88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

Analysis

max time kernel
150s
max time network
178s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
Size

1.1MB
MD5

1459db879cfdf0a4fdda31a2adf341b3
SHA1

52f8fbf0f100acae7fff0be35d89439d7e6d0127
SHA256

88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f
SHA512

724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68
SSDEEP

1536:X2n2z/NfmeGrObqqvg5uJhy1haQ2R27sbXu7VUFm10IMSPzY2y76ldFkQZbe4fyQ:wKBmZGqqvgyhy1QRZaum1HBY2uKVDf

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 5 IoCs

pid	Process
1364	winlogon.exe
1740	winlogon.exe
1256	winlogon.exe
948	winlogon.exe
1156	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navauto-protect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alerter.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsmb32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navrunr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\neomonitor.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webtrap.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccguide.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppvstop.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbpoll.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdclt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccpxysvc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Restart.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieCtrl.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieRpcSs.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\anti-trojan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe	winlogon.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2008-56-0x0000000000BB0000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/1896-58-0x0000000000BB0000-0x0000000000BEB000-memory.dmp	upx
behavioral1/memory/1940-55-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1940-60-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1940-61-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-65.dat	upx
behavioral1/files/0x00090000000126c9-66.dat	upx
behavioral1/files/0x00090000000126c9-68.dat	upx
behavioral1/files/0x00090000000126c9-69.dat	upx
behavioral1/memory/1940-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1740-74-0x0000000000980000-0x00000000009BB000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-73.dat	upx
behavioral1/files/0x00090000000126c9-76.dat	upx
behavioral1/memory/1364-75-0x0000000000980000-0x00000000009BB000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-79.dat	upx
behavioral1/memory/1364-81-0x0000000000980000-0x00000000009BB000-memory.dmp	upx
behavioral1/memory/1156-86-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/files/0x00090000000126c9-88.dat	upx
behavioral1/memory/1156-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1156-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/948-96-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1156-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1156-98-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1896 set thread context of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1364 set thread context of 948	1364	winlogon.exe	34
PID 948 set thread context of 1156	948	winlogon.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009430aaef10249341bc6f70c8c05d307700000000020000000000106600000001000020000000d6f7d629379997b88355323034af6078361994985218083fc5dc0674487f01da000000000e8000000002000020000000fcc9add2146faa15a47e76c8392c74c94c730c6d2d77c42a563c8012c97fc62220000000c8e6790b15b9a02f492772c952d769e946109170a97a535a5f10472e78519db040000000b06ad0e3c6b3bee2a7653c578d3883616b95953b2d10338a7b52f579a9152fb9bcccde578b6707318847efbef27d6a9aa85057f78bf9813585159fb17d325083	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376345743"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://7y90l95p2ettw11.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009430aaef10249341bc6f70c8c05d3077000000000200000000001066000000010000200000003b9fea4fb1a03bfd9c5675c9fc7a7a7e04f095ec401d946e021a7b974a3c01c5000000000e8000000002000020000000988ae2164d55e51e349295ff3fbeee0db3e66b8209bb25109c2576e11ea0898f900000007536dca405654515b387dd5ad0cdae654817a16a9234ddd6df3b1465176dbbeed09a6f2f2627c03efcf923ecb32f3a21b9691f693ca1e5e811218785caeb7e8edd3f59c2639e3125f9f291e41429e461a53f4a6cc549683131af4293d67822c5440792bd7bc8d1b67fe576013381b1d7724b729938702c3b078779b67c324743dde5a7af40a915ca547ccd995558515940000000bde4456fea31651b848d639bc08108900a75d59bcf84d20bd2225e07d28f6791b6a0ef7cdb3c38bc520b9fac4a9e63525bc897c9e5921aa295039687bf8f336d	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://20ldmro1a17h71d.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B9A58861-6E91-11ED-9172-7ADD0904B6AC} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://7d4rf7a59kvq84c.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60916d939e02d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://1502sqo01ad36s1.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://k546brc93s235it.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://313cj5z2qd220i3.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://q3563vuqguvl74v.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://m6996y991wx108y.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://91771d2xgy94a1x.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://xeic8mru4db2f48.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1156	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1156	winlogon.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe
756	iexplore.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
948	winlogon.exe
1156	winlogon.exe
756	iexplore.exe
756	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
1380	IEXPLORE.EXE
1380	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
912	IEXPLORE.EXE
912	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
756	iexplore.exe
756	iexplore.exe
1920	IEXPLORE.EXE
1920	IEXPLORE.EXE
1156	winlogon.exe
1156	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 1932	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	28
PID 1896 wrote to memory of 1932	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	28
PID 1896 wrote to memory of 1932	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	28
PID 1896 wrote to memory of 1932	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	28
PID 1896 wrote to memory of 2008	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	29
PID 1896 wrote to memory of 2008	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	29
PID 1896 wrote to memory of 2008	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	29
PID 1896 wrote to memory of 2008	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	29
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1896 wrote to memory of 1940	1896	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	30
PID 1940 wrote to memory of 1364	1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	31
PID 1940 wrote to memory of 1364	1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	31
PID 1940 wrote to memory of 1364	1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	31
PID 1940 wrote to memory of 1364	1940	88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe	31
PID 1364 wrote to memory of 1344	1364	winlogon.exe	32
PID 1364 wrote to memory of 1344	1364	winlogon.exe	32
PID 1364 wrote to memory of 1344	1364	winlogon.exe	32
PID 1364 wrote to memory of 1344	1364	winlogon.exe	32
PID 1364 wrote to memory of 1740	1364	winlogon.exe	33
PID 1364 wrote to memory of 1740	1364	winlogon.exe	33
PID 1364 wrote to memory of 1740	1364	winlogon.exe	33
PID 1364 wrote to memory of 1740	1364	winlogon.exe	33
PID 1364 wrote to memory of 1256	1364	winlogon.exe	35
PID 1364 wrote to memory of 1256	1364	winlogon.exe	35
PID 1364 wrote to memory of 1256	1364	winlogon.exe	35
PID 1364 wrote to memory of 1256	1364	winlogon.exe	35
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 1364 wrote to memory of 948	1364	winlogon.exe	34
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 948 wrote to memory of 1156	948	winlogon.exe	36
PID 756 wrote to memory of 1920	756	iexplore.exe	42
PID 756 wrote to memory of 1920	756	iexplore.exe	42
PID 756 wrote to memory of 1920	756	iexplore.exe	42
PID 756 wrote to memory of 1920	756	iexplore.exe	42
PID 756 wrote to memory of 1380	756	iexplore.exe	45
PID 756 wrote to memory of 1380	756	iexplore.exe	45
PID 756 wrote to memory of 1380	756	iexplore.exe	45
PID 756 wrote to memory of 1380	756	iexplore.exe	45
PID 756 wrote to memory of 912	756	iexplore.exe	46
PID 756 wrote to memory of 912	756	iexplore.exe	46
PID 756 wrote to memory of 912	756	iexplore.exe	46
PID 756 wrote to memory of 912	756	iexplore.exe	46
PID 756 wrote to memory of 2244	756	iexplore.exe	48

