Analysis
max time kernel: 150s
max time network: 150s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2022, 14:42
Static task: static1

Behavioral task: behavioral1
Sample: f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Resource: win10v2004-20221111-en
General
Target: f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
Size: 488KB
MD5: e0968638796261d3bd533c7f452095c0
SHA1: 60b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256: f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512: e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
SSDEEP: 12288:Y+j2RX5IOHj2XY0uo7vKzB1/xmXke2ovXtf0RS2w3CD9:Y+jS5IOD2I0h7v0B1/Wke2atf0ZwyD
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in Visual Basic.

ISR Stealer payload 22 IoCs
resource | yara_rule
behavioral1/memory/1680-65-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1680-69-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1680-71-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/1680-87-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1680-110-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1992-126-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/1992-136-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1992-165-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1992-169-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/780-184-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/780-190-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/780-211-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/364-230-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/364-239-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/364-280-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1292-295-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/1292-309-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1292-335-0x0000000000400000-0x0000000000454000-memory.dmp | family_isrstealer
behavioral1/memory/1752-351-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/516-394-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/1892-440-0x0000000000401180-mapping.dmp | family_isrstealer
behavioral1/memory/852-483-0x0000000000401180-mapping.dmp | family_isrstealer
Modifies firewall policy service 2 TTPs 27 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
NirSoft MailPassView 9 IoCs
Password recovery tool for various email clients
resource | yara_rule
behavioral1/memory/1168-107-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1168-108-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1652-162-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1652-164-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/2004-206-0x000000000041C410-mapping.dmp | MailPassView
behavioral1/memory/2004-213-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/892-276-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/892-277-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView
behavioral1/memory/1516-333-0x0000000000400000-0x000000000041F000-memory.dmp | MailPassView

Nirsoft 9 IoCs
resource | yara_rule
behavioral1/memory/1168-107-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1168-108-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1652-162-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1652-164-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/2004-206-0x000000000041C410-mapping.dmp | Nirsoft
behavioral1/memory/2004-213-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/892-276-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/892-277-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
behavioral1/memory/1516-333-0x0000000000400000-0x000000000041F000-memory.dmp | Nirsoft
Executes dropped EXE 44 IoCs
pid | Process
676 | winlogon.exe
1680 | winlogon.exe
580 | csrss.exe
1076 | winlogon.exe
1168 | winlogon.exe
1780 | winlogon.exe
1992 | winlogon.exe
1600 | csrss.exe
1756 | winlogon.exe
1652 | winlogon.exe
1892 | winlogon.exe
780 | winlogon.exe
1124 | csrss.exe
1924 | winlogon.exe
2004 | winlogon.exe
856 | winlogon.exe
364 | winlogon.exe
1560 | csrss.exe
1544 | winlogon.exe
892 | winlogon.exe
1992 | winlogon.exe
1292 | winlogon.exe
1892 | csrss.exe
580 | winlogon.exe
1516 | winlogon.exe
1928 | winlogon.exe
1752 | winlogon.exe
1676 | csrss.exe
1912 | winlogon.exe
1900 | winlogon.exe
1412 | winlogon.exe
516 | winlogon.exe
1444 | csrss.exe
1944 | winlogon.exe
1904 | winlogon.exe
304 | winlogon.exe
1892 | winlogon.exe
1748 | csrss.exe
428 | winlogon.exe
1088 | winlogon.exe
1116 | winlogon.exe
852 | winlogon.exe
840 | csrss.exe
876 | winlogon.exe

resource | yara_rule
behavioral1/memory/1680-77-0x0000000002B60000-0x0000000003BEE000-memory.dmp | upx
behavioral1/memory/1680-88-0x0000000002B60000-0x0000000003BEE000-memory.dmp | upx
behavioral1/memory/1076-91-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1076-96-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1076-97-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1076-98-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1076-99-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1168-101-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1168-106-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1168-107-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1168-108-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1680-111-0x0000000002B60000-0x0000000003BEE000-memory.dmp | upx
behavioral1/memory/1992-131-0x0000000002920000-0x00000000039AE000-memory.dmp | upx
behavioral1/memory/1992-140-0x0000000002920000-0x00000000039AE000-memory.dmp | upx
behavioral1/memory/1756-152-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1652-161-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1652-162-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1992-163-0x0000000002920000-0x00000000039AE000-memory.dmp | upx
behavioral1/memory/1652-164-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/1992-168-0x0000000002920000-0x00000000039AE000-memory.dmp | upx
behavioral1/memory/780-201-0x0000000002A10000-0x0000000003A9E000-memory.dmp | upx
behavioral1/memory/2004-213-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/780-214-0x0000000002A10000-0x0000000003A9E000-memory.dmp | upx
behavioral1/memory/364-243-0x00000000029B0000-0x0000000003A3E000-memory.dmp | upx
behavioral1/memory/1544-256-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/892-276-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/892-277-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral1/memory/364-279-0x00000000029B0000-0x0000000003A3E000-memory.dmp | upx
behavioral1/memory/1292-317-0x00000000028F0000-0x000000000397E000-memory.dmp | upx
behavioral1/memory/580-320-0x0000000000400000-0x0000000000453000-memory.dmp | upx
behavioral1/memory/1516-333-0x0000000000400000-0x000000000041F000-memory.dmp | upx
Deletes itself 1 IoCs
pid | Process
1992 | winlogon.exe

Loads dropped DLL 20 IoCs
pid | Process
1444 | f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
1444 | f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe
676 | winlogon.exe
676 | winlogon.exe
580 | csrss.exe
1780 | winlogon.exe
1600 | csrss.exe
1892 | winlogon.exe
1124 | csrss.exe
856 | winlogon.exe
1560 | csrss.exe
1992 | winlogon.exe
1892 | csrss.exe
1928 | winlogon.exe
1676 | csrss.exe
1412 | winlogon.exe
1444 | csrss.exe
304 | winlogon.exe
1748 | csrss.exe
1116 | winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Accesses Microsoft Outlook accounts 1 TTPs 8 IoCs
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Key opened | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | winlogon.exe
Adds Run key to start application 2 TTPs 18 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = 
"C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe Set value (str) \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\SubFolder\\SubFolder\\winlogon.exe" winlogon.exe -
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe (entry repeated 9 times)
Enumerates connected drives 3 TTPs 40 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\M: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\J: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\K: | winlogon.exe
File opened (read-only) | \??\L: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\I: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\H: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
File opened (read-only) | \??\F: | winlogon.exe
File opened (read-only) | \??\E: | winlogon.exe
File opened (read-only) | \??\G: | winlogon.exe
Suspicious use of SetThreadContext 26 IoCs
description | pid | Process | procid_target
PID 676 set thread context of 1680 | 676 | winlogon.exe | 28
PID 1680 set thread context of 1076 | 1680 | winlogon.exe | 30
PID 1680 set thread context of 1168 | 1680 | winlogon.exe | 31
PID 1780 set thread context of 1992 | 1780 | winlogon.exe | 33
PID 1992 set thread context of 1756 | 1992 | winlogon.exe | 35
PID 1992 set thread context of 1652 | 1992 | winlogon.exe | 38
PID 1892 set thread context of 780 | 1892 | winlogon.exe | 40
PID 780 set thread context of 1924 | 780 | winlogon.exe | 42
PID 780 set thread context of 2004 | 780 | winlogon.exe | 43
PID 856 set thread context of 364 | 856 | winlogon.exe | 45
PID 364 set thread context of 1544 | 364 | winlogon.exe | 47
PID 364 set thread context of 892 | 364 | winlogon.exe | 48
PID 1992 set thread context of 1292 | 1992 | winlogon.exe | 51
PID 1292 set thread context of 580 | 1292 | winlogon.exe | 53
PID 1292 set thread context of 1516 | 1292 | winlogon.exe | 54
PID 1928 set thread context of 1752 | 1928 | winlogon.exe | 57
PID 1752 set thread context of 1912 | 1752 | winlogon.exe | 59
PID 1752 set thread context of 1900 | 1752 | winlogon.exe | 60
PID 1412 set thread context of 516 | 1412 | winlogon.exe | 63
PID 516 set thread context of 1944 | 516 | winlogon.exe | 65
PID 516 set thread context of 1904 | 516 | winlogon.exe | 66
PID 304 set thread context of 1892 | 304 | winlogon.exe | 69
PID 1892 set thread context of 428 | 1892 | winlogon.exe | 71
PID 1892 set thread context of 1088 | 1892 | winlogon.exe | 72
PID 1116 set thread context of 852 | 1116 | winlogon.exe | 74
PID 852 set thread context of 876 | 852 | winlogon.exe | 76
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | winlogon.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies system certificate store
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1
b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 winlogon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 winlogon.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 
040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff04040302
0106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e winlogon.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1680 | winlogon.exe
580 | csrss.exe (entry repeated)
1680 | winlogon.exe
580 | csrss.exe (entry repeated)
1992 | winlogon.exe
1600 | csrss.exe (entry repeated 12 times)
Suspicious use of AdjustPrivilegeToken 30 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1680 | winlogon.exe (entry repeated 20 times)
Token: SeDebugPrivilege | 580 | csrss.exe
Token: SeDebugPrivilege | 1680 | winlogon.exe
Token: SeDebugPrivilege | 1600 | csrss.exe
Token: SeDebugPrivilege | 1124 | csrss.exe
Token: SeDebugPrivilege | 1560 | csrss.exe
Token: SeDebugPrivilege | 1892 | csrss.exe
Token: SeDebugPrivilege | 1676 | csrss.exe
Token: SeDebugPrivilege | 1444 | csrss.exe
Token: SeDebugPrivilege | 1748 | csrss.exe
Token: SeDebugPrivilege | 840 | csrss.exe
Suspicious use of SetWindowsHookEx 9 IoCs
pid | Process
1680 | winlogon.exe
1992 | winlogon.exe
780 | winlogon.exe
364 | winlogon.exe
1292 | winlogon.exe
1752 | winlogon.exe
516 | winlogon.exe
1892 | winlogon.exe
852 | winlogon.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1444 wrote to memory of 676 | 1444 | f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe | 27 (entry repeated 4 times)
PID 676 wrote to memory of 1680 | 676 | winlogon.exe | 28 (entry repeated 8 times)
PID 1680 wrote to memory of 1200 | 1680 | winlogon.exe | 12
PID 1680 wrote to memory of 1304 | 1680 | winlogon.exe | 19
PID 1680 wrote to memory of 1344 | 1680 | winlogon.exe | 18
PID 1680 wrote to memory of 676 | 1680 | winlogon.exe | 27 (entry repeated 2 times)
PID 676 wrote to memory of 580 | 676 | winlogon.exe | 29 (entry repeated 4 times)
PID 1680 wrote to memory of 1076 | 1680 | winlogon.exe | 30 (entry repeated 9 times)
PID 1680 wrote to memory of 1168 | 1680 | winlogon.exe | 31 (entry repeated 9 times)
PID 1680 wrote to memory of 1200 | 1680 | winlogon.exe | 12
PID 1680 wrote to memory of 1304 | 1680 | winlogon.exe | 19
PID 1680 wrote to memory of 1344 | 1680 | winlogon.exe | 18
PID 1680 wrote to memory of 580 | 1680 | winlogon.exe | 29 (entry repeated 2 times)
PID 580 wrote to memory of 1780 | 580 | csrss.exe | 32 (entry repeated 4 times)
PID 1780 wrote to memory of 1992 | 1780 | winlogon.exe | 33 (entry repeated 8 times)
PID 1992 wrote to memory of 1200 | 1992 | winlogon.exe | 12
PID 1992 wrote to memory of 1304 | 1992 | winlogon.exe | 19
PID 1992 wrote to memory of 1344 | 1992 | winlogon.exe | 18
PID 1992 wrote to memory of 1780 | 1992 | winlogon.exe | 32 (entry repeated 2 times)
PID 1780 wrote to memory of 1600 | 1780 | winlogon.exe | 34 (entry repeated 3 times)
System policy modification 1 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe (entry repeated 9 times)
Processes
- C:\Windows\system32\taskhost.exe (PID 1200)
  cmd: "taskhost.exe"
- C:\Windows\Explorer.EXE (PID 1344)
  cmd: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe (PID 1444)
    cmd: "C:\Users\Admin\AppData\Local\Temp\f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a.exe"
    signatures: Loads dropped DLL, Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 676)
      cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
      signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1680)
        cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
        signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Drops file in Windows directory, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of SetWindowsHookEx, Suspicious use of WriteProcessMemory, System policy modification
        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1076)
          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\DENkyEoTx0.ini"
          signatures: Executes dropped EXE
        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1168)
          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\xuCvAZcgzx.ini"
          signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
      - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 580)
        cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1680 -proc 1680 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
        signatures: Executes dropped EXE, Loads dropped DLL, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken, Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1780)
          cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
          signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext, Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1992)
            cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
            signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Deletes itself, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Modifies system certificate store, Suspicious behavior: EnumeratesProcesses, Suspicious use of SetWindowsHookEx, Suspicious use of WriteProcessMemory, System policy modification
            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1756)
              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\IbLZAWG7x9.ini"
              signatures: Executes dropped EXE
            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1652)
              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\ZL1xSUU7aU.ini"
              signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
          - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1600)
            cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1992 -proc 1992 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
            signatures: Executes dropped EXE, Loads dropped DLL, Suspicious behavior: EnumeratesProcesses, Suspicious use of AdjustPrivilegeToken
            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1892)
              cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
              signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
              - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 780)
                cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1924)
                  cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\cTGGjwmILH.ini"
                  signatures: Executes dropped EXE
                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 2004)
                  cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\R7Wzqz56M3.ini"
                  signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
              - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1124)
                cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 780 -proc 780 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 856)
                  cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                  signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                  - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 364)
                    cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                    signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Modifies system certificate store, Suspicious use of SetWindowsHookEx, System policy modification
                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1544)
                      cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\khm5GQ0RNm.ini"
                      signatures: Executes dropped EXE
                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 892)
                      cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\ZM3ibmRqbt.ini"
                      signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
                  - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1560)
                    cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 364 -proc 364 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                    signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1992)
                      cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                      signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                      - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1292)
                        cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                        signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 580)
                          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\2t080Vpw1S.ini"
                          signatures: Executes dropped EXE
                        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1516)
                          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\4osgNOlLlM.ini"
                          signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
                      - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1892)
                        cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1292 -proc 1292 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                        signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1928)
                          cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                          signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                          - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1752)
                            cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                            signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1912)
                              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\M9XT423hJm.ini"
                              signatures: Executes dropped EXE
                            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1900)
                              cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\9T6JdJ0dln.ini"
                              signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
                          - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1676)
                            cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1752 -proc 1752 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                            signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                            - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1412)
                              cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                              signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                              - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 516)
                                cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                                signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1944)
                                  cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\UlgDRCmvSt.ini"
                                  signatures: Executes dropped EXE
                                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1904)
                                  cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\akcqoLE0SH.ini"
                                  signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
                              - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1444)
                                cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 516 -proc 516 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                                signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                                - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 304)
                                  cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                                  signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                                  - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1892)
                                    cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                                    signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Enumerates connected drives, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 428)
                                      cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\OA8ofNf10r.ini"
                                      signatures: Executes dropped EXE
                                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1088)
                                      cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\RzRfPKpYtm.ini"
                                      signatures: Executes dropped EXE, Accesses Microsoft Outlook accounts
                                  - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 1748)
                                    cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 1892 -proc 1892 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                                    signatures: Executes dropped EXE, Loads dropped DLL, Suspicious use of AdjustPrivilegeToken
                                    - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 1116)
                                      cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                                      signatures: Executes dropped EXE, Loads dropped DLL, Adds Run key to start application, Suspicious use of SetThreadContext
                                      - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 852)
                                        cmd: "C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe"
                                        signatures: Modifies firewall policy service, UAC bypass, Windows security bypass, Executes dropped EXE, Windows security modification, Checks whether UAC is enabled, Suspicious use of SetThreadContext, Suspicious use of SetWindowsHookEx, System policy modification
                                        - C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe (PID 876)
                                          cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\UmWxL1jrKI.ini"
                                          signatures: Executes dropped EXE
                                      - C:\Users\Admin\AppData\Roaming\csrss.exe (PID 840)
                                        cmd: "C:\Users\Admin\AppData\Roaming\csrss.exe" -keyhide -prochide 852 -proc 852 C:\Users\Admin\AppData\Roaming\SubFolder\SubFolder\winlogon.exe
                                        signatures: Executes dropped EXE, Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\Dwm.exe (PID 1304)
  cmd: "C:\Windows\system32\Dwm.exe"
- C:\Windows\system32\DllHost.exe (PID 2040)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- C:\Windows\system32\DllHost.exe (PID 1644)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1144)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1588)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
- C:\Windows\system32\DllHost.exe (PID 1956)
  cmd: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize 2KB
MD5 8cd381eca2d5342e36b1e65a9b7f82d5
SHA1 d9b529576e1ea26e8daf88fcda26b7a0069da217
SHA256 17ff373fb2deb3ef3931ae098202097211226848ea6c581ceb9514e7a6e49369
SHA512 c888bcac5413df3eac3b068d37c866362d37915f1a25508743d818f79ce5b0518fe7ec7a4ff29be51d2404eb5f999b5d2238e60a8670375b82a8a96566101154
-
Filesize 61KB
MD5 3dcf580a93972319e82cafbc047d34d5
SHA1 8528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA256 40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA512 98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 1KB
MD5 8641ac0a62e1e72023be75ceed4638a9
SHA1 a347dbd79e99d81cdd6ec77783008fec9f7e7d42
SHA256 d291f90a287f0bf8702208bab880ef95c5b2bd22a2c21762e828a707a004da2c
SHA512 9a12e4baf2ca8bc5c4ca5a8606a9200241da8fb413e50ef6c0b6b4597c25a2636915bd9dfd7e9a97e0f58a15859629bad9222188dccdaf4efdbb8e14884d0ffe
-
Filesize 472B
MD5 b5170f55c5fd102cd23a641a76db5095
SHA1 9c9855182d6d8c7d281a88eb74c4ad964c166d51
SHA256 87cd0f31cae591c772a1ce76a198c8480e575b163cfcde3a0a191ae7a491e6e8
SHA512 b503d73c7b9e99a0f43c0fea92a2b8f49bfb164a2ef290f69860dd20623c735199f6b3abbaac472585365d71c3551e006bcef504456fcd728d7f781fe1d568c0
-
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize 488B
MD5 65c16e2d53d5abccbae2f3c2f6321ffd
SHA1 8458786642509057205deaf1ef54df9879f5a008
SHA256 80fd8941d38275554f74fd4df450d1f714c83ea9930476e3b8be98ca3b1253a7
SHA512 0e6a0e7febacd3d9d8c3406e9bb380e8552a7b74937d85e38c3a963ec81f40101e599d6bf9d073239542b105a230824754d426a50078552ef9e4eadae046c685
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c2956f0adc2053bbd5e46ba055f0bf17
SHA1 61547d25d91638fd39550205cf40cdc6e7f3b6ca
SHA256 1f578e7fd436b4083c214382489aac9a434e993d326c6fe15707ff04bad23ead
SHA512 84dbb321390c26aeed8fc3edc4b28f349a28fc92c64ae639a8ac67a1748bd133d23355b62c0a4777cfc3b50e3f4f51b1a14129855509774dc80832c77fb9052d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Filesize 482B
MD5 035d87da73c6a32398ad04c0d2c1ce56
SHA1 098501d5b29ef0dc7281302a31e4cc3fd47fbdfc
SHA256 402014f32278c7ecdb2e80c8d6eed6093a28e5ac5535171cb05a24529b82487f
SHA512 21253231bd57791f55ca49e75a3feaf15b64b021ebed317a12721f9f850c0108675fabef095d5fdaa7d776099b20da4516eb9e88053102665a6ebc91a4b33477
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C6872375A2E1BC120603F5605C3CEC71
Filesize 484B
MD5 eee81dce3f31686c73ad90f1d64163df
SHA1 ef360eea2984439127cf92db0ae2d3545a71a33e
SHA256 989d17807e8301480d2dc8cb8032f80cf0fcb60bf2bf2d2898771804ce894185
SHA512 2d1379426cd920a31f9e21d25d65e10e878a1694bff0b8d89bb2bb779f97de7bdb1009b1bc7b48f7cde9a64fc72ce6e7a9a6a937eee0dbb50fe66269d5e0446f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 a968e8a74225049514c143032a3328e2
SHA1 0748a55a80283f1ad7f2d79f2239c86bf47f07d4
SHA256 9cbcdbb13f54f21e93d1ae49b0ad87ce6b709aa3dd7d3feacc53ab22d241cc1b
SHA512 47d3fcdddb42819d0ec5400dc55d13c6f711c70618a545d32f02ddf232f3c05a9a615f83758803f2b70b1059664dff6ef11251e82cbabbb2228d7eccdcbc29fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\TAR9OKL9\index[1].htm
Filesize 162B
MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z4TAQ562\index[1].htm
Filesize 162B
MD5 4f8e702cc244ec5d4de32740c0ecbd97
SHA1 3adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA256 9e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA512 21047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
-
Filesize 5B
MD5 d1ea279fb5559c020a1b4137dc4de237
SHA1 db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256 fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512 720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
- 3 further dropped files with the same size and hashes as the 5B entry above (paths not recorded in the report)
-
Filesize 488KB
MD5 e0968638796261d3bd533c7f452095c0
SHA1 60b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256 f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512 e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
- 31 further dropped files with the same size and hashes as the 488KB entry above, i.e. copies of the submitted sample (paths not recorded in the report)
-
Filesize 255B
MD5 f6fc0afddf9cf80c3dda729d47ab8aa6
SHA1 536cb06ced0255f23695a7ae717d3b1d3a437fcb
SHA256 aa50a48b8f00017cd1dc20090d06f2fd60214d9dd2865c231c8ba91e8fbc9916
SHA512 0615429df4220effde278be9028407f781b75575f018c7b3cec7e1f7f85b4284ae8fae9990049805ce5195187008159fc9712cd873aa1dc8256bb992bdf9d1fe
- 13 further dropped files with the same size and hashes as the 488KB entry listed above, i.e. copies of the submitted sample (paths not recorded in the report)
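The Downloads list above is flattened: entries are separated by a lone "-", the Filesize label sometimes sits on the same line as its value and sometimes on the line before, and every hash label is glued to its digest, so a line such as SHA160b9e96a... has to be read as SHA1 followed by 60b9e96a.... The following Python is an added example, not part of the tria.ge report, that parses that layout, checks each digest against the length its algorithm must have so a glued label cannot be mis-split, and groups the entries by SHA-256 so that copies of the submitted sample are counted once and the genuinely new artifacts stand out. The excerpt it runs on is constructed from entries above; the full list repeats the sample's own hashes dozens of times.

```python
"""Parse a flattened tria.ge "Downloads" list and collapse dropped files by
SHA-256.  Added example for this page; not tria.ge code."""
import re
from collections import Counter

SAMPLE_SHA256 = "f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a"
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Labels are glued to digests; longest label first so SHA512/SHA256 win over SHA1.
HASH_RE = re.compile(r"^(SHA512|SHA256|SHA1|MD5)([0-9a-fA-F]+)$")

# Constructed excerpt in the report's own layout.  Digests are copied from the
# entries above; the 488KB entry appears twice to stand in for the many copies.
EXCERPT = """\
-
C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\TAR9OKL9\\index[1].htm
Filesize162B
MD54f8e702cc244ec5d4de32740c0ecbd97
SHA13adb1f02d5b6054de0046e367c1d687b6cdf7aff
SHA2569e17cb15dd75bbbd5dbb984eda674863c3b10ab72613cf8a39a00c3e11a8492a
SHA51221047fea5269fee75a2a187aa09316519e35068cb2f2f76cfaf371e5224445e9d5c98497bd76fb9608d2b73e9dac1a3f5bfadfdc4623c479d53ecf93d81d3c9f
-
Filesize
5B
MD5d1ea279fb5559c020a1b4137dc4de237
SHA1db6f8988af46b56216a6f0daf95ab8c9bdb57400
SHA256fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba
SHA512720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
-
Filesize
488KB
MD5e0968638796261d3bd533c7f452095c0
SHA160b9e96a5d6e5cbf71a01e0530b89115f051a960
SHA256f0db4ce49381eaa871a8bb7301265136eef1f88a1c291b72022c8e94cdf8f97a
SHA512e0890b6464f9a2d3ccf1c09b99c8d2fdb16f554b483e6480d896ffb10e314ea7908c1a9d4f4740cb4eb1eea5eae29e4ad1e7a21f3f3950d5d0198f1079153d45
"""


def parse_downloads(text):
    """Split the list on its "-" separators and return one dict per entry."""
    entries, cur = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if line == "-":
            if cur:
                entries.append(cur)
            cur = {}
            continue
        if cur is None or not line:
            continue
        if line.startswith("Filesize"):
            size = line[len("Filesize"):].strip()
            if not size and i < len(lines):   # value sits on the following line
                size, i = lines[i], i + 1
            cur["size"] = size
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:   # catches a mis-split label
                raise ValueError(f"{algo} digest has {len(digest)} hex chars")
            cur[algo] = digest
        else:
            cur["path"] = line                  # anything else is the dropped path
    if cur:
        entries.append(cur)
    return entries


def summarize(entries, sample_sha256=SAMPLE_SHA256):
    """Group entries by SHA-256 and separate sample copies from new artifacts."""
    by_hash = Counter(e["SHA256"] for e in entries)
    return {
        "entries": len(entries),
        "unique": len(by_hash),
        "copies_of_sample": by_hash.get(sample_sha256, 0),
        "novel": [e for e in entries if e["SHA256"] != sample_sha256],
    }


if __name__ == "__main__":
    report = summarize(parse_downloads(EXCERPT))
    print(f"{report['entries']} entries, {report['unique']} unique, "
          f"{report['copies_of_sample']} copies of the submitted sample")
    for e in report["novel"]:
        print(f"  {e['size']:>6}  {e['SHA256']}  {e.get('path', '(path not recorded)')}")
```

Pasting the whole Downloads section above into EXCERPT gives the same two outputs a triage analyst wants from it: the count of entries that are just the submitted sample written to another path, and the short list of other artifacts (the CryptnetUrlCache files from certificate revocation lookups, the two cached index[1].htm pages, and the small 5B and 255B files) whose hashes are worth pivoting on.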