ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

Analysis

max time kernel
151s
max time network
183s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 16:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe
Size

110KB
MD5

1a2698e2eefabcf1e346e11aecf91c67
SHA1

bfc10e233ea998f01ebfaabb8ae88ed41465359f
SHA256

ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e
SHA512

a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018
SSDEEP

3072:p9p0voWmo1tZAWu7HBS9XsjjHKyWULfEPNU:PmwSDXus9gjHKyONU

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
836	winlogon.exe
1004	winlogon.exe
320	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Process.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcip10117_0.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tca.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UCCLSID.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavsvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fch32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav80try.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ChromeSetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srwatch.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w32dsm89.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\programauditor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsscan40.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswinperse.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fameh32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallControlPanel.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmasn.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lockdown2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsaa.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sphinx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxmonitornt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcdsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfind.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnlan300.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\watchdog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scvhosl.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vshwin32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonealarm.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\f-stopw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ndd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/948-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-66-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/948-83-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1004-89-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1004-88-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/320-90-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/320-94-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/320-95-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/320-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/320-100-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe
948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1996 set thread context of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 836 set thread context of 1004	836	winlogon.exe	31
PID 1004 set thread context of 320	1004	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://845alrd7k8r3y8w.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://1816y5rhpnzcscy.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D0FB9081-7365-11ED-A94D-C6F54D7498C3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376876641"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0db91a07207d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://34mlp50mbqdb160.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1d3bd051bae974d94bc4390abe1dc10000000000200000000001066000000010000200000001b321af9b91e9f39ba1e2f2057297145e68983454869a3f4ebd0c79f48a5e7cd000000000e800000000200002000000048556bb207288beff017d367813966fb92aa8b754b76cd919240e2fd0c8a6e3220000000ce12df4a1d3eb3ec4527e1c5f125c88fa4721633b0443b0342a883897ed1d7fc40000000b39f2d2c8eaf730f1175f614fd7e7b0d3eaf76262b4c925760841937e11c761c552ae4f029cbc9bfa323aed1f9b4b53198def3cf1084d1c954ba85fce3a014a1	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://7fcjryq86r5n9n9.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://3i5ms6rj46pb8ny.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://yf70w9kita6nw8u.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://cy36nv208y58pn6.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://luo9h62g7e1cp6o.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c1d3bd051bae974d94bc4390abe1dc1000000000020000000000106600000001000020000000ad39ca3ac6cf196d3a6aed7406e92443cf8a16138264bda521f6185c50d751f7000000000e800000000200002000000048e620f79d26782be8fd24dd94a547ccdccf9458de9b1135ead93e948f40fe5390000000d4a30c1821b478d7fe6b4537e6d3d3b56e7c6de70b217abca2d1bb5c691e0c5c7835213a41ec701ffac2b152cbf509d84771a72284bdf7f7a2c34dd5bd4e0d7e6c0081da84c5d1f75158324a9889fd7be2bf7ed2a8d352d0d5d61791bede63fc96bd1fbe9c4e1e187c349f3292b07d021f385a14b9501f818a4b3a59ba933180bcd470f63e348edce6345eadaa05bbb0400000008032c3c6aa5a265c55dc54d925a8c0870a79d5aca5d58812121a2e0b49d7ff8a54164635b77552add43504535f056e2b0e71e21c00098d9918e00ef963c39702	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://ylwb3b3dqk8fcl6.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://yll40luav5xb2ur.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
320	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	320	winlogon.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
536	iexplore.exe
536	iexplore.exe
536	iexplore.exe
536	iexplore.exe
536	iexplore.exe
536	iexplore.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe
1004	winlogon.exe
320	winlogon.exe
536	iexplore.exe
536	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
572	IEXPLORE.EXE
572	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
772	IEXPLORE.EXE
772	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
924	IEXPLORE.EXE
924	IEXPLORE.EXE
536	iexplore.exe
536	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 960	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	27
PID 1996 wrote to memory of 960	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	27
PID 1996 wrote to memory of 960	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	27
PID 1996 wrote to memory of 960	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	27
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 1996 wrote to memory of 948	1996	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	28
PID 948 wrote to memory of 836	948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	29
PID 948 wrote to memory of 836	948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	29
PID 948 wrote to memory of 836	948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	29
PID 948 wrote to memory of 836	948	ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe	29
PID 836 wrote to memory of 648	836	winlogon.exe	30
PID 836 wrote to memory of 648	836	winlogon.exe	30
PID 836 wrote to memory of 648	836	winlogon.exe	30
PID 836 wrote to memory of 648	836	winlogon.exe	30
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 836 wrote to memory of 1004	836	winlogon.exe	31
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 1004 wrote to memory of 320	1004	winlogon.exe	34
PID 536 wrote to memory of 924	536	iexplore.exe	38
PID 536 wrote to memory of 924	536	iexplore.exe	38
PID 536 wrote to memory of 924	536	iexplore.exe	38
PID 536 wrote to memory of 924	536	iexplore.exe	38
PID 536 wrote to memory of 572	536	iexplore.exe	41
PID 536 wrote to memory of 572	536	iexplore.exe	41
PID 536 wrote to memory of 572	536	iexplore.exe	41
PID 536 wrote to memory of 572	536	iexplore.exe	41
PID 536 wrote to memory of 772	536	iexplore.exe	44
PID 536 wrote to memory of 772	536	iexplore.exe	44
PID 536 wrote to memory of 772	536	iexplore.exe	44
PID 536 wrote to memory of 772	536	iexplore.exe	44
PID 536 wrote to memory of 2088	536	iexplore.exe	46
PID 536 wrote to memory of 2088	536	iexplore.exe	46
PID 536 wrote to memory of 2088	536	iexplore.exe	46
PID 536 wrote to memory of 2088	536	iexplore.exe	46
PID 536 wrote to memory of 2616	536	iexplore.exe	50
PID 536 wrote to memory of 2616	536	iexplore.exe	50
PID 536 wrote to memory of 2616	536	iexplore.exe	50
PID 536 wrote to memory of 2616	536	iexplore.exe	50