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
"C:\Users\Admin\AppData\Local\Temp\88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1932
- C:\Users\Admin\AppData\Local\Temp\88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1940
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:1344
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      PID:1740
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1156
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      PID:1256

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1420

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:406536 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1380
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:734225 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:912
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:756 CREDAT:865306 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f2080851a6780703a0f3764645202ce1

SHA1
6e16ec7fe0404b0fe43ebd271ca47ffba9fc9588

SHA256
d3969401d4fc819669b9ce997251cc41d4883a31c4f43271b088944fadce3a83

SHA512
50e5661d1b5c66073c34d164b49733d7c1c1d7b2782611596646b60dae81321c5c92f9e64dce980cea8306b29db6136e582dcc07f1a951580c1f9f4d69643121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
9f6cc8d3fe9092a6d3901e873a87fd87

SHA1
2e0aac117a4cc57596efb3d6f6624c269f94b031

SHA256
e73982e62b92abac3d15b161f4525448cc2bc8b9bacefdcbfc6f87b74ec372e4

SHA512
9736a099967d7ad595439768e45c633ff7d34de92f7cb0c19cd3d4590c4a6dd4fedfcd1b5617c81652e61f4ffe919057507f622f4c6d8d626cfc40234ad2c757

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
1b3b8f713880b3ea49f4007bf1bb5236

SHA1
d477e779a5410ada34327526d7a0796160a9a0bc

SHA256
a4c99fdb0502a7056def84ddefe11d03d39fb3b35682ff2138a29b3364b582ec

SHA512
a9cfbf8c6ffed392a0a469cdb3c58d2a11e3cea483a34ec76945206433ad1754f52559e577e6dffc7a670727a22110c2f3fc547273a5f4aaee218b8f800feb4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F463A8EC6EA3A214C73FB4FC74B1B1BD

