75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29-11-2022 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe
Size

397KB
MD5

d1ff42bbf3cb032e645abb971be30e6c
SHA1

50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85
SHA256

75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e
SHA512

84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7
SSDEEP

1536:4yh5JT8iIHLryUCkffLUsKrqGloK6votWdZGu030J49+I+CZ3wes:4c558LHnyUbT/Io7B0843X3w

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1148	winlogon.exe
572	winlogon.exe
1128	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swsc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nd98spst.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccpfw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleToolbarInstaller_download_signed.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfeann.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav8.0.0.357es.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpftray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bisp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apvxdwin.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luspt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxquar.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanh95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\deputy.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet98.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trjsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qconsole.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1316-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1316-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1316-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1316-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1316-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1316-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/572-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1128-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1128-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1128-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1128-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/572-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1128-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1128-113-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe
1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1760 set thread context of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1148 set thread context of 572	1148	winlogon.exe	30
PID 572 set thread context of 1128	572	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://z211qkz25dilg36.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a00000000020000000000106600000001000020000000029beb01a1f2c180eb239b2d152193160228f2b3b59bd1dee60bb47f98790157000000000e8000000002000020000000b0daa4389a7567263d1f3700aeead679e8335733196fa540b0584f19d37c80e4200000005a4b6060c0429776ffb50fc9ed84864f8cfe682936dc1629263b5087f53e0efc40000000bc14ac69943b5f249c587eb5d8cf562f6282e73838eb049f22a5feb3d2a1b5fbd4b52ec43ae1aee38a09e9060f21ad62927385d996a01263074dfe930cdbafb2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://06fri5cagsimsjc.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://6wbko7cu4lu1sf2.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80aaacf9b304d901	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a0000000002000000000010660000000100002000000087e6244911cdb86aecd3d64ee81d894b081e13d94db4a38ed9f22e2ecc4d1649000000000e80000000020000200000008c5d641e854338a4bccab6b46e9dce41099554ba138f49baa80076dd1bd590e69000000053cc1041ae9377f2cdc3130155d62a06b5b4e68fbd9835088f4ff96298e8db596e625a8e408551f3570b90f62b84604305019ab09ea15fb29165ea3335e62afeb5cc63a343a0f5cbe9a0fa3266f0972b0ec6729e46b9b6aed685935d614758850973f71f64c6b790b2a8855684f94a08a1c3f7e08101967d0101f8001f9b0903baaba84b2ae655c7372e73589070e59a400000001052b51ac7bf75ed99ed8995213c4285e38cc8dd1ac2f76ab73be067572035cc5ff528345ebdec447dcea7903dd6a0191818ddcb6d378a429cc081dd33a836da	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376574857"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://x2g2tnod917l91m.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://jct0s856feux015.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://77wizn5bda1mvtm.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://kih7m505yj87b5l.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://504tww2c2nwxzni.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2C3547A1-70A7-11ED-9ECC-C253C434FFA8} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://5in739gx1xap1dg.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://5i1d036ukc0l34f.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1128	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1128	winlogon.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe
1988	iexplore.exe

