47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

Analysis

max time kernel
133s
max time network
216s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27-11-2022 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe
Size

1.3MB
MD5

b6450b36282b5589ad45736b72b5d71c
SHA1

c1a5e775670e6c0350b2136ff89b6140c2dc8815
SHA256

47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9
SHA512

40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2
SSDEEP

3072:1+kZqVeInSk82TfatZ9mD5fvNj6kECsjZ:1jaSk8iCtPmD5Hl6ysN

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1936	winlogon.exe
892	winlogon.exe
1828	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rapapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safeweb.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\popscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fix-it.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winrecon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2k_76_1436.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds2.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcons.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wfindv32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\exit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmntsrv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpostproinstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mdll.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmias.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pathping.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwinstall.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\supftrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmgrdian.exe	winlogon.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2012-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-67-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2012-83-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/892-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1828-89-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1828-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1828-94-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1828-98-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/892-99-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1828-100-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe
2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1920 set thread context of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1936 set thread context of 892	1936	winlogon.exe	31
PID 892 set thread context of 1828	892	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://53u9y1vzw2520kj.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://7fli9q9n051f4wl.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://8p586t02r1dh9w8.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://sd5jat54k55f172.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EDEB7B41-6F57-11ED-965B-E20468906380} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1e2307e36edc74d980ca12b80ac2f730000000002000000000010660000000100002000000013249efbdcd861ac6db91ef8947ea23045a5beb71c7ebee878c1bcaa3ec1858a000000000e800000000200002000000022209ccb8714aba2fb86f14939a26f6446b5c28d4d932ce89ca0d8060f7303c4200000002b092749d4455ad88f3e74b21dbbc1a2c0bc93e742e879c8c7383202bc9c161040000000dce916274ef7a14c8fcc7d17bfbd50d80af2161d16e556785075fbbc025a976fb857ce2613610a09b263f9276faaaa3cd9ee844ebc92abf9a35459ff1101fd25	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376430902"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://oq14gso3o49h0g2.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://ias81bg379rs2a1.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a1e2307e36edc74d980ca12b80ac2f7300000000020000000000106600000001000020000000e47100ca1c993d9cf258fa72bcd5384909021d9b9617e209432aac7d3ad9b76b000000000e8000000002000020000000ae02524e065ec2997a85b583fd42e971cd90e339495443d4681192e53790803190000000bd46d0428b67fec426356d963ad5a59e3ada71bd02a3065fc18cece49e8d5495a55a3527c6372acc488bf576ffe81142d7c67ffe46554351510dfe15603cfd56f1c1705bd3d56bbd7e3ce86688bfa3c2acbed6c01d227b6e9af66dcfc7df77ba17b9c39a554e8f55b720b9ae62ebf5ca854dc125ffac9f8b50310983abb58d67307a52d2799c90b1fa29d3b87eaa5c11400000008a43aa4d1cca67e9be1e92638e3f52dabd52cd2eafe8026195f36bf2dcbcae56ddbb35ce6de3ea0c3f31359498092e2754900c84e053664d0d445ab111e9b62f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://6oh5s83x54p1072.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0e03cc36403d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://m735w90088p9y7a.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://t5o6p2n2897afi0.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://t51a36ze018vkqc.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1828	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1828	winlogon.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe
1876	iexplore.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe
892	winlogon.exe
1828	winlogon.exe
1876	iexplore.exe
1876	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1876	iexplore.exe
1876	iexplore.exe
1068	IEXPLORE.EXE
1068	IEXPLORE.EXE
1876	iexplore.exe
1876	iexplore.exe
1608	IEXPLORE.EXE
1608	IEXPLORE.EXE
1876	iexplore.exe
1876	iexplore.exe
1112	IEXPLORE.EXE
1112	IEXPLORE.EXE
1876	iexplore.exe
1876	iexplore.exe
1952	IEXPLORE.EXE
1952	IEXPLORE.EXE
1828	winlogon.exe
1828	winlogon.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 1920 wrote to memory of 1996	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	27
PID 1920 wrote to memory of 1996	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	27
PID 1920 wrote to memory of 1996	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	27
PID 1920 wrote to memory of 1996	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	27
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 1920 wrote to memory of 2012	1920	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	28
PID 2012 wrote to memory of 1936	2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	29
PID 2012 wrote to memory of 1936	2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	29
PID 2012 wrote to memory of 1936	2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	29
PID 2012 wrote to memory of 1936	2012	47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe	29
PID 1936 wrote to memory of 1084	1936	winlogon.exe	30
PID 1936 wrote to memory of 1084	1936	winlogon.exe	30
PID 1936 wrote to memory of 1084	1936	winlogon.exe	30
PID 1936 wrote to memory of 1084	1936	winlogon.exe	30
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 1936 wrote to memory of 892	1936	winlogon.exe	31
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 892 wrote to memory of 1828	892	winlogon.exe	34
PID 1876 wrote to memory of 1952	1876	iexplore.exe	39
PID 1876 wrote to memory of 1952	1876	iexplore.exe	39
PID 1876 wrote to memory of 1952	1876	iexplore.exe	39
PID 1876 wrote to memory of 1952	1876	iexplore.exe	39
PID 1876 wrote to memory of 1068	1876	iexplore.exe	41
PID 1876 wrote to memory of 1068	1876	iexplore.exe	41
PID 1876 wrote to memory of 1068	1876	iexplore.exe	41
PID 1876 wrote to memory of 1068	1876	iexplore.exe	41
PID 1876 wrote to memory of 1608	1876	iexplore.exe	42
PID 1876 wrote to memory of 1608	1876	iexplore.exe	42
PID 1876 wrote to memory of 1608	1876	iexplore.exe	42
PID 1876 wrote to memory of 1608	1876	iexplore.exe	42
PID 1876 wrote to memory of 1112	1876	iexplore.exe	43
PID 1876 wrote to memory of 1112	1876	iexplore.exe	43
PID 1876 wrote to memory of 1112	1876	iexplore.exe	43
PID 1876 wrote to memory of 1112	1876	iexplore.exe	43

