.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://45n8a0r1ab264bd.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://p88y46v31051vi8.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://g16d88001yvfcon.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1984	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1984	winlogon.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
304	iexplore.exe
304	iexplore.exe
304	iexplore.exe
304	iexplore.exe
304	iexplore.exe
304	iexplore.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe
1972	winlogon.exe
1984	winlogon.exe
304	iexplore.exe
304	iexplore.exe
1016	IEXPLORE.EXE
1016	IEXPLORE.EXE
304	iexplore.exe
304	iexplore.exe
1208	IEXPLORE.EXE
1208	IEXPLORE.EXE
304	iexplore.exe
304	iexplore.exe
876	IEXPLORE.EXE
876	IEXPLORE.EXE
304	iexplore.exe
304	iexplore.exe
2204	IEXPLORE.EXE
2204	IEXPLORE.EXE
304	iexplore.exe
304	iexplore.exe
1016	IEXPLORE.EXE
1016	IEXPLORE.EXE
304	iexplore.exe
304	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 1804	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	27
PID 1016 wrote to memory of 1804	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	27
PID 1016 wrote to memory of 1804	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	27
PID 1016 wrote to memory of 1804	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	27
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 1016 wrote to memory of 2036	1016	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	28
PID 2036 wrote to memory of 1980	2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	29
PID 2036 wrote to memory of 1980	2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	29
PID 2036 wrote to memory of 1980	2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	29
PID 2036 wrote to memory of 1980	2036	c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe	29
PID 1980 wrote to memory of 1208	1980	winlogon.exe	30
PID 1980 wrote to memory of 1208	1980	winlogon.exe	30
PID 1980 wrote to memory of 1208	1980	winlogon.exe	30
PID 1980 wrote to memory of 1208	1980	winlogon.exe	30
PID 1980 wrote to memory of 960	1980	winlogon.exe	32
PID 1980 wrote to memory of 960	1980	winlogon.exe	32
PID 1980 wrote to memory of 960	1980	winlogon.exe	32
PID 1980 wrote to memory of 960	1980	winlogon.exe	32
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1980 wrote to memory of 1972	1980	winlogon.exe	31
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 1972 wrote to memory of 1984	1972	winlogon.exe	33
PID 304 wrote to memory of 1016	304	iexplore.exe	39
PID 304 wrote to memory of 1016	304	iexplore.exe	39
PID 304 wrote to memory of 1016	304	iexplore.exe	39
PID 304 wrote to memory of 1016	304	iexplore.exe	39
PID 304 wrote to memory of 1208	304	iexplore.exe	42
PID 304 wrote to memory of 1208	304	iexplore.exe	42
PID 304 wrote to memory of 1208	304	iexplore.exe	42
PID 304 wrote to memory of 1208	304	iexplore.exe	42
PID 304 wrote to memory of 876	304	iexplore.exe	44
PID 304 wrote to memory of 876	304	iexplore.exe	44
PID 304 wrote to memory of 876	304	iexplore.exe	44
PID 304 wrote to memory of 876	304	iexplore.exe	44
PID 304 wrote to memory of 2204	304	iexplore.exe	46
PID 304 wrote to memory of 2204	304	iexplore.exe	46
PID 304 wrote to memory of 2204	304	iexplore.exe	46
PID 304 wrote to memory of 2204	304	iexplore.exe	46
PID 304 wrote to memory of 2624	304	iexplore.exe	48
PID 304 wrote to memory of 2624	304	iexplore.exe	48
PID 304 wrote to memory of 2624	304	iexplore.exe	48
PID 304 wrote to memory of 2624	304	iexplore.exe	48

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe
"C:\Users\Admin\AppData\Local\Temp\c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1208
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1984
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      PID:960

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1312

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:304
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1016
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:799755 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1208
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:865304 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:1061902 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2204
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:304 CREDAT:1520661 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
d01f6845062b8f1cb3ef9fb108c16755

SHA1
0743777e9ebf074330b32dba956a8fbaf1dc4a9a

SHA256
bf61698a982c8c89bfb36fe0d63ce8890de405af4f30ff2c017f3190d48e9a06

SHA512
3b81b9062ea3c2f0240cbc60f800c0aaf495a053385b1b086436c2859cfc622384f60aad9ec287ac93b11fda461246882d3c282dc88be6c474def823a4d6e521

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
9f6cc8d3fe9092a6d3901e873a87fd87

SHA1
2e0aac117a4cc57596efb3d6f6624c269f94b031

SHA256
e73982e62b92abac3d15b161f4525448cc2bc8b9bacefdcbfc6f87b74ec372e4

SHA512
9736a099967d7ad595439768e45c633ff7d34de92f7cb0c19cd3d4590c4a6dd4fedfcd1b5617c81652e61f4ffe919057507f622f4c6d8d626cfc40234ad2c757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
993614098803429208a7beacf874b277