Suspicious use of SetWindowsHookEx 45 IoCs

pid	Process
1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe
572	winlogon.exe
1128	winlogon.exe
1988	iexplore.exe
1988	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
888	IEXPLORE.EXE
888	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
920	IEXPLORE.EXE
920	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
1576	IEXPLORE.EXE
1576	IEXPLORE.EXE
1988	iexplore.exe
1988	iexplore.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
1128	winlogon.exe
1128	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1760 wrote to memory of 1252	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	27
PID 1760 wrote to memory of 1252	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	27
PID 1760 wrote to memory of 1252	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	27
PID 1760 wrote to memory of 1252	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	27
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1760 wrote to memory of 1316	1760	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	28
PID 1316 wrote to memory of 1148	1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	29
PID 1316 wrote to memory of 1148	1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	29
PID 1316 wrote to memory of 1148	1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	29
PID 1316 wrote to memory of 1148	1316	75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe	29
PID 1148 wrote to memory of 1108	1148	winlogon.exe	31
PID 1148 wrote to memory of 1108	1148	winlogon.exe	31
PID 1148 wrote to memory of 1108	1148	winlogon.exe	31
PID 1148 wrote to memory of 1108	1148	winlogon.exe	31
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 1148 wrote to memory of 572	1148	winlogon.exe	30
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 572 wrote to memory of 1128	572	winlogon.exe	34
PID 1988 wrote to memory of 888	1988	iexplore.exe	38
PID 1988 wrote to memory of 888	1988	iexplore.exe	38
PID 1988 wrote to memory of 888	1988	iexplore.exe	38
PID 1988 wrote to memory of 888	1988	iexplore.exe	38
PID 1988 wrote to memory of 920	1988	iexplore.exe	41
PID 1988 wrote to memory of 920	1988	iexplore.exe	41
PID 1988 wrote to memory of 920	1988	iexplore.exe	41
PID 1988 wrote to memory of 920	1988	iexplore.exe	41
PID 1988 wrote to memory of 1576	1988	iexplore.exe	44
PID 1988 wrote to memory of 1576	1988	iexplore.exe	44
PID 1988 wrote to memory of 1576	1988	iexplore.exe	44
PID 1988 wrote to memory of 1576	1988	iexplore.exe	44
PID 1988 wrote to memory of 2244	1988	iexplore.exe	46
PID 1988 wrote to memory of 2244	1988	iexplore.exe	46
PID 1988 wrote to memory of 2244	1988	iexplore.exe	46
PID 1988 wrote to memory of 2244	1988	iexplore.exe	46
PID 1988 wrote to memory of 2684	1988	iexplore.exe	49
PID 1988 wrote to memory of 2684	1988	iexplore.exe	49
PID 1988 wrote to memory of 2684	1988	iexplore.exe	49
PID 1988 wrote to memory of 2684	1988	iexplore.exe	49
PID 1988 wrote to memory of 2188	1988	iexplore.exe	52
PID 1988 wrote to memory of 2188	1988	iexplore.exe	52
PID 1988 wrote to memory of 2188	1988	iexplore.exe	52
PID 1988 wrote to memory of 2188	1988	iexplore.exe	52
PID 1988 wrote to memory of 2796	1988	iexplore.exe	56
PID 1988 wrote to memory of 2796	1988	iexplore.exe	56
PID 1988 wrote to memory of 2796	1988	iexplore.exe	56

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe
"C:\Users\Admin\AppData\Local\Temp\75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1252
- C:\Users\Admin\AppData\Local\Temp\75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1316
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:572
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1128
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1108

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:600

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:537609 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:920
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:799767 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:668697 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2244
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:799791 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:1717272 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2188
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:2896920 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2796

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5138a22c0c4156c1b2f9ad291e3cadc6

SHA1
2246262c5c8c94d242129415349e344744f38a07

SHA256
581b947db93287c18ce5cffd2d2c517153199f68c9fb1696842fb4a710270778

SHA512
68fe54c4c666d4a75e1319056e8103da610553a1b68876a40ebdca1f5dd6527358bcae40458ec0ec3532071f08f33eeefe6e9d95b2a4153c1bead6b9780f0858

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
8f58cd30443a495eed3ec0d9827550c1

SHA1
fd0f53d2acc63ae015b7b42155136ade5841ebc7

SHA256
333a3cae36081ea37371e32dc9587faacfda5970daa476b3b36cd6f587ce1594

SHA512
43f072fb9bbf61d6e8ac2632970b9d05571ae1408ec9f649213d2b0b4fba7e36d70108811399afc96eef82167717a47895702c6fd57ce9cdc5e3a442f1de5dda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
cf43495aac85e698cd9b029867f9c178

SHA1
763dc926c1175bf360ca5726709ab1f247d6a2b1

SHA256
73b2e77ef4daecb5955fe6b7605c4fa318a29f2bf545d43f63c8e63fe164639d

SHA512
336c8e5b3af70d584b5a86ba9bce52ac0454ce3cd02b9ee655c4e91f72a1a37ae8e93a6755f445ee29952ab106014071a85eee299c5a33bd63d1e4e64e63691a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
e85494c6f080f84f2426bdee34a14251

SHA1
e0827a9983bb27b4085384ba2831412d4b3abe73

SHA256
a3d8d89ddc578495f043e2db4a8a326feb6c3d6697be2ab95ef95d784e8a093c

SHA512
3589cd8f343bbf30ea564b98e76f01e3db25d4edacd549850c9f35d6dc17342ec166cbc4b78a672e3a7dba448c5f554e0a3992055907b096a7894b0505d41d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
97d1b6e4dafcb8a6a3357ee140aa5c81