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe
"C:\Users\Admin\AppData\Local\Temp\47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1996
- C:\Users\Admin\AppData\Local\Temp\47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1084
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:892
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1828

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:603142 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:930825 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1608
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:537628 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
fa2f4fe6b4e02ebfa21a01c219278f9e

SHA1
a0decddca86f980dad0411daf7857c914155c913

SHA256
56bae264deeba255115db948586b5ebeddf4ddc275986043a23c01c365270994

SHA512
f447a951e2386f6d5e9719d20de4c3816f7904c595038e9cbf43a3bf49a944cfa2605d2e56433900233b26df32805b7784cbc6cb1d1dffefb5d9e9176b3e7e45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
03ad9fc0b00b5df3165dc2fb1e3b0a3e

SHA1
f8243335a8bc24d989bddd346048a055e1d0bdeb

SHA256
366b28d491f7fd632e31c1ce97f939555f7dcee14bb6875737ed2d3e96fa32ec

SHA512
a3cd8a001366e6c1b96d2b920d56e6efd34e9b69b9805e1a2b0c270346712e22420366f8bd18bbb1dd16fa60d481ad65b13385a66a3f1fa0d7aadaaa27b99796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
be112f7c1f349b67cbb28abf8c33c3d7

SHA1
32d04a77bd4384f19198bbf3f61cc434cef3abd4

SHA256
c07eae71a081f3523dbe14cf72712aaf6e2fe667659bb0b7c2684677078031d1

SHA512
e4f09392a6354c58b93cf0c576fe65016ba4be4db0e882d35c111058c5ac322f309ab56f7515c811bfc5afdf4e35f9f227d907f3cf6e515255e5f07b460425d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
3dcf580a93972319e82cafbc047d34d5

SHA1
8528d2a1363e5de77dc3b1142850e51ead0f4b6b

SHA256
40810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1

SHA512
98384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
404997839859de2ccb073bfc7b6c48f5