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe
"C:\Users\Admin\AppData\Local\Temp\ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:960
- C:\Users\Admin\AppData\Local\Temp\ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:648
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:320

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1272

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:924
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:865291 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:572
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:406544 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:1061902 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2088
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:536 CREDAT:1455132 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
11acbd1ce7fe1ce8a86bf584c02067d4

SHA1
fb871afaf09064ce8d079f5e39aaed3a4bdc0a57

SHA256
f24e309dd00df0d4bb5e7c4992a985f60b21b90aa1bbc7a2806053f2a6661596

SHA512
f6348b65224116a591d011a83b7fbf947c7c9ab00a58fab927fad7fb4cef952f0fb4ecc88babe3ee20dbaab18059d9fababf326f8bf9a0ca248a054939051662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
1377c2956f6d4d989e6fafbe01600b49

SHA1
7a550dd67e42a8f1ba1468646af02691d0580345

SHA256
4e0206cd8e1112cdefa7f974876461a968bbcbbf016b1b1c2e3af77346507886

SHA512
0c559b1d2e6d1772aba8cc7a9dc8891522dc2df68558d4285ecaa87da4fabd81808f5ee8a599ceb7e26641029f7f9b3d27f33c2f42b0bd1f1a3fc5612083ed09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
9f76a7ec7f14ab969c7c0fb6598b6bfc

SHA1
721c3560f67baa18d66c6305afb900798ede8067

SHA256
a70094c484798e16b0dfcf8c0267018fb13f3f5356ed800dbdededd72ee067e4

SHA512
5c13bcded1d74bfbbcab574938c560b425c0a95d6b226a0e43518404bddb2040b45f87f52a649ff0045767d0f39e7f839cf030d11e972aec3a7ed7e4fd71c49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
3275c832af6321b17787b97afb70448a