Filesize
434B

MD5
f1443597fcff43e98cf17eb8f9b1093a

SHA1
62d309051fdde1260cb89c9056385708ca5cd283

SHA256
b822350aa6b79e19042217701c714cfc02b80e404c85b158724c516849bd7137

SHA512
24cb38b6644ad82548afe3c7aff69d12ecb0fe4c76b960fd1480adbfcf59890304773908ba6d6b0e45939bbb6898a965901cb019a845d551d0959220d5bb652c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
920f097816481cec4131b9980da7a308

SHA1
f587ad95674d5772cc6828347d15b8402c03b5ba

SHA256
c743b58346a4344f5a24fe9cecb7d5d08ba71f9cb976e11b66f6bf1e0c749780

SHA512
ebe967f8f105892cef811bdc59a1c200fd93e2d1ebdc7681cece8a50b8dc66a2fa1e8a4259aec00e55479983558f427aad9801bee2e7755afe86cb954374afee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
002b6b6f5d9921185ffa6c2ddd568fa2

SHA1
83da4b767fdcbfbeb397de6e0ecd163de353447b

SHA256
877046dc1159671f3ee8b7d2d2c4ca14edc48b2961de17287632475dac11300a

SHA512
b422de449746a90af70db9a47615983c4325e9da35e0fdd5c9a1578a1742030b9e29d577cf142762d6b77bad1dca67cfe189d02e4b281012e91818033b92696c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
9e697905f51b140346e398fcbda56de7

SHA1
1b83d6af35e5c3bfb50d12fae9d34f48f41f1a34

SHA256
b0e6d76f704857e56a8aebcb1163aed204df9dfffe06f912b06d2c91d27e5b8d

SHA512
9c31b44cb7a7dc896d85c9ec60d789fbb97176c10d4074eb5e72ae8d9352c5c003177c8ac0d6dc2bf925d83a6045590e935e809e13e7281412d07b40bcbedb39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d06c1b2ebd52b919ef5221f55ecff09d

SHA1
b3aecdfef6c830a0aebf4327c0b00065652a5cbb

SHA256
023c4a331a9617c389b3751fb3873fc43ffae48be0830ec556474b845a7cf931

SHA512
2473654435331ddf3e5d5ede01125cd3b90b080b5d8a6b4dc158fe023fb9b363187241adc84dd1c8afae9bdaf936e31d3762732bfd4708fe8093a0a53fc80acc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea564e647860fa0d3db4131f4e96699

SHA1
729c909a03bceb603bb5768f9416c240bbc9ffe6

SHA256
5fa5c8be173df77602abeab0c1e3bbcf2edf7cf8fd27711268b0c2469149c66e

SHA512
a700d70999a0231e36f61d9e4fb9c3be547994bf3c8d7b1c37f999623942958f08b9f7a64fadc3b482957ac7949ffe2048da60f3b54e3627e86528aff955d96a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11b9d70eabdba4ce2ddfcfd7b23c3eb9

SHA1
44a1d5be01758c3a348b5532a63de37f587e6655

SHA256
766e11dc68a0706cbf1bd3794801fdd8b11fbabfb1a8f8612f0e577855b39c68

SHA512
738655df551fdf2f2390893968b8a222ea9d17008b96005a762c8fb5ada1ca88b51499e337593de2d074e5eb0d92bbe3c9053ad6e4b2436c1eeeaf4d4fb7c627

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e8fe6151e872bc9e6c5f80b303fb32

SHA1
83a901a282e72ea0c26a48d70443c01532caf1ca

SHA256
fcdebe1ff13ce517797c4c4e08925681bbf06f3d1130df1c5e081fc0935a0f87

SHA512
67a1ad274cf1b0dfcfc731b1a0200e6a319b305fc4fb0b55be58abeb6419a3f3752342fc19a85e1e1e941d2988cfc48685d582e6f2a2ef8332beff4238712b83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6d7290e885f3d1fb026923e54f92b4