SHA1
4aac1b194d1d0523224804e1a415e18248bd6ae6

SHA256
4658f2ba3c631a0203558b3feab08757b6bd7f66acec8f10c3e02982b006f6ce

SHA512
48b20b42a4069641ecd45c1ccef9275110a0db02e5d306434611b57e4e72266a7e8f841e61bea1ed96af3c67b917fc23f45a9946212a99291a728d5e0973feb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
2729b3dc45f5c3549781096d2f953abf

SHA1
db954efe7c9e9948d579a44efbcad78a8720dffd

SHA256
12a0607343d847606b3fac170a80c5f64ce70457e1a54fe6a245411b6ddc8593

SHA512
108b6a338f4043cfef8da285c7135924b20edef5d9740bac2e7396775b0abf81339c95da9400042486afea6bbf39c0455f2b3ddcc65f7ab050e4988ff45ecba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f5b497d5a984ec337bdda6cd508af858

SHA1
bb1de9f86c1b6d024df7a413ac332b1b8704dd72

SHA256
2fb6a117b4d91d804d0fe1dbe13732fe7a576e4d74a648621be664fb35e6e8cf

SHA512
638c776909e1ad6400db597575f0c3fd01c38b0cab883380c53d10ef764b61a35c117e1793b1a24b30ac2671cf30b20ffe15d410144f27bd580b9e2c430e2939

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
cd9437063b2f6098671dc2e2cb8f0a37

SHA1
a1db2b6fb157dab4ae97f71f59b3e82169318f60

SHA256
968c9ba8ad4a8fe4322369988341274999d99069237c22960a98b1efb7744479

SHA512
d4216744ccad02551ea3454d764019aaae1dc88a0089801fa2e96e643aa08c86c136ea9576b7b8e2d89de6047ef7e5b5ac8bff867ef1c39979183db49933d8a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
942bbc05eb7acab2708cb18cf700203f

SHA1
784805d458d6a76c670d1f305948824dc23fa6de

SHA256
1d685337521ca460c8b6bad192d2630677ecaed1d82a60fae5ed7f8702439988

SHA512
d7122a2bcefa1c6f42b827a8a8acc64e00f7dcdf7b0fa65f89c9530fd5308c1f24cbfc017e59315d74b4c2dac1bb4a2363b49cde935d1184e3b4bdad22ce5ea7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d239e32448e1374ce4be532fa532e7c0

SHA1
1b641bd23601986eb72ec12c9e5aa68244706d6b

SHA256
135680255540ed889591e23cceccae6641935b4c7d33c444f43fcb7ef236741e

SHA512
b9f90597d5182967f43d7d2de9a174f8debbb279d825ac8c86f1dc81262482c6d390a85ed85d3bd437e115a617a398c8c1f6c7c8a8a7925d96825733053422b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9f2707234c02608737187d7c16b135e

SHA1
9fa8bddefe1d09c7df4467983b21327f2b4d9875

SHA256
87d0673ff8596864c904e4271dcd69d915081958b05fc8893614dcf7a366f8ab

SHA512
650a6ba4c5a03a8701d65a1eda9a6c6397804e91322625cb032cb0d90e27226c5e74f80e4e9fc30ceffdbb9946668eacaa62d507ebd6ac5b265f2dd047204411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d221d616d08795fd2879d12717c30cb

SHA1
f72f81414ad2331cd86a89fc970b8c1b1d66632c

SHA256
fceb4a8d8e318d2ae49c238c22b95931d55b1ce82232b285e346a3bd82b74b0b

SHA512
ae2172f72e988599177e4899e1cd44b2cf4d45cefa57b2db867bec87158aa217b521fa1232bebeec8bdf8c6502d06891818d7d2fa8180dde4e661cdeff4a3204

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b177ab3ab3a60d2e6bf3cf7eec9cf70

SHA1
aa2e052d4c42cf3c67030deaeb3fda6504c598a7

SHA256
7eba3e7486bb6c9bcfbb439244dcd0ba225e412d27c860a007c4ee679603d676

SHA512
cd7ea97a90fed2b67c2079395edee0f866aa137b01685ce1144922458e0fbc08277d235944fce2d0769ca87a8bf10a507718b9d5e0b035904e4fcc4bf7f60e20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
235a75efc44d1c2cc96a96ce27846d3b

SHA1
65d596ebac5c52520fab7af9007b0a818abb1dbc

SHA256
a23d81aea1e8751147ca8178b1fda71310b1e86d79f7c6563008da29f8bcb309

SHA512
73973c6e7f00519bcf81400a13844c5cf4a7e1efa2abcd29c5ed7cecd9fc5f593cc02dc0766def67989d6736074a269a4840a250c8e870e2317dde13ff6095cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a719b0e30d2a5683950678b9a902eab

