Analysis
max time kernel: 150s
max time network: 164s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 01/12/2022, 02:27
Behavioral task: behavioral1
Sample: 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Resource: win10v2004-20220812-en
General
Target: 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Size: 312KB
MD5: 8a07e324c39401883d4f3e928ed38b3d
SHA1: 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256: 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512: 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
SSDEEP: 3072:1RYfhn6IxI4BXzk6K6Tr5DOZeCzZPj8o3:rE5dXzkmMesL3
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | winlogon.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Disables taskbar notifications via registry modification
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Executes dropped EXE 3 IoCs
pid | Process
1304 | winlogon.exe
1116 | winlogon.exe
1360 | winlogon.exe
Sets file execution options in registry 2 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshelp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avupgsvc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe | winlogon.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscenu6.02d30.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fwenc.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defscangui.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-pf-213-en-win.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrl-421-en-win.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aplica32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpf202en.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swreg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clean.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsynmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csinject.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpfnt206.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gibe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcfwallicon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pptbc.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\swnetsup.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwntdwmo.exe | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"" | winlogon.exe
resource | yara_rule
behavioral1/memory/1752-56-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1752-59-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1752-58-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1848-62-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral1/memory/1752-63-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1752-64-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/files/0x000a000000012302-68.dat | upx
behavioral1/files/0x000a000000012302-69.dat | upx
behavioral1/files/0x000a000000012302-71.dat | upx
behavioral1/memory/1752-72-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/files/0x000a000000012302-74.dat | upx
behavioral1/memory/1304-83-0x0000000000400000-0x0000000000437000-memory.dmp | upx
behavioral1/files/0x000a000000012302-81.dat | upx
behavioral1/memory/1116-89-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1360-90-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/files/0x000a000000012302-92.dat | upx
behavioral1/memory/1360-94-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1360-95-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1360-99-0x0000000000400000-0x0000000000443000-memory.dmp | upx
behavioral1/memory/1116-100-0x0000000000400000-0x000000000041C000-memory.dmp | upx
behavioral1/memory/1360-101-0x0000000000400000-0x0000000000443000-memory.dmp | upx
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe | winlogon.exe
Loads dropped DLL 2 IoCs
pid | Process
1752 | 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