SHA1
5f2a9301fb8a054c73dccd3793e5cb905ba4b9f1

SHA256
3999492b6913fe14ab646002ae2717c4e089774141fa7c60ae7904b369fcccfd

SHA512
e4ab1c276a172429cdd57f0ae9411241bf53dddc6d750ea1559244ef6904fd2394883d3e4c741e33b854db33f9eb3de3c4fb57a0fa4c1eeb045a29c5523ab73c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f42319f6d4bfa43cf7e3da1a24a68e40

SHA1
e3975bbe7ec18e6e83504994427b7d68241ab81e

SHA256
93607d293967bd371fd11e3d90aa99c6f78baf1612d7d65642e704b2cadb14cf

SHA512
78e357cfd2702ca43a9d694d3592bc2ad03cbf53d8a80cd2f3fa56dc8471e35fb812f777ff74e9ac50808b40c1ab346a80d67c53680f75e9c16084c0c9e4f611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
2f2b0182473d99e5b80f990bc8f5fe24

SHA1
7e26fb6abd58fb7a3e1687cc797519e3b9927f8e

SHA256
604147eef07461aa7bff4458138688acb4bb0c946030a16963a9dcf10bd93ea3

SHA512
d4d63bb03630f7d4837e6efcfb4aeee4fe7b2526ce18d6139768c38b670047e0cf9857c980017318d17fb2f51cc093de7df90089d8878d890bedfd000778ea4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
933c23017b09bf3070c49af6cebdb8d9

SHA1
f8e57539ff4554792128945b4914e757d74f912d

SHA256
85aedd5900d1cc9bc0281dcacc7080cc25dd6a5c2035c28c39f483b60276d1e3

SHA512
52bab8c581b744ad625df8686e8a8d03dd8b608d4a897c52e0cdea95fb876eb2db32f2cb22e73daaeedd2d514ece98cdc0aab5bf7c0ba914f236a295ab709f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6cb00afe0db60ca7901370a7ce123471

SHA1
906cac1ad51b4363ec2f21524e14052042ad22f9

SHA256
a8c53dfb0a2bb5c71e23011d77d942dccc7c7ff3e8bc58dc4c9d493038483ac5

SHA512
02f88af17600d59249e56749725d7b7be10829b25fc7e9a403527f7f0a62c4dc99a294f883e04105f3a56944b2f39d4b218d2283ff0a99c4114b4e9f26cd2580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
919a587ed835a81383684bcbfae832db

SHA1
df83e9c9a8e240abfa485b87f8fce7c991358648

SHA256
b99fb95f6820c61f57b86ccbe311021f77b63565e020878b80626e39ee7ffe8f

SHA512
50f5dfb0a2f79e66b32f3102fd16c5952fc2226a71d70578a97280e4a1292a23385f1c132680863c258505bfb8f9dfebd9c507a082823f6b73e71c882d4f44c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0b6ba68226818e0a68d047238556fbc

SHA1
8ea6e8c6326fe8eb78c56bab9cc707fefce7c814

SHA256
13e2acd3699e9e24e9dbd6a0281df9dbdc88d95a5c0733bd595b371b553636eb

SHA512
9be33a7b8b3d591fe05913293f79c2a0eb21c2c9e07b9b801389025bc74402923c494bc8f94ac79038a701c630e1a42906e4577e15a0f7c90e2fe8252aa4694a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b333e044c1d076f46593d2bf88d71ec8

SHA1
28ed151515c95ce9103433fb56c51ec1ba3c0742

SHA256
539a891df953f4393247802cb2dae29286a2eb0d5725e7683a8e7956a94d44e6

SHA512
fb3ed1aef0547ac76771fcb52b2914db389f2c08edc305a87036077aa6a71ca6064707bf422146c9adce03787d2be68fe26cf2896f6b9b0b79c98ee9e095ff81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab8b11cbbffc2cc6dc0f632ffe804154

SHA1
86b59567aea4993c8af416c58d3b608d69f7675d

SHA256
e9fd0ffc37663aa53e12823521e4df1bdea0757b1ac46e24cdd096acf3b810bc

SHA512
87de211d7da1c285028044e6cd6d13f37fc6e0fe4e1fc798a5ea9c3599935528eadb6d6eeaa911b2079a612b34ae1cb7cecb234bf1e12c627bf123b6c12bf4db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0334f42a92cbbcd006a17a98cdcfd700

