a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 20:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe
Size

1.2MB
MD5

ae6bfea66177b88d99fab0fa9ad45865
SHA1

3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93
SHA256

a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759
SHA512

d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
768	winlogon.exe
1716	winlogon.exe
1228	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kerio-wrp-421-en-win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pop3trap.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sgssfw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kis8.0.0.506latam.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spysweeper.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\connectionmonitor.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsupp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\borg2.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmntsrv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tmlisten.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mxtask.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\unzip.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scanpm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htlog.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Netscape.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\doors.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icsuppnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jed.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scan95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luall.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tauscan.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fa-setup.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7win.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1420-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1420-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1420-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1420-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1420-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1420-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1716-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1228-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1228-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1228-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1228-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1716-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1228-111-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe
1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 768 set thread context of 1716	768	winlogon.exe	30
PID 1716 set thread context of 1228	1716	winlogon.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e34a4317a47d549a07575a3483048b100000000020000000000106600000001000020000000bb5d62aad64c69068266c64fbbcddf46a127aa877769e0d538680edc55c0270b000000000e800000000200002000000063716ce76a287f6d9c6878b77c7743b171b55e90b66f82ce1b1b7d600f6b345590000000e6704c496275cf2b53a518361213a80ed77956d53e18993caa7a43857ea2fa62632ebb0bfe0d48d1bae35f00ce234f0a249c111d25d40351f2702d3503c5f50f7dc83b26b7db83aacd7489223b0adaa80b191c09e1f93a59f44409e0d089395981c6324c37c69c12013066b93c70e6ee4cdc869019f651542f42fd09a209055beaf0541620dbfafe5ed778d53db219cc4000000041326ffaab3da86badcbc41aadba877eb548907058f270977beb7c00405cdce1a19e9213de169ab52b368b05b4b1193d882b05975f4a63fd0f8db7778ba31755	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://6v40et0t36h5t39.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://dgrdsbgvknv9a41.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40D86631-737F-11ED-B63A-76C12A601AFA} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5079a60d8c07d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://mj4ootmw1174ze3.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007e34a4317a47d549a07575a3483048b1000000000200000000001066000000010000200000008fe078399ae77bebb9d81a41256c963079824cfbc8227fc55d7a75bd12d87989000000000e8000000002000020000000178ec07bea491f91c72f39067e8f154852ac907c16f440d9b50219f81124fe88200000009816dc3af281cf8f8857e5e29770f388bd7a25dd655fc7197310346521473ac040000000caf3b1ef32ea1076cc35c6bc0f59fb5ad64395b3e6a68266c32328f01f99a918f468483b93e98367349e3e75f763e021cf29e1a7db9cd961ec9b654135287bc4	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://z450i8z2bj8vbm2.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://z294n0m33et90ej.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://iw07usnu2ad5v73.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://292tk905o4tgt1b.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://olj5mq9zsd24g3m.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376887566"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://dl712f1qix962cb.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://1min95qnncb44k0.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1228	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1228	winlogon.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
604	iexplore.exe
604	iexplore.exe
604	iexplore.exe
604	iexplore.exe
604	iexplore.exe
604	iexplore.exe
604	iexplore.exe