1752 | 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus | winlogon.exe
Adds Run key to start application 2 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe" | winlogon.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext 3 IoCs
description | pid | Process | procid_target
PID 1848 set thread context of 1752 | 1848 | 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe | 29
PID 1304 set thread context of 1116 | 1304 | winlogon.exe | 32
PID 1116 set thread context of 1360 | 1116 | winlogon.exe | 35
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://kj3i67bz681xk38.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not present in the page extract] | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://do9mm7sz338271t.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://9276h92pt6w0nc5.directorio-w.com" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000022d995a02de83d44bb5a4a9b03b36c53000000000200000000001066000000010000200000006f417f25615b4d17de24ca19067c602089d4a452a9037f8efe86867b05fb7176000000000e8000000002000020000000f239b164915069f4c8444af105e2ec6f3cd965a11f6d95bdedca88d24a2176f62000000079a306d4676b6fa4bf577b068d0371e5778703c88d4306de49c290b06c22c9a2400000007286c99907f85868f3f4c4ffbf7d1298b7db186b5a40b4d1300fb40bcff19160022a31cc2b91d4f6f7c3760123b3fbc1db7464feca6338d35b6751b8027323e2 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a012add1dd06d901 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://880ux4syx8v1wu0.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://tl1060lypry7ukp.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376812709" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://q225528wg55kgwx.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1" | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://kcduvoj3pg7wfm5.directorio-w.com" | winlogon.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://7h5d7svcriboisb.directorio-w.com" | winlogon.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6DE20F1-72D0-11ED-9351-5A21EB137514} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://fqwl3rd0xh4g0g9.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://s36rz85y85jxh9l.directorio-w.com" | winlogon.exe
Modifies registry class 24 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\"" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore" | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec | winlogon.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec | winlogon.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
1360 winlogon.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeBackupPrivilege 1360 winlogon.exe
-
Suspicious use of FindShellTrayWindow 6 IoCs
pid Process
288 iexplore.exe (x6)
-
Suspicious use of SetWindowsHookEx 29 IoCs
pid Process
1752 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
1116 winlogon.exe
1360 winlogon.exe
288 iexplore.exe (x2)
768 IEXPLORE.EXE (x2)
288 iexplore.exe (x2)
1032 IEXPLORE.EXE (x2)
288 iexplore.exe (x2)
2200 IEXPLORE.EXE (x2)
288 iexplore.exe (x2)
2580 IEXPLORE.EXE (x2)
288 iexplore.exe (x2)
768 IEXPLORE.EXE (x2)
288 iexplore.exe (x2)
3044 IEXPLORE.EXE (x2)
1360 winlogon.exe (x2)
-
Suspicious use of WriteProcessMemory 57 IoCs
description pid Process procid_target
PID 1848 wrote to memory of 916 1848 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe 28 (x4)
PID 1848 wrote to memory of 1752 1848 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe 29 (x8)
PID 1752 wrote to memory of 1304 1752 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe 30 (x4)
PID 1304 wrote to memory of 1336 1304 winlogon.exe 31 (x4)
PID 1304 wrote to memory of 1116 1304 winlogon.exe 32 (x8)
PID 1116 wrote to memory of 1360 1116 winlogon.exe 35 (x9)
PID 288 wrote to memory of 768 288 iexplore.exe 39 (x4)
PID 288 wrote to memory of 1032 288 iexplore.exe 43 (x4)