SHA1
d2c61a9200e3f94412711c498800cc8b98a3764d

SHA256
8420812d1ca679a3df878a472c11ecfc4ac5c3e98776c11bf4a1481c1842dc96

SHA512
bf77a7852f4f6893debedab0ab65b39a08a774d24d67166a6b6ab0e91cc80880bb27cdd820a1a277f186749e25ff217e6382acc1f930d438b41bc6dd65da09f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a005fafba0ec925fc167fa269b5a3ec

SHA1
63302101d00214aeb5de071a58ee1836ac98fbf1

SHA256
876ef01ee3f543519ceb5b19f565e593ba06e5245fc47a4fb9c1e0dfceffa8c8

SHA512
ed2c02425ce924f2250241c704f776658b5361b6b213fb21dab3d8214e5b6b0d780dfc4217121b899534c913c6ce00dd6f6387a0fe87eadd7b979837f6aba242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62d2aa048833052194bd03ac09245131

SHA1
57399034a6755ebbde3b2f690b292cf41efb0192

SHA256
addcded8b6aeac8963e6d2237e25f07b382f68ca62945e885e089114995baa1d

SHA512
a76a2f58c9e592c4ab2fac24ccb742bb67191ddfc55d419b0c594f2414c39a07345a5deb60d962687f1f90c0c37eb156c48d97af9196f3fe63a7579f3a295342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
7d22b558fee1d987e3c4d25533ce15ae

SHA1
15abe773163c65a83d5526a8af8613140d7add46

SHA256
988a94642661fb3de9c464a78193ed89ed355557dbd510720045a358fc681027

SHA512
edc394d9775081f09ae93139ff03bd2ee848fe05511e5503f8c74b759041cfb84dc94411954c316ccdcc42b99e14fa7500c746cb2982728b965faf4419065d8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
a70c97f61e5b57eeb8ad4d0c840c10c7

SHA1
8b5c9f53bdf7596e98db951cc619e3b32acc15a8

SHA256
e9efb49f8b1b5f1d0c5b94afbb1ec8a613f140bb528cd7e892ab1d771ce171e1

SHA512
0edee3cab565edbfa11df95203b0c562641f83608d4498ccd754831804884ace4585aec08f381d4887643e36efc184d1cffba9ce05550ac7c924065eb225441f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
c978b772224e79be196ab6b33a755616

SHA1
e8034a13e7320d0c155e672b9eb942632fa9ae5f

SHA256
2375af31e3797d95d407107f66e1481bb332ecf8d082693a70529ea205b407a0

SHA512
f8965c632cf7d8cc88a4cbe08098fc3f8bbef7e3c8fdf6ec05d4ba62985ff3c9523735a011f0197914b843bd0279b2c32b311670f71860f4cf96babba9f031bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JK7MEOIT\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NFLQS9JC.txt

Filesize
608B

MD5
8fc91c0bd8912e32e5584b3bd0c60566

SHA1
f1fb049b0b9cb908f04d2ff91b4bc0ab3527b3b9

SHA256
a2ea2db85b37a58a58322ae615b34ee0ec316d076a178b46f60467f232c1f201

SHA512
76efc7003e16a68935c54aebc122b149e216f5090561e2eeb5e7a8c5b6cf8aa44e5015398a8f1a8dd39049a73415ea93e7506c2dbb3fb1493637a81403ea2323

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
c1dcd7f3def2daf60560daa4409a2621

SHA1
feed6679381752d1a9857877a057470c35eba4ea

SHA256
c270160d8254b84bd6764c519dab824090f54cd29c69fa68f097f20278f846cb

SHA512
66eaa2fa4bf3271584bb8ee22d1f04ca0c1653b0b3d42f922f1fcebdca2614879f8294e8d42083fc857c7ea7284a129f5049bd4f66a242ce5979b28770fd7f84

Download Submit
memory/960-72-0x00000000000B0000-0x00000000000EC000-memory.dmp

Filesize
240KB

Download
memory/1016-58-0x0000000001280000-0x00000000012BC000-memory.dmp

Filesize
240KB

Download
memory/1016-54-0x0000000001280000-0x00000000012BC000-memory.dmp

Filesize
240KB

Download
memory/1208-70-0x0000000000000000-mapping.dmp

Download
memory/1804-55-0x0000000000000000-mapping.dmp

Download
memory/1972-74-0x000000000041AA70-mapping.dmp

Download
memory/1972-94-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1980-77-0x00000000000B0000-0x00000000000EC000-memory.dmp

Filesize
240KB

Download
memory/1980-67-0x0000000000000000-mapping.dmp

Download
memory/1984-84-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-85-0x0000000000441670-mapping.dmp

Download
memory/1984-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1984-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2036-75-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-64-0x0000000075F51000-0x0000000075F53000-memory.dmp

Filesize
8KB

Download
memory/2036-57-0x000000000041AA70-mapping.dmp

Download
memory/2036-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2036-79-0x0000000001280000-0x00000000012BC000-memory.dmp

Filesize
240KB

Download