Suspicious use of SetWindowsHookEx 33 IoCs

pid	Process
1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe
1716	winlogon.exe
1228	winlogon.exe
604	iexplore.exe
604	iexplore.exe
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
2476	IEXPLORE.EXE
2476	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
1468	IEXPLORE.EXE
1468	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
604	iexplore.exe
604	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1228	winlogon.exe
1228	winlogon.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 1396	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	27
PID 1600 wrote to memory of 1396	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	27
PID 1600 wrote to memory of 1396	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	27
PID 1600 wrote to memory of 1396	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	27
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1600 wrote to memory of 1420	1600	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	28
PID 1420 wrote to memory of 768	1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	29
PID 1420 wrote to memory of 768	1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	29
PID 1420 wrote to memory of 768	1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	29
PID 1420 wrote to memory of 768	1420	a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe	29
PID 768 wrote to memory of 1728	768	winlogon.exe	31
PID 768 wrote to memory of 1728	768	winlogon.exe	31
PID 768 wrote to memory of 1728	768	winlogon.exe	31
PID 768 wrote to memory of 1728	768	winlogon.exe	31
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 768 wrote to memory of 1716	768	winlogon.exe	30
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 1716 wrote to memory of 1228	1716	winlogon.exe	34
PID 604 wrote to memory of 1468	604	iexplore.exe	38
PID 604 wrote to memory of 1468	604	iexplore.exe	38
PID 604 wrote to memory of 1468	604	iexplore.exe	38
PID 604 wrote to memory of 1468	604	iexplore.exe	38
PID 604 wrote to memory of 1012	604	iexplore.exe	41
PID 604 wrote to memory of 1012	604	iexplore.exe	41
PID 604 wrote to memory of 1012	604	iexplore.exe	41
PID 604 wrote to memory of 1012	604	iexplore.exe	41
PID 604 wrote to memory of 2228	604	iexplore.exe	43
PID 604 wrote to memory of 2228	604	iexplore.exe	43
PID 604 wrote to memory of 2228	604	iexplore.exe	43
PID 604 wrote to memory of 2228	604	iexplore.exe	43
PID 604 wrote to memory of 2476	604	iexplore.exe	45
PID 604 wrote to memory of 2476	604	iexplore.exe	45
PID 604 wrote to memory of 2476	604	iexplore.exe	45
PID 604 wrote to memory of 2476	604	iexplore.exe	45
PID 604 wrote to memory of 2936	604	iexplore.exe	48
PID 604 wrote to memory of 2936	604	iexplore.exe	48
PID 604 wrote to memory of 2936	604	iexplore.exe	48
PID 604 wrote to memory of 2936	604	iexplore.exe	48

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe
"C:\Users\Admin\AppData\Local\Temp\a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1396
- C:\Users\Admin\AppData\Local\Temp\a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:768
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1228
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1728

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1648

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:604
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1468
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:209928 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:603149 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2228
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:1061901 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2476
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:604 CREDAT:1192986 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2936

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5bb25cae0f32937b7b0abc6661a4737c

SHA1
bad78d22c7c50cf5ec9ec343809c6d90705962ef

SHA256
517596724bd34018f2b7c70fd960d6e3df4a670e07a311044a61dd21f316759b

SHA512
c9e5b2eee5c9535abb052d1436ccc6125c40293360c3f35cf9a2d3ce96ab0a5431ea545a97bcd461f2324195425d90fa0388282169b836e342bf2cef7dbb81f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
7c9e0bb25e8c28e8b10038806b0a7190

SHA1
9fa6097aeb8eacde8ba7c9ab80a7a7d2405ae2bc

SHA256
f4864000960be2f888ed7d2467f74130231fed6f56ad48ff15861f5769e95a58

SHA512
a47442cf298b6c42d126e7e0853a6768fcd46cb7c75dcab06fb07a913a2993fdc3031de8fe8b9408b28af472718da5e92fecedf037e18d72a325aece48fde450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
9f76a7ec7f14ab969c7c0fb6598b6bfc

SHA1
721c3560f67baa18d66c6305afb900798ede8067

SHA256
a70094c484798e16b0dfcf8c0267018fb13f3f5356ed800dbdededd72ee067e4

SHA512
5c13bcded1d74bfbbcab574938c560b425c0a95d6b226a0e43518404bddb2040b45f87f52a649ff0045767d0f39e7f839cf030d11e972aec3a7ed7e4fd71c49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
3275c832af6321b17787b97afb70448a

