908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

Analysis

max time kernel
150s
max time network
159s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe
Size

909KB
MD5

a04f4ac46851da13de70c3a26a8a4208
SHA1

573d5311e9a171108c6c20c94c0d78f5ff3b6463
SHA256

908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c
SHA512

439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225
SSDEEP

1536:hO20qHkRRNpTNJo9KJt7i3ukMV111I8Yp45wzvShJFIn8lq93oFDeUXtk3ns:hMRjVo9uFiJu11upaEMq8Y3Utm

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1972	winlogon.exe
1980	winlogon.exe
1028	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FirewallSettings.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mghtml.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prckiller.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HiJackThis.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vnpc3000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GenericRenosFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SmitfraudFix.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpexec.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsmain.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgctrl.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dv95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrte.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumphive.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconsol.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccsetmgr.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecmd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navsched.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autotrace.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiadmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pfwadmin.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icload95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avxw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpro.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\localnet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nav32_loader.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppinupdt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tracert.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\amon9x.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldnetmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\syshelp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taumon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbust.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mu0311ad.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmonitor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pev.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95ct.exe	winlogon.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1448-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1448-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1448-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1448-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1448-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1448-72-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1980-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1028-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1028-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1028-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1028-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1980-98-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1028-99-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe
1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 832 set thread context of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 1972 set thread context of 1980	1972	winlogon.exe	32
PID 1980 set thread context of 1028	1980	winlogon.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://61t0zj7bkctb80h.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://i4mtdmf8f8t7ecp.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://4k14imyj21v71k3.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA9C9871-7390-11ED-8AB9-FAB5137186BE} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039fb7538cf0ccf4bbfcae96f65e9346a00000000020000000000106600000001000020000000754408ea85b7e2d507d89fcee979497bfd30e67f439c35cf4a0d297976dc2c73000000000e8000000002000020000000bf78cd716de10b83f56fcfc51931994d7cda6af58110297f624ee79fc37cecee200000007e360ec25bb9e2b981500532778995bed6f24b9da4bfb29262780519f9c853be40000000564285a968de41621c655f74cdde9f0f06fc06fae4a8506e201d4adcaa4d39e173328701498ed2ca32419bb688a8b5952a974f4d381016193ab68c094115f19a	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://raozkd2i16c396o.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039fb7538cf0ccf4bbfcae96f65e9346a00000000020000000000106600000001000020000000dd726594e6dbb4f6b839f725fa25d1b618d176ac8c2114953ef539442e357c92000000000e80000000020000200000003a6ed8f854f410fb5f6efba328ad811d55759034c3b3b53c78b32beb8dd17ea7900000007c8db66746365bf066f77bd3bc88b448aaa3a4276b89a9f79b8aa49cd8ddf6d01f10d96620f8181a311b11432fc5bb8232f8d01a46ba4bbc996e68b20b8e09f0bc0a59abac24fa14a381942fdb8b94852e8d8cc904347483f373e8c8bbd4fd3813eb7abb6676342248b5c0c068e68a127eb1e0d3206296466c71a33d98dc79b8d89e4060fc4b936ece638a8df1d75ee74000000021d9cd7a0c82e014192d570bf57f69234ad896470ebc3151e2325e883f40a96428cd2ea20e685da268419b9c5a957c0e4d6793c777b79ae00c921aecdfe96319	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://9zyite7hgjg38g1.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://y58vb06557223gs.directorio-w.com"	winlogon.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376895128"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://i6zjx268908q1k4.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://vny8e12kzv72bc5.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00645ebd9d07d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://4qgl8qxe159li02.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://4q885zjb37a2n3h.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1028	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1028	winlogon.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe
432	iexplore.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe
1980	winlogon.exe
1028	winlogon.exe
432	iexplore.exe
432	iexplore.exe
536	IEXPLORE.EXE
536	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
1564	IEXPLORE.EXE
1564	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
2344	IEXPLORE.EXE
2344	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
536	IEXPLORE.EXE
536	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
2828	IEXPLORE.EXE
2828	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
432	iexplore.exe
432	iexplore.exe
2300	IEXPLORE.EXE
2300	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 832 wrote to memory of 1692	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	28
PID 832 wrote to memory of 1692	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	28
PID 832 wrote to memory of 1692	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	28
PID 832 wrote to memory of 1692	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	28
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 832 wrote to memory of 1448	832	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	29
PID 1448 wrote to memory of 1972	1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	30
PID 1448 wrote to memory of 1972	1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	30
PID 1448 wrote to memory of 1972	1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	30
PID 1448 wrote to memory of 1972	1448	908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe	30
PID 1972 wrote to memory of 1996	1972	winlogon.exe	31
PID 1972 wrote to memory of 1996	1972	winlogon.exe	31
PID 1972 wrote to memory of 1996	1972	winlogon.exe	31
PID 1972 wrote to memory of 1996	1972	winlogon.exe	31
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1972 wrote to memory of 1980	1972	winlogon.exe	32
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 1980 wrote to memory of 1028	1980	winlogon.exe	35
PID 432 wrote to memory of 536	432	iexplore.exe	39
PID 432 wrote to memory of 536	432	iexplore.exe	39
PID 432 wrote to memory of 536	432	iexplore.exe	39
PID 432 wrote to memory of 536	432	iexplore.exe	39
PID 432 wrote to memory of 1704	432	iexplore.exe	43
PID 432 wrote to memory of 1704	432	iexplore.exe	43
PID 432 wrote to memory of 1704	432	iexplore.exe	43
PID 432 wrote to memory of 1704	432	iexplore.exe	43
PID 432 wrote to memory of 1564	432	iexplore.exe	46
PID 432 wrote to memory of 1564	432	iexplore.exe	46
PID 432 wrote to memory of 1564	432	iexplore.exe	46
PID 432 wrote to memory of 1564	432	iexplore.exe	46
PID 432 wrote to memory of 2344	432	iexplore.exe	48
PID 432 wrote to memory of 2344	432	iexplore.exe	48
PID 432 wrote to memory of 2344	432	iexplore.exe	48
PID 432 wrote to memory of 2344	432	iexplore.exe	48
PID 432 wrote to memory of 2828	432	iexplore.exe	52
PID 432 wrote to memory of 2828	432	iexplore.exe	52
PID 432 wrote to memory of 2828	432	iexplore.exe	52
PID 432 wrote to memory of 2828	432	iexplore.exe	52
PID 432 wrote to memory of 2300	432	iexplore.exe	57
PID 432 wrote to memory of 2300	432	iexplore.exe	57
PID 432 wrote to memory of 2300	432	iexplore.exe	57
PID 432 wrote to memory of 2300	432	iexplore.exe	57