PID 288 wrote to memory of 2200 288 iexplore.exe 45 (x4)
PID 288 wrote to memory of 2580 288 iexplore.exe 48 (x4)
PID 288 wrote to memory of 3044 288 iexplore.exe 51 (x4)
-
System policy modification 1 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" winlogon.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe" (depth 1)
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848
  -
  C:\Windows\SysWOW64\svchost.exe
  Command line: C:\Windows\system32\\svchost.exe (depth 2)
  PID:916
  -
  C:\Users\Admin\AppData\Local\Temp\830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf.exe
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1752
    -
    C:\Users\Admin\E696D64614\winlogon.exe
    Command line: "C:\Users\Admin\E696D64614\winlogon.exe" (depth 3)
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1304
      -
      C:\Windows\SysWOW64\svchost.exe
      Command line: C:\Windows\system32\\svchost.exe (depth 4)
      PID:1336
      -
      C:\Users\Admin\E696D64614\winlogon.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID:1116
        -
        C:\Users\Admin\E696D64614\winlogon.exe
        Command line: "C:\Users\Admin\E696D64614\winlogon.exe" (depth 5)
        - Modifies firewall policy service
        - Modifies security service
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Sets file execution options in registry
        - Drops startup file
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies Internet Explorer start page
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - System policy modification
        PID:1360
-
C:\Windows\system32\wbem\unsecapp.exe
Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding (depth 1)
PID:1108
-
C:\Program Files\Internet Explorer\iexplore.exe
Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding (depth 1)
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:288
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:275457 /prefetch:2 (depth 2)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:768
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:865287 /prefetch:2 (depth 2)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1032
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:799761 /prefetch:2 (depth 2)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2200
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:930830 /prefetch:2 (depth 2)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2580
  -
  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:288 CREDAT:799786 /prefetch:2 (depth 2)
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3044
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 1KB
MD5 a7652d8d56f0f500b6c0fa4dee99ed1f
SHA1 a3913bd6da9fe9abd1eb627580cffd4b4e93de11
SHA256 208b49176d7716f9cdcde3c2d36911d006e2dc6e0f8a80ae0d992e1c9e29b208
SHA512 78ec13fde969f281f6ffb2cea08580bc18856f70d658bd3d1bd4cdac11a4291a0460dbdc2c59dec70120079576bdf81f1e4d9ec0d77e86dc878ec3de82610451
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
Filesize 472B
MD5 1377c2956f6d4d989e6fafbe01600b49
SHA1 7a550dd67e42a8f1ba1468646af02691d0580345
SHA256 4e0206cd8e1112cdefa7f974876461a968bbcbbf016b1b1c2e3af77346507886
SHA512 0c559b1d2e6d1772aba8cc7a9dc8891522dc2df68558d4285ecaa87da4fabd81808f5ee8a599ceb7e26641029f7f9b3d27f33c2f42b0bd1f1a3fc5612083ed09
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize 1KB
MD5 64cf1c314650b593f140c04a540e4111
SHA1 b33c47c7b494a26d93562be339a7b6363818ca23
SHA256 8528a21bbb18d9e4271b3abee3137611790e826405e812fa4d22dbd969cf971d
SHA512 429b543d58b587487865f798ca7a901de87032f58e64a03ea41193300de1039585f4e3e981146059fed56125edcd0f8e926c5c9a030f63ac90931ade71df1d7d
-
Filesize 61KB
MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize 1KB
MD5 46197022f50b794909b3561af3f42e02
SHA1 3cbde28ec6529125305948aa8169db7f80cafd16
SHA256 5ef10b6c0050600b4c72a137de042e696668cbbda0938bee53249ca4a46a3733