SHA1
58358143ea819766796df59cac1b9c634301f12d

SHA256
404d67d1b57d1eef04fec96af6c776cd6d922a6bd37cdf9266e568fc53345275

SHA512
19f9982b0579a9f6e408fc6da5588e7f77ebf49a5b25f5b75128c42621368a597ae3eed936b5c20574d092c49e68a990fce01419993ab2122e8ee7019d9fd072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d3c8b1085eeb4aeb5abfb875d41a7f1a

SHA1
f8a35e28bd5bdb1d11d55643258796b9c2da794b

SHA256
ce13f01befa684ddf21e6763addf9e8f3ac0acb48bb85beb92901dd26610270f

SHA512
a5606408b106f7b8db82e56add100f4f1eef582f31ae5e43174c6b7467b18e2306e98b75ccb5fd77a59479647cd9b73065edc35aa2738f217bfeb63cf73cf87e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
508abdb3e528ad4d0c80ca756996fe18

SHA1
a6318d1ab341a3a9bd8ad1267952eb0d413e4871

SHA256
19b2fb9c42c66d12648608bacb5bd815d5f85fe083de37dae66e9b081792e2ee

SHA512
5f7ab3ac3005d3a522080da8e4557996efa5536f6e9782ab1df4000d61b624511a5dc43e8947687ca203b8fac7cc402159daccd2b0970f5fe2e53bfb4c0c0047

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
c9e4bbe2f1fc1d730857bfe393ad0dc0

SHA1
1e4c2cf56e428531f9b9ce72ffaaad57aa6cc7a4

SHA256
63ebf8e36459af9c2cc5e962ecfc015b695723f97365b5010d2d01f0915a1b25

SHA512
fdf67448f194c2ddd50e741f81ce97372213e7c2cec19f200744eb046ebcb4eaea2f6be23cbf30e727b3fdfe4f210c98efc7f6c77caa61df32418c5d60ad048d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f26698fba6c47302f35e92670388170d

SHA1
bf90fbc97c59303d9bac403ca99af8f4be19ab30

SHA256
d0866f6acc0fc8705f8631d7abbd0ab9eba2be4768a6bec6fad8f35e03baa578

SHA512
455a9deb198a1566153f13091c094a6dcc4df306209a2d9bae12dbf8583dc76ad5830ec3746582e17324b79a7c68e6ef5c9fef8a4bde396595c7784a7be661d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
56478ddff700e61d36b553cc3c8f7eb7

SHA1
d9b8636ef229f796860ca8327682080718d012ed

SHA256
585419614696e0b9074f57012b96ac496bc95a57d0d8a6b7a700996b06c07a17

SHA512
d92f0a1e35c202259bef70f6ac7af938cac848bd256dfdcdfdf61d1d5062c08d9a3467c4758a357d1b2773ab1b64d797f451411c12bea32ab693cba3c19e70f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
193ab5c392f1730f3c187f3c40b74d21

SHA1
cd101d05a3b7a442f88bc7e78e15d32fe85c9441

SHA256
915ae91aa9ce33909505921aa9ba6119808227baec0933284a60598e97580cac

SHA512
f39f7c5ebd164eefe79856abdcfc32505ceb7e466a0ef78b23dda212fa3f73a27d54c925e6c25f4bd426dd915904c2dee0a2ac625d92a54f467d44e836e53400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f401f97ba1b9d62828eb7f793cd38cd0

SHA1
60713d8a04d3b295f2d33d431a96756a5e1d03a8

SHA256
48462c20681962ba2abc37580531ad03a3d16af18bef7054c1fa851504d06528

SHA512
4b06231ad1acd27e54eee6896b66502f24ee9687f3aa92aaad1e7e9f8fdefa17ede682cc7b028f4d3c8941006f7cf6cdd9653e83f93249c261c829319a075ff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
88760c13f4d6212b10db87aa8f261e93