SHA1
115404ea6e01d17ece15fd4fbfbba9aa7a55bd60

SHA256
027c8c3a62420c55d3a3720f46a9b0598aec4b645ec221ea375bc73f0099f355

SHA512
83d8c8a22e580102d042d8041709916c7192d485422e4b383bd116873c38f2d6555370e8e3a590488f4fd4916de72af127641a6b316b538a2a03ab4a7efbf70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
2ee1f791cc5c6df8dbebe5e262267ed1

SHA1
2c66dd0976db3ac441b048288ea0ad26552a05d6

SHA256
a3dfdc87378b6e1bd6ce06ea7e9fe7c356718efef546299123ae7f02a6c36b3f

SHA512
5cea9fe272314e59d9632dcfc8a1b62a694018e4f18d4223a09d02ad09b994d37210958933ceda738bd05d2faa0f4f412cd49d7da3ecde2de5e9cfc81acf9944

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
6753ec161e67bf97a85d09062109d96f

SHA1
15282732eb151fadaef4e12df0566a5eedd4ddf6

SHA256
b4d09471f33d94ca1fcfc45b14032460daa65221704c0e875fbc2507e9ed83bd

SHA512
337ec3be4322b6d6b423e2cca36fad3f2ac198d843e88f0524e6afa2fc0b017e67b3a75af8c424141402e4c3c2375bf54156787cf54337dec6164fd48d466f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
1c0069e702ef4ab68921abb56befd6e8

SHA1
4af129a0162782d7229f25a2e7589f8b1111c8da

SHA256
527ce97d84f0193884204549ca7faab5c939516195a4085f73737a409714fa00

SHA512
30305929c8f0c4530681522408cd7833aebfeb980eb355424abc16215d7d4a9c47820d51b606e9769c62c0c8bdb04a071b4cf00b0de37b339c9792884fe81084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ef02c14e08beff04b87c80bc6830f47a

SHA1
574151794ad6d10690ec99109472290eaa113303

SHA256
9ae3ac88a30eb752488ff607ef984dbf7bdc0f23691401e730ab2b75b0fc2eee

SHA512
d1be21427bcccc96f1191a3e3c821df447d98f7a735151f46dbc015d3576ce8935ab82ff4649de084f28afc684146c8e38a361055aa50978ecec26d8d4512850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
419a55a77c07ba948837ee02b5554c27

SHA1
73a3239898cc1f607e3735c5371f96ccf35029ae

SHA256
4fd5c6e26003e4186c19b660b003824bca048b98603e0435b4d449144a591964

SHA512
f41bfa19455f08e6b3fe5b44e9469984540c5dff8c467153f99bee58ab12077af5136e584683d2cf5b00a7361cdacf2feb6209fb8df2c2599d1f8f90c8910368

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
2aaa4e75ac3c5bd14331059c1d922217

SHA1
f762b6b81f7f12f14ff1d39501169cc5e31dada7

SHA256
da0d7778366f921b1b3aaf56f2a1332c6acb58d80307acc7fb875cd691aaaf8c

SHA512
657b3985d36e9e028e07a1b070c98e87a1f0c8263f33a32f31e387e3ce137818bff74746fac39bedc8efdd834cf395fbd2e93e0aaf707be606eac87d8c10f852

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c9063789cf6ac93b688ce1e2117fbe8b

SHA1
05da6803e4af1ed367dc475a48ea097783fc5565

SHA256
4a2049b14925bf80e3da74d50784892c7f81f61b785dfd94034ffeed938ba220

SHA512
aeef9c9e8cfb2cf9b3d4f63c4e8fc16a2523229ec87f3744f7ad0e4c97d9de072494af496134b72286e3ca67620db713329e098c2fe7b5a1e57219444af62d96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
c0d81d0211fa21cc0c0011724ad6a8c0

SHA1
81450ad24a24f58d8c63138c7b41aa280719b536

SHA256
0b9137c1d203bcdf827f5936aa4dc2776d8c6031b231988a23dee66b27936389

SHA512
e8cf835bf9cc18c48e8b3ef9e9a38d620879c3ee5ff81a65320fb7781420c41fe3bb86f972a704610644164d14f035e428cfe819c1bb72f6da8cc71050fd412b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9f1de5b85ff0ea5100bb7b55fc4927e4