SHA512 780410317edaa0e0853f8035e1729b830b64fdf3bbefa7637d8efa61106ca5cc18a9fceec1789926820dddde87a40d4cc53bbb810674f921ac6f2fca6893bd7c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize 724B
MD5 f569e1d183b84e8078dc456192127536
SHA1 30c537463eed902925300dd07a87d820a713753f
SHA256 287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413
SHA512 49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012
-
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize 410B
MD5 b55957a79979d49d69760696710da552
SHA1 bf7d80df083cefeca9e862f34ebee87b780f29e9
SHA256 992865a6a5295890cc8ff31ea40d54f6f74a9a63df82a52dbab1329cc73bc140
SHA512 7811f3429bc0df542be23e97c7401ae0862b2b85274fffb551e60442a83d9ffe62a5f5879ddaabe6a1f2761f71f5ac6013e56a2791121178e11c4bb86b77f254
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4
Filesize 402B
MD5 0a975b0022065a2ebde2e2c88359a3f4
SHA1 3f4542fd1c6b3d5b6b52b5f472d813962ffac5b9
SHA256 bce82f18081ae301bf7d3913b9e1f7ec067b733914c67d8755fad30985ce1222
SHA512 b30ec5b92ec6f9e7754dd422e39aa49cb3d7220fd9d7f85d8bb8d4356ffdc0d425911a024872e6d5b7ae066c52c00cdb4214beb3ed4d3f55bc11d279f60a44d5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562
Filesize 466B
MD5 1dbe0498b7365c0ef9a0e92a7cf340f6
SHA1 18881c6898a987ec8fc9dd3f05ab7eb5144e89df
SHA256 95c8e2d3cf8dae7a1cac4952729e679c5b0902aa329dd278a7430d3942ac1e4b
SHA512 9e677049dab2dbabefdbe6ba0593e1fbeb8f1b69f27ca88ce6c4f564d541870b1dbad24acc01640ecf5cb4a5a7b896cdb9bc34585461fa31bdb871781f08f085
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 29f4028d4b7fe0b4b2f00a66f17b87ed
SHA1 ff5352c7b2c98b338018a2d4fb62602f44900487
SHA256 64c7ff6b838d2883ba490fc660d24254b4276a7214186508972b445ad03e6af6
SHA512 9afb5ede345d655de3cfe1ad91c00c483e191c8dc81192d38b0f655bec8715b761db05bd0195be2e0a22e38c443180aa3cc654b711073a3164b45d5863b88d5e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1e7200f3663e7e8285df6e76e45cf34c
SHA1 1f225d78c0e2ac641ecc321e52f4beefbe052377
SHA256 b2498b853da3e9a74c4df0eafc361aa765f0e96c87b822858fb98fbb4713d5ef
SHA512 f01889235389baf965f018f69b77d9416f032d550892413f3437b1acc7d3a8870e1113cf17cdaafa612127d42eb938fed037def4a5b2ec533673f9ff1b44c57b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 dfff4d4b004afa17982190b90df10628
SHA1 8d2a46cf85e15ecf5bd87f4c56dd08579d8cbce2
SHA256 8484697a6dcc9f62ceec35b7db578f5ee32ab4c258a75ddd377bf69cccfbb68f
SHA512 d0a210db24201dce786c6fc81e890ab3e7f4472c71aac6dce70d60ee0da9ac0e4a7fbd94786fa2eefaeedd25dcf0c3a27d2181b7f985fc93b3f16204292a9778
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 605f55b9bb3c819e78a76c7e79329fbc
SHA1 26777fb186cf5756bc28e3f6759562a55448b69f
SHA256 b17000d5e0f2754bccb6dbdeb8320221974d96471d236aab19960607c587013d
SHA512 dc42a0ab3c39b42a64e6c33225f02238002ab090938d0df76da03bc3d904d7f4e5492d78b6840e63a62ec66a1bffcc13ba343bf9ad25ee0e18a59c0fdfeda91d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5bbd24d278b797bf8642a8e4eb15dea0
SHA1 04e508c205bed4d07614c79f7a4444574d48f43a
SHA256 0f9f73ae3aaaf0155ac3406c3f34956b42ec4ecd0dff77aa1827309c2846b430
SHA512 33438d67cfc7414f09aaf8881f5bcb5957a5ec5561c29c67ceff9c4020377cdef4c8e025c096590f7ce3e54831bd20d7a3248abaaa9e688b13f84b5e00ae8b92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e0c1c0612946de0079f4f94d13fba4ff
SHA1 52187be1ab789b0bf65c4a70d19744c2159a09ae
SHA256 075323d45ac7e4e924d16c6a08d817db8a3d2c55ab78b780e87109368756c2da
SHA512 81a29456f1b9ea28858985327d6adacb54a6c0e942e26dd57f759fa78d0639d9549381a7b6b288b41f009cc8654818e6674019072efa4653d7d048f280e16630
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 8daf4c82ec49ed9b7f607bb1901245aa
SHA1 9abb71dd058aec60c9fc8fecc12c0611d507f08c
SHA256 6b6beb83a60e3314812168692c875ac3e66b7671d83cf5983fd82bcae132b25e