SHA1
58358143ea819766796df59cac1b9c634301f12d

SHA256
404d67d1b57d1eef04fec96af6c776cd6d922a6bd37cdf9266e568fc53345275

SHA512
19f9982b0579a9f6e408fc6da5588e7f77ebf49a5b25f5b75128c42621368a597ae3eed936b5c20574d092c49e68a990fce01419993ab2122e8ee7019d9fd072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d62eb31a8e8075b3cf7e9761728edcd6

SHA1
bdb745c270e7d728a2eec7644a5a35923d48dcc2

SHA256
dcac31ed101553fc6d25e5983c8adf5c6d4f3db534bacba0b4feffb31bc2a671

SHA512
26e48ea785223ffd498f9f44d84f942672256c46c3a25229f5ede3b0583c1b882c652d6a48f9e3c971f2f2245016737e40a73ec109beadff5a11bbf5083f1887

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
92d74e6248f41f53e0ae24bd9e4085ae

SHA1
afd9e43d4900cfc6f2571effe0ff5ea6fafb5f59

SHA256
7a6a3190591278cf41333844d3d5f6552725725333a7c513f959dd31303092db

SHA512
e918ca5057ef8b2e66f98a7e8528aac13e0c5245749bba0add83a02865f6e3e33e3e35aa7abc15dd6d7d853ebeae2c72d4c2bfe90ca0c70197ab05d84ba01c59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
fe5b7598ff3b80b2ae85fee64e95e63e

SHA1
af23cbb92857f892e60e079370756e7050a9ef64

SHA256
c60382d68a91ca8738b8828e9b16eb218ee0b10cddfe50d36789278faa37b8a2

SHA512
0170e50448d2ca70f107d7a0df99406900f16976df374f760eb62104850eb8f90633b9dd768e88f46aa0ff5883c8377055bfb285a3cb69643e1968c0fe96680b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c05460291ee029d5be7917bcc6dc74c

SHA1
b3edf389274ecd8929ec5562ba56be507d0286de

SHA256
67d4f1bc203604e85feee0a668deca5829a86ecf0bfa14c96b1ea4e177a0586d

SHA512
57dd2ffa84be318f03b95f1f749b7e074eb27e203899d5a2af1e87af33b926c1975c401761d11bdb496d30c1f2effb5af953fd146a0c0c35a1940764e1bbf3f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
24eca4b5e15440e6e100e5070f7b8dbd

SHA1
ac93f2b005020b8c7ffa7e1e71293cd062d9b6cd

SHA256
868be5415228294e8052a99c67103585d80a82f7d4099ce12cd7bd23e25835e1

SHA512
72ed009f8a551f8cdc66920d13c560979c4d9c0b61d6a4518b0a4e850b8819e96bce33e237ec1d263bdde3de0bfd67d5dbbc9ea656c03f1a6b973ccf795550ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
299a535e4202701e00e96ab4ba8de670

SHA1
fe5568a256caed216c6b4d2de0b192ec481326d4

SHA256
e390adb8c543d54e795ee937f3a6b56a9fca6ec6f5ff32ea7b0969fe9c773c5a

SHA512
07fbd30a1ce62674bd29862dc446ec20571b8aefce2ce4f91f58ef1ae044977bf280944ee3fb0ebe53ed0d4895ad5bb6abb2a711a5e6cb164ed53f8e0529edb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a43e852f8c5692324b33f1846a88b75

SHA1
9a0feac018a6b8f981cbd24fd0b4f43fb89b8ed5

SHA256
aedc8670a5c31377e9de6a180548418bf2ecdd2caa2a84a7623ea3a75a478334

SHA512
01eeed38b3d082d79d0de2e65b9b37464497aead0c339a01c0c294a2191c7285b5af4c32f7d088d002036d407fdf2b95f9f25264b4d831b2550e0a7849c95bab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a821a0c23f00c43058c2a28ee38ac76