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe
"C:\Users\Admin\AppData\Local\Temp\908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1692
- C:\Users\Admin\AppData\Local\Temp\908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:1996
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1028

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2024

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:603143 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1704
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:603149 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1564
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:209946 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2344
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:996387 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:432 CREDAT:1455123 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
5bb25cae0f32937b7b0abc6661a4737c

SHA1
bad78d22c7c50cf5ec9ec343809c6d90705962ef

SHA256
517596724bd34018f2b7c70fd960d6e3df4a670e07a311044a61dd21f316759b

SHA512
c9e5b2eee5c9535abb052d1436ccc6125c40293360c3f35cf9a2d3ce96ab0a5431ea545a97bcd461f2324195425d90fa0388282169b836e342bf2cef7dbb81f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
7c9e0bb25e8c28e8b10038806b0a7190

SHA1
9fa6097aeb8eacde8ba7c9ab80a7a7d2405ae2bc

SHA256
f4864000960be2f888ed7d2467f74130231fed6f56ad48ff15861f5769e95a58

SHA512
a47442cf298b6c42d126e7e0853a6768fcd46cb7c75dcab06fb07a913a2993fdc3031de8fe8b9408b28af472718da5e92fecedf037e18d72a325aece48fde450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
9f76a7ec7f14ab969c7c0fb6598b6bfc

SHA1
721c3560f67baa18d66c6305afb900798ede8067

SHA256
a70094c484798e16b0dfcf8c0267018fb13f3f5356ed800dbdededd72ee067e4

SHA512
5c13bcded1d74bfbbcab574938c560b425c0a95d6b226a0e43518404bddb2040b45f87f52a649ff0045767d0f39e7f839cf030d11e972aec3a7ed7e4fd71c49b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
3275c832af6321b17787b97afb70448a