SHA1
3d9188935c1895891dc4a712625ff07ff17c9f91

SHA256
a169cfbead82815d6ec9638af5e6d9ce6c7945eebd19a529d02b5d66b94a6db8

SHA512
3b6d8001788291835da74f29649276284c51de1953c37864a9a0e890ce8988d78cfe2d4ef13bcacd86af321b5003d6c3b9b5f71a73678e414f1ba4e4ab7f7450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
e28e7dd236579b85e8cbb5639178b1c6

SHA1
7a910a8706476cc3c6e7fdc47b13a8465c3ada4b

SHA256
0bccd872907df6f487219389f5f3abcbd81707bc9f76f66dbf3b7eac59207e88

SHA512
9e192c9f7fb2961f55acbb59076dbdca63337e95eadd32b69772bff23d226b46a50fd92010fd1889ce2a4944431df15f03015cded3e9051beed62e6347b0f9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9ac57344ccfdc4deea9a7ae4881877b7

SHA1
b9df5ba2d62df218f21e1292a012f65901da300e

SHA256
f0ee199f70067715222a43c63bd2be3ea50aad359b031ed91c174ec0d283de62

SHA512
951553ddbd4fc4d9bc8e1ee03dc591bd3af561ce200cca3c5dd5b1af42cb9df37b236feb84a0db977d9aaf4697ef022b4bb4750595cb5f23b71f57030ffdc4cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
fc573cb188d71146b7206568a23bd891

SHA1
9ee7bd668a5c0a002954f4f2757102141171091a

SHA256
e94549864c4c745207e030bab42c173833a883fe1ccdab6be0910318ba874f91

SHA512
a06c3d6ffac04b733a3cbefb38365a54e4b0174253742d0e06ac90cc55bb15c1d23978f3150a1f68172902810b05c91ad1188a0dbd42a57b23bd145f9a4d9485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
019bae654566df92e28d9b214e5058ad

SHA1
900f76242a553ed028c6378691fedf93ce0810f9

SHA256
1f5be8b9935ce9a1df7da51667d29ca2684581027f9297d141ba72010a398b7e

SHA512
1e721d83930fe62d6ce7781d1f80bf4ed7edb956d30ebdcda8587cf52e3385b6c9a791daf8f0863f3eb3ec931a570401de03b6642284dc7f0d6f2a5859f5cbc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f45a59ae7ae568434924b115b222373c

SHA1
6f4bd2859368b00b08a6a6d447e7975e9b67f9e0

SHA256
2b45b3bda4fcefa46d423cd9567c8478749f197ffa04cfad0a1a0827edf014d8

SHA512
7e83a5a7bc12960885269a853de145218c556e41782e9b75db2bbd25f20b2cd584b0f1f2c5880e3b3ad3ffb38e1ffa5fcb1729d481cc31d83421cf66f9bd25ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
57b0a696c3578ef41a3ae1e4a7aac77b

SHA1
a9461ba6f1dfa9c1c0246b7b37819ac8990813c6

SHA256
3607275b5e2fc6efdab30343d7e9ed4d08bf1e17fe3109199108309e5a84af65

SHA512
e3128b13dbe5788ac70000dcde936b982940cb0d90fa4ec97359fa8975ab05fab30c2ff247583f9adddf7315e7f75c2288888e4823d76c488a8ac0b074c2a0d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\GBKIMXL0\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\ZME1UWXW.txt

Filesize
601B

MD5
012779260d92643dd9288c4c63c42091

SHA1
75f433abd4ce328a13439b845be16b187e73abb8

SHA256
39f7273d35a7d08abad1e2bafc4e9466992b02738c668611da11eea7f981ce09

SHA512
ed8ad1e01d76d10e17b57905d5d7dff7ca84f8d03fde16700ddebeba9ffd09cf3fd981915eeda6bb21e53bf3b4317c9ba8cf3d81b620547b78249ac5deea7d43

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
397KB

MD5
d1ff42bbf3cb032e645abb971be30e6c

SHA1
50c075163e3c1928d2e1d5e8bf8aa3826fdf3e85

SHA256
75b8be410e2039671a02f38f56e7bb3048bed72b99ccefccd8f1d21d9299159e

SHA512
84965cf4b07261748e6d3930e0f3cc27acb2e6d2568e206c4c246ced9bec593a38940b81cfb43f482b2a2216bfee887dba67fbac8858bb93bdc1121d7e5809a7

Download Submit
memory/572-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/572-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1128-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-126-0x0000000003BF0000-0x00000000046AA000-memory.dmp

Filesize
10.7MB

Download
memory/1128-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-113-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1128-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1316-66-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1316-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1316-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download