SHA1
08225ff404895d288173b95643d137845c08e502

SHA256
93ab43f2c62c166f69309edeb149d568caade3a8a9f4c4e7c4ddfb032842d6e0

SHA512
b74bacc5c3ef264597b7dfdc574f82c455cdeed79047ced4ee495e1b740db2498ca521fcbccab8d85b86a2de89b0cb2b5afca766f4c529f9396d8acfa9d4e253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cd0ce940710d781ec9dd2f1dbb22287

SHA1
e2e2df79b95e05b4744ac6a43e0f5f983e1f609b

SHA256
fcebc4ae056f34335e22c92f56190fd21dd3a33a0e2a32fd527dc801b45c30cb

SHA512
53c845c8fc7da0cb0a4a0fe0443328732a96e1eb9921e60a44f2117955424ab680ea122c5b8fc54090856978962696e6e53f849bd3251dca8a1e556c7034c6a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9002520ee206e7b1da36ed94cfd1c8ef

SHA1
c9404262cc755f0fa3c26883ac2e9bea5ab775a6

SHA256
c63975d96450df4664e9ca4c942e687a184b1779e369d06d861cfd592a3ff812

SHA512
151088540258e27f2aa1bffac6a0f4cdd20c42dc14897573eae2cf68fd4bd9820c8123ca7f477c0530727713800425444ba127634b1877e1b53c43081c00c56a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
0fdf134ba65746bc594ccfd4aec029fe

SHA1
6db8be214662fc37edda2e68c5f46a8af7a02b7f

SHA256
2b2f27d7870f4fc23f7d862e95409784999d6e1a8ad6bbf050ad47a1ed1b3efc

SHA512
e41f18d26ce143f97501787b3a8d05ddb652e94a46a65b14b5bfae3abdd76cba1b6ccceef26c6a515b87dc7b235227ace18ec753e3ff6beed4afec1e47ff2109

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
c2ab75bbf7a7c5eaeae3e2dc1c54a852

SHA1
8ab04dc509ce87c9841e115972e537a1de24cdb6

SHA256
f24504b5d264ef53bdd5b4491e08924ee9d2878b8d8446eaaa78d3dc24b30686

SHA512
db09de3e0253b391a58a5310a0131f3881c60556cda44e3675c1a7f2512b82316f9c031cf19661d98c12c73c8f00e3c3c76088fe153ed234c1ba7808d122048d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
567d3203f5bffd8dd369220555d7efb9

SHA1
d496bf4f16814846989a76c63cb10754d11e0c7a

SHA256
22f80b81de3c986ea982c4e384bff8c61eddd47bdc07a993a9d4ffe92fa7f03c

SHA512
20b996e5efbfb6644c05162570d164e153503969cc981a8630d7f9cde2bff5a6a3d2b6fee637f62712563f44498ebe218a3b74671c2274be9db134ff2158d0b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JHQXUXEV\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\7OM5HJ3K.txt

Filesize
533B

MD5
30265bede5188e9f69af098a377a9004

SHA1
9ce2d5d6772d748ac5ad060e137ced61c3357f3e

SHA256
7929bb756c872672b05471045a9ee06bb4c481e4a1d06c48d757f75bb5e166b6

SHA512
1b0048ea68f6d13822a803b593843f4e4b5d8fbe18318bc49e09cc2dccdd183e305fc51048d24de2b8c7c3354aa474762540987e64d172e3f82b7f9039fc82ea

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
ae6bfea66177b88d99fab0fa9ad45865

SHA1
3cc8fafca1828e8a14eb2fbf5bda5bbe2bf41b93

SHA256
a376cd82d56bad1379ce8183b8be51193d651b55acdbb81c4f9e0a21f1c8c759

SHA512
d9a78a7a0837ae301d75869e647a602cb5678403268e4ac602156704ec5444735df87ca612ee2e0d270ba73f568d578657f1e126181ec4b789b4d6f5c748830c

Download Submit
memory/1228-111-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1228-122-0x0000000003EF0000-0x00000000049AA000-memory.dmp

Filesize
10.7MB

Download
memory/1228-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1420-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-66-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1420-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1420-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1716-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download