SHA1
58358143ea819766796df59cac1b9c634301f12d

SHA256
404d67d1b57d1eef04fec96af6c776cd6d922a6bd37cdf9266e568fc53345275

SHA512
19f9982b0579a9f6e408fc6da5588e7f77ebf49a5b25f5b75128c42621368a597ae3eed936b5c20574d092c49e68a990fce01419993ab2122e8ee7019d9fd072

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d4de0beea309c948f9dab7b4ae59efaf

SHA1
13431487350c9ca02926886dde60d547199ddadd

SHA256
6ede24f6acf6bafeac0d99dc669a1fbfc11d189bca70e9b26d2ee26bbe166bd5

SHA512
015d17c199e7e352eb29adeb54cfdd83705be28fbd455c42fe851e28e497a856c594675de8e90fae7b8c58720583666eb26a3d1fbc3799582d710ac87c10d642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
d4de0beea309c948f9dab7b4ae59efaf

SHA1
13431487350c9ca02926886dde60d547199ddadd

SHA256
6ede24f6acf6bafeac0d99dc669a1fbfc11d189bca70e9b26d2ee26bbe166bd5

SHA512
015d17c199e7e352eb29adeb54cfdd83705be28fbd455c42fe851e28e497a856c594675de8e90fae7b8c58720583666eb26a3d1fbc3799582d710ac87c10d642

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
521a7fa76114d5abc661782d6098005e

SHA1
093682442013613ba1bb58155048c3909312b97f

SHA256
63d8f11923674cbb376483af5951d8498262fa7e41cbb7f706f907e81cfd5ac0

SHA512
2f94d21c3b267d121e8f5062701066df5f51a0f060d40766c2e0c4cff05c2867643881ac6e375afad643be39c6b878ed72f449e5e4ed66be3ef0356ebbe14d50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
70503fa7e951531e6239dcf665d98e19

SHA1
2d75ca8ad7695f6ca1b3bfc9b8c01800b36a7acc

SHA256
c04d2fb0e2d27bd308520d4cd3dac9a0651b9101578d4653a1fb93f594e4420b

SHA512
1585ec719264ac0bd0145146929b6b9392303c567b63fa9af6efcbd2b961a9325cc3464de23edb1afba3bf2185912b47d854dd77b388300ef124a575ba231eab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edda503e68539eb72addaf1258a8f590

SHA1
8b4ed73b9eccc81dfaefd51d6da110cbe7a16354

SHA256
c629d557cc6ff25b69b84df59e2d34915c71c968483de94abb9fa4f06fe36198

SHA512
01df1e6e674529c329b8c0562c623a01cad85241353375405e430b6e42602a64a2fa5493f4f217e40e5db503dd7720bc9f26ce7309af7d7d6c86a9bec59597d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2cea568caa150d53868785f1422dae8

SHA1
7dc300b60df13787221bf7a88af7be7d64d2a4cb

SHA256
4011883c41785cbbd369c9722daeffecf04a9c1f900f86c3de410bac2b24987f

SHA512
a8f4e6d2f48c44b5ca12bfb522879dca5ad03f3f47f565c9bfc4d1ca194234b1311a9579ec96f0f4ea4edc9ee72058903204e9f7bda8034ffd143e6cdd98aaba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f27ca7fb7f5a0a1e194dc2c5f95d58a

SHA1
405f6cc8bba4dd59817aa60b2e0d0d3233147ac0

SHA256
fc15bdafeb9296e67d99795668e721e268d34a095e4441bb4906f083af6366a4

SHA512
0b44a8d63bef0386a85da2f61709547e564c03b7cf5a8db7d94fb856c292db058ce72a2a69663ce8446b7adcbf468ba0cf7de2397e6fcc1852f8637b466ac020

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f851f218548ac1bd5755aa0346dc8398

SHA1
ffdeaa3475966b80db3dbb2042665f655e63634a

SHA256
a604dbf22ad41b51fab3ad5c9d7b34bb4f7b4c5d95c76397f534e2ecbc9e3e9f

SHA512
d3855f98a0cd61f96a96c13abf21e0193b117b8ceba459920620f961284273286cb999b1c7f8dcfe7f405784d4d18fae85a46ac7bf80c73ef136cfc20b141845

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45d19868768060ebe9b4da0eca3fa1e6