SHA1
d0b6a5c0e50983e0db0d3789ee84ff8b30f9a026

SHA256
35f8b48850415e8ecc7525454579fe17450a530405cd6f320cae03eaa27cd6b5

SHA512
a661958d288f81b5bbd071e9b4c6b37b6f278d733b4a3b69f0b1e2d658fd351797d248fe002aa4f5e6dd447826a92a91057dd113a19aa779d2090f21ceedc6ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6349820524d58409a079076a4bba5b6

SHA1
fc170938a23d8513c5de264796c837adb359ff6f

SHA256
08e320b4e0ca11af1981274d647d983d178fdb83ca4a7c273be1a03cc96d325e

SHA512
c385356bfaf08e8c38d873a769fc5baabeb85575a87c031f0649eb83e30c1e29f79b24a8bccc8cdbac27e9071c34e8fe29a01f1550bd7142570864a5fab93826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
9f61668a76926c07233c41fe8c27173e

SHA1
2ee0cc53c89c51607718cf5044c070abfc28113c

SHA256
5f7d3ffba3a28ae40d931afc35e02eb420c61cc86fa38ea78c8bed8f83f2a94d

SHA512
7263dd79ae7f9135ffe1f023a13574035b9f9fdc72a9536ea2dbd9ccfb451148455d13356fca11b07cbdf03b76801ef7298d022b1f649926f34d058d2ee70bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
06627e2a6f531f64c5dd5f681a9a074c

SHA1
770bbe296935c029e87933608cbb833ba13ed517

SHA256
d5bb8de8ead1c879b375d4fcc9352a45be153eaf4a1e7f0acf887ec6e8410ef4

SHA512
497ade9829813067c8f695690d79111a287fe177225ca3e00947c9d353481b2edcfc856529101c254c7feed76bb75bbe4e7c407fa63798339dda99b406e43918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
47c44f2c23f1a367d65c5add24e46a26

SHA1
66fbee4857c6b651c97dda86a1a8d08ffc39210e

SHA256
cd15d37220b660b68ae68af67ed5209a2257096ebcadf13e34115d6025d88b3c

SHA512
b0e1334d6e9e07f2945652b4bb5e75bd4a8ab202f78344feedc3e42cd3c926245073aae386c52f9c79d32d553beed6f506327d3c5906d8f611a53206c900730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\NQ9IAGMR\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NPCAR4MD.txt

Filesize
601B

MD5
0ad627213a9802c46f5220e004e30ae5

SHA1
6b1e66a43e4dd0224b725d9dabeb1955fd4c5f52

SHA256
420cfd9554b6a179e56764d7a12b6437fd3e8b9cfa5849a6626d8d68d443634d

SHA512
84251e4dc9776a1342bdbdbba367e44fa8ad09d5dc1f2ccba1b7738d4d9868eae5fefba8611d24f5d6fd8c3d1fc30f492f9567080dc4a340abdb14a5686fae25

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.3MB

MD5
b6450b36282b5589ad45736b72b5d71c

SHA1
c1a5e775670e6c0350b2136ff89b6140c2dc8815

SHA256
47b6246e5087c51145ea7fd05b8ee8ba05f0b668d4f5a514fecbe46142d64df9

SHA512
40a545d04e20e861255c0cf4035fdc149a255119b7e9e632bce030781a8800fc1bad505646c1b53e410c5f0328b9adcccd96f51627eb736ce12012c6bd088cd2

Download Submit
memory/892-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/892-99-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/892-79-0x000000000041AC00-mapping.dmp

Download
memory/1084-72-0x0000000000000000-mapping.dmp

Download
memory/1828-89-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-90-0x00000000004417D0-mapping.dmp

Download
memory/1828-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-123-0x00000000039A1000-0x000000000484D000-memory.dmp

Filesize
14.7MB

Download
memory/1828-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1828-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1936-70-0x0000000000000000-mapping.dmp

Download
memory/1996-54-0x0000000000000000-mapping.dmp

Download
memory/2012-67-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-66-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/2012-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-60-0x000000000041AC00-mapping.dmp

Download
memory/2012-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2012-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download