SHA1
42fe12280d7ca4328f06d97ddfd5023d6b76df29

SHA256
0db7d622aef4909ee48605614fec092f431d8fde447582ad1601869e7b5f5563

SHA512
96a79bb0c342f5ba1b6815ab25f1a60ebe175bec381c1b9a7941763d6da3d88f9546ad6f6c3e9dca8c63e5741e5de644ab618cd83b33660ae8f1304a09672796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
801152937f58c88d8a4e3feb38033b3f

SHA1
80921ef69b14dae04c32f6de67ecd6081e370f9b

SHA256
242cb80ca1d0a9bf70746ab7c6364366200305e5f62581e1c53f1b2a646c357b

SHA512
77f4dac4f87dd8f85b157433fbcae400d94b0e7e3b9be8bf31b9b4b433c1f3cc1d38a65f8af12d4a2260bc0f1044b71012e7cd132a3ab1f5227c2515e901e43f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
5d424e261a00e35161e503aa51c319ca

SHA1
ed023bbd33cb07ae592fb54787da411381be7e59

SHA256
4d33642ca2ba04924df034237cc71ab879f47ca058d798df399336011ed323d5

SHA512
a3cba146f460d10943d8349253337d43906df50a42a367861c61bd178bd35891b4dd909d2054774570f35d378f88dab912c1e78dae1df1ef2dfbc76b5bf36c9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
2cfd89be113e6752e9ca344d47359569

SHA1
6d2da044a7e2df98b2b2f278c43986520fb00e9a

SHA256
8c4cd2d4ba40356c9c9b472966769141576220035d346d26dc41167824750f03

SHA512
d20186db3783e9cd06a1c280ecc045384d2a37efeecc364fd08d5696099dcdf386b47b022d21fbb585c2712533bf8db54fe5e6047083801249e5dea0f2f9e160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
2ec3d7617d7fe1f28373edc95a6752ae

SHA1
4fdebfa82e96a5b4d3a5fd5a91495c65b81b1d20

SHA256
bb987d1c593d1a161bab9a73feb4194d7e89ed6a3c0be1dbdf071e8d8b66cb6c

SHA512
9e3fcd8458038aaad636c2e9f4683614d40c1959bc4363eaafe82ead054795c9126776d80308d8e0d90a3f6194aa81d7b123a3ba928c66193a901c780f01bb35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
8fb218575f68d9fa3d228e89312b5419

SHA1
158684c94c3ac59a74331f15b34b042b0a9ecc69

SHA256
a129cec83550b7b53484284d782e0fedfdb685adb2db41054c41b2c0c3f4f004

SHA512
f62408824312ffe0a613db32e0cbaad6367c3c5b902e7ae26c8eb8d937be4ced534486544ec7d929a7a3bf3bf8d3db4d18dc5bf7bebc7825d7748ad86a19994a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\6S6UJPUP\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\1ZMHA8W8.txt

Filesize
539B

MD5
fdfefcab74e066d6628248d98df25da5

SHA1
f1d78b8b58e8a30f68bfad8dc26bdd5ca102f92c

SHA256
d64cd26e8f6091458ea3a569b5955601abe5e4d14cb8d65f93f2aeccaabaceaf

SHA512
e936f9ddae971e3c4233c2b1d130f93e0eb20707fdf1d6289fd7ec7dd69efccae286e1862545506b83f0d428139c42a33e100b258e29a1680a5b9c0fc9387eeb

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
110KB

MD5
1a2698e2eefabcf1e346e11aecf91c67

SHA1
bfc10e233ea998f01ebfaabb8ae88ed41465359f

SHA256
ef2a89769a689ff3a4dc889d29832043f8cc24d858e3db58d999407c79ea6d0e

SHA512
a8a5a33f1ec187fd1839a54e6598436c4d5f8f22d96f9121906f0c3d31771ef72683ebb70f2ce0e5efa4732a10f154ca8aee6019d7f45f5f1dfad32bbbefe018

Download Submit
memory/320-100-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/320-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/320-95-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/320-94-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/320-90-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/948-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-83-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-67-0x0000000076171000-0x0000000076173000-memory.dmp

Filesize
8KB

Download
memory/948-66-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/948-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-89-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1004-88-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download