SHA1
24ba6faf946ad9faa6e23558baee8ddbb106da3e

SHA256
74f63e40dd0c3986800f8746fb0ace5182c07e603730700c6a289e6e195d119f

SHA512
56de7aa3ea91e2514bcfff8e43ec5c8dbcca83b8d51f2853020a6282f51dfa0f6848e6178257e5b913353b06aac5ed497aa98f7ae8e0d824c7ac2272ddb44261

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11daa437e3c09de8b6753349571cfc16

SHA1
7c3ecf33050a32d00b8f41abd4db47a5031049bc

SHA256
a479c8b657cccda8dfcf7f7a394c94a92c6f022b8c6f3ab0e8facba427b2bb88

SHA512
b9570e609ef843efb6c2cb7498a644049e666a8409bfc87c99693ac25816d769f4f5f0a8c29e228261495eafa5443e24afd388ac8cc258a61b214f20228adffd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c63ac5acd021ff4e0ac278f76e12bdcb

SHA1
562175958373c3a51b34c090729d3c35ac38c07c

SHA256
53713add6e0a148aba4b976d59c5e4437c1dcd149023fc6c5ae469256df8f929

SHA512
3531f44babb9455d3269c26028c4cf39cff9a48b3d20109f122cbd486dfb2fbdf5073723d6a9c628c013e80c17b3b2d9673cba95aced87b321f146b896ffa94f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
a23e26f0af6633370dfb840158e8e52c

SHA1
c30c224463ea8d9bcb2d7fd70fe7190c559e1196

SHA256
0300f05bad6c9ab5203449512b02b5faab27d3c12d425efaa4aecdab6b9bcc92

SHA512
bce55c88022530169f0e5e06882c3439dd9a5e9421e44de9ebf3dc1b9a9cf91ccdd0e51e29ee443be45519201817a467a39c714cc2ae3d1778409f81c67539a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
4ce36bd79592d82f76a4196c64ba4047

SHA1
ce957f8b047bfb294bba3410a0fa4d5f0ae2dc0a

SHA256
bef5804751bbfc03076fe74a22a03cb1df92532875892d805709c35a6ccdcf50

SHA512
c641e7f3209e35f4e6e22d8651d118093e01082be0e72963e28254bf4718d14f97e727645e0f989e3dd56e2b25828af2605a25932e83810f1881376b3f38ee77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
4ce36bd79592d82f76a4196c64ba4047

SHA1
ce957f8b047bfb294bba3410a0fa4d5f0ae2dc0a

SHA256
bef5804751bbfc03076fe74a22a03cb1df92532875892d805709c35a6ccdcf50

SHA512
c641e7f3209e35f4e6e22d8651d118093e01082be0e72963e28254bf4718d14f97e727645e0f989e3dd56e2b25828af2605a25932e83810f1881376b3f38ee77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a54abf066bbc232ac8fc0e580859dc3c

SHA1
eec20951b3a303f32878b766d7d0457f09a49053

SHA256
153c291746b9f6be65a7119f65579da91a86bb5fcf6228059a8906c3b1db8144

SHA512
fd6cc5c8dce8f971210891b72e5d78771b7529e3e67aec58106d0aaf5941c4987957f685445e1ae611f6d779524a8ca38d58fc36ea6f25b28840f33bc130189b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\UMGVXHIN\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6KY177RC.txt

Filesize
527B

MD5
8ccbf5f4c19d2c2de0f91001ba6f170d

SHA1
5a6e0e033c49e8cf927ef951a626e2aa1ec57826

SHA256
6f7acf84461501787c8b83316bcc9e7a824447ecb5c68de335169ede58e78d1a

SHA512
f066faad3652c3c4cf929252abcd88ccedde9d4e1ac1f51ff40da31a8fe8843c747f39396772318dad7a67a873b7f2334cbba97369474dee36c8d36b5ac758e2

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
909KB

MD5
a04f4ac46851da13de70c3a26a8a4208

SHA1
573d5311e9a171108c6c20c94c0d78f5ff3b6463

SHA256
908646a74d739c102054a74cb978919357dcef76e42a6eee77ee4d04f3f16a2c

SHA512
439e6a828c33eddd764ad5ed50ee3b75f1f7d9f6b383271aaa9d4bfd7f4c15339d301eba54190db6a2ac3881eb713f9141823f4fc205fb1d598850153772b225

Download Submit
memory/1028-99-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1028-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1448-72-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1448-66-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1448-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1980-98-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1980-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download