SHA512 746dc81fcc400289263e97ce419b21864b73f1ab5edb8d1287d15d7e14b60b25b38c170636c6932426685d89d763ae134346838ab20516540d0a1d5c79da91d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 5d9d83b815fd0a40486e0f406975469a
SHA1 a8f91db16453ae78db8cf71a64ac25c2e2156c93
SHA256 6faa5bcecff51fecf4feab698104d295094e11284c347efbd65ea9530386f891
SHA512 3f35c0504f929645a0e57e7cefe707f1ea5c60732984f04f4ff1cc8aa8b1db767153d16b8bc353ff6edf90453722aea8f5778fafb99fb16b9de99bed0efaab07
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 94a9f8d84b02a3a43e4051ae03ec6723
SHA1 cd27420caa989599abd61bac6487d2fb3aee8ef6
SHA256 fabe19e1591f2642b66092356ad65aab4f4b31fc847f27fd65f22af11175ea34
SHA512 46ef5d4b7ff136330f31f1af15c25ae31ca63a3cc751e23324401398600cd1f201e6c16b28deb7e768b359b05f376cce026f82c33b460fd8f6e1cb79fc48843a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 76651e135c98c66bb553a20e9a038564
SHA1 e6e05a68e812add82dfe4e273d6444de5a1f5d41
SHA256 d2b4d4bb387c43bdc1cc6dfcf730e1cc10f5adb88c6fbc3ebe83360afa4286f6
SHA512 df279ec8ce6015739b4d975c712bc23fcfccd6ed782856649cb5ae3be0fa124ad6d30970561b7e8ec895b00a98a13c15054b45dd6248fc7b4117ff7b02c15754
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 67eda2a87e03d3366dc4a92ec228bc18
SHA1 f1283cf70e563fed59839a7fe548bd6ae50d56ec
SHA256 92ec0080ccc44650ab2aec7e47d42eba92cb876d254273f34d089f9fdb79a506
SHA512 06c70b11868535fd59ce80c6287f0af23cd819b6f09a841c88efda41ae8796b78f15e8ef3dd19118f5cdfa56a4735c5618a1b6127646b6acf6c1757d7c22d566
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b420debc7cdf5b17248c6524f347ddd8
SHA1 95027905c27c5bd295903047593cb448d1481972
SHA256 be97fea3b45bd16c5af778c3c1b1eec4abe03d15b8df49eedf7050d68da5bf38
SHA512 6a5514c75f5732c0910575f6d9ebc0d62bd7395d30a1d0ac630624f9279f6e918739fc7da764c6c289173dc6ad62fa4db37ca6d7977377734b085650175fd40b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26
Filesize 470B
MD5 3cb201b5a500f3f9c9e52b6217b7984e
SHA1 91c92497eec6f7a385d68120abc44d848b0478c9
SHA256 dce6e34f4bb4cf8343fcd95dedeb0ada2241086e9f79a4b1562429fd12da83e7
SHA512 cdd8461f861d642152b6015234825933d352b7b7f198c1b6008a8db04dc1ca72cd5a515a40eb50deae28ccdbf16bf30b667d76865f996be9679bf66a38046611
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize 392B
MD5 905d6fd9a7a997702fb0799ca593b933
SHA1 52f3d944e3de55ffe26eb43786c68c3f163f094c
SHA256 8d16891c9da082b6d3193748dc36ad7b35591e5ae0f727342b96608d59a3ac19
SHA512 559bf6488395ae4095543114c1dd8e99766194469fa055b5bbe1cb00834a70c0a6b9b52f7f0d9a7d64bdba96a3eb15fe2824b04eaeba17b954697c61abaeb557
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 6b79ecdf7481fde66fb5e76bf2ca17c7
SHA1 09012749e669f52e2b197a6a2f63ffad6c70eea1
SHA256 9207cc612e786088c68166f7f666e8d37c7a5055885d4d8e5f38e01e12fe9786
SHA512 13eadfc7f9d8141c8cf6ec5493406f2a4aec61b61bd64b987037c232578cb378664d612309bab52e52236985ae497de95bf8c2201c643a13c5c99b7706f5665e
-
Filesize 13B
MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed
-
Filesize 533B
MD5 0b0a44c5766c0bb11802ce3f0699ba0a
SHA1 17ac34c3ce2ad08feebe43c8221e17b5bdc808ab
SHA256 af357519e1b91c3085fe5c5dd5b94a799968ee3d05a90cbc88bf179c7f62f7c7
SHA512 f2844241f33ce6133b6c05c26c4a8c230ce9617a6e377003cb0c9c01db3b3ca2b1022456c60af8997e0ab3e6d405b113c5d128465fe57dd616d7117d28713306
-
Filesize 111B
MD5 4d95d806659d01c324dea8682d2f0e4d
SHA1 41ead824bd942936651c737e0d8a3ca39db33a19
SHA256 62d1727273a78aaeecd8dfde63d7b9fcf6c7e0d1e2425f08c8b72c4cea3b4bb4
SHA512 ec54624e261c6d3331f2c1b6d5d61c71d913174f07c30b69e3f1aa4d6b1a4e7dc7ade7d59f6795f8ec5f1b9cce77af7b58b0bf5e38d8daa755f9134665a53a89
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6
-
Filesize 312KB
MD5 8a07e324c39401883d4f3e928ed38b3d
SHA1 4cb51deef671271cc5a69d4530800705d7dcda43
SHA256 830573b04db1bac3f5c890a7dad7e2d1e5dce8ea3210a814391318a1521fcdbf
SHA512 3d147d1899608645a81fcc012076dc31bc7b782d76b13ea790e895984119cf816937953d5337bc6096a3a61b092904229446d600f3983b9f5dee65126211f3e6