SHA1
99157f865bdc9a67cce5ed301ab08fd534acdaa6

SHA256
629accf23deb58bcb5c987ceba6f334a6b6a65820922586a4f145ab24acf16cb

SHA512
bce53a32bdf8da7d824cb6fd8634ad4b9c6d9681f1336dc03ac3e7cb43f1f9061f5061f8675c514fb5b7f3de15bdc64eba3dea116445aac874d0fe8672b88e10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5560e43caf93ac1ee8bd0736c1144da7

SHA1
0c55ebed190527e6006e501904b6e982f0954c11

SHA256
1111b70e16aeb08245cf5c84607646daa087499a560a6c9751535e3bf3f86f6e

SHA512
cec7d448285a4573b1e3ebb26a53d05764985ec6fbd0415d4526b84acef4b12fe91cae6e4cb7a995900dd2b8a3ba18e4b12a4307ccb3e3df3bf8959d7ee6a08b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
092175653cc8bdb863ac4494d8ccd60e

SHA1
e9f4ee96ea91544583439da9e50da6df9c49bb84

SHA256
92b6d8e306521763fa736c073639af0b0569574a4fd7ced14103732d972e8681

SHA512
6b60a9652fa3a73713e92c6e5369b7b984cfc2268d16d703f9a7731b1986f100378532fd99f862ae02abd9177ad61a970ea0d22bcca57aa3c059dc850882dc0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3646dbb5e5e1f68e57f4a2e237d21d60

SHA1
c9dba93eea639cb74df76b6af7429d3335068fa3

SHA256
4366f96e91c699a887b1a52d5dbf6097b92559b75a7a0586052a46721d81eaa9

SHA512
b714799d329b788a80fabeafa1b147fc1a887e1268efd613fbdee21e8d355f3410ee639b3dc9a86b3b1f164127de86b764a673e0311b1ea96a2b00b34e1ecd9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F463A8EC6EA3A214C73FB4FC74B1B1BD

Filesize
236B

MD5
ea7091282564602389f869ea21e2dd15

SHA1
01029673515cb9f27c4992c69fa5e3213c2e5cb5

SHA256
02f53b7ad490cb694a25989ccfc924827d95b23dea5062becbdb14e3b926f3a1

SHA512
54f2df57daa1b50d4a7bf612bea4bc7b2120a3a4549ad2a2c27b4f62bad9683b713576d0da90edec6f2c31b70efe7ab33f19f30cb8d9c330ea0c19e868fee4b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\MP7SY338\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\HMYQ5VMA.txt

Filesize
608B

MD5
f4101162e24c02a859c4817a4ceebee8

SHA1
28802277058dbc59c9ebd4f6ba71c76ed63cd419

SHA256
78ac70b9d314f665fe762595880ec3b03f0985e166c340dc7854c833d7865bfa

SHA512
238c64ec5ce6839709f30b8d165f01a11bb3f7ebca7d4b0526686d26f8e3405875b3c07a30bc3ec5e1e83ec1b2574109004ba6dbb1f4c5735120325798a65b7e

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.1MB

MD5
1459db879cfdf0a4fdda31a2adf341b3

SHA1
52f8fbf0f100acae7fff0be35d89439d7e6d0127

SHA256
88812afd0432a4b86690d91eba4aa05cbb7e764cc512903ba92507ec6a3d6a1f

SHA512
724d9f651b476d8bba5ac36bde16945bde90a875b4c79421816f9eb3345d38a178caac3d31dbf0213598c301d37f6be6d16f6636e22a3c0c1ed4374d4ee93d68

Download Submit
memory/948-96-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1156-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-86-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1156-120-0x0000000003D50000-0x0000000004DB2000-memory.dmp

Filesize
16.4MB

Download
memory/1364-81-0x0000000000980000-0x00000000009BB000-memory.dmp

Filesize
236KB

Download
memory/1364-75-0x0000000000980000-0x00000000009BB000-memory.dmp

Filesize
236KB

Download
memory/1740-74-0x0000000000980000-0x00000000009BB000-memory.dmp

Filesize
236KB

Download
memory/1896-58-0x0000000000BB0000-0x0000000000BEB000-memory.dmp

Filesize
236KB

Download
memory/1940-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-61-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-60-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1940-64-0x0000000076181000-0x0000000076183000-memory.dmp

Filesize
8KB

Download
memory/1940-72-0x0000000000570000-0x00000000005AB000-memory.dmp

Filesize
236KB

Download
memory/2008-56-0x0000000000BB0000-0x0000000000BEB000-memory.dmp

Filesize
236KB

Download