Analysis
max time kernel: 155s
max time network: 178s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/12/2022, 18:31 UTC
Static task: static1
Behavioral task: behavioral1
Sample: d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
Resource: win7-20221111-en
Note: the signature and memory-dump rows below are labelled behavioral2 and belong to the windows10-2004_x64 run listed under platform above, not to the win7 task.
General
Target: d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
Size: 848KB
MD5: f9c7e26ef27c5ee51e323bf44fbb55da
SHA1: 38893810448f1383dd44350c4c90d7fc72249680
SHA256: d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739
SHA512: 763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854
SSDEEP: 1536:7Eo6GzI9cono/es2KyvLh423iZB7LbGnkBwUDXLY+cnCd4SztNXjU8UdatVgc1h:g8ciono/e95vLh4j2Umns4khjU0jZ
Malware Config
Signatures
Modifies firewall policy service 2 TTPs 18 IoCs
All rows are writes by winlogon.exe. [FP1], [FP2] and [FP3] stand for \REGISTRY\MACHINE\SYSTEM\ControlSet001, ControlSet002 and ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy respectively; the sample repeats its changes in every control set so they survive a last-known-good rollback. The domain-profile firewall is switched off (EnableFirewall = 0), exceptions and notifications are relaxed, and the dropped winlogon.exe is added to the StandardProfile AuthorizedApplications list using the legacy Windows XP SP2 exception syntax (path:*:Enabled:@xpsp2res.dll,-N).
description | ioc
Set value (int) | [FP1]\DomainProfile\DoNotAllowExceptions = "0"
Set value (int) | [FP1]\StandardProfile\DisableNotifications = "1"
Key created | [FP2]\StandardProfile
Key created | [FP2]\StandardProfile\AuthorizedApplications
Set value (str) | [FP2]\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"
Key created | [FP3]\StandardProfile
Set value (int) | [FP1]\StandardProfile\DoNotAllowExceptions = "0"
Key created | [FP1]\StandardProfile\AuthorizedApplications\List
Key created | [FP1]\StandardProfile
Key created | [FP1]\StandardProfile\AuthorizedApplications
Set value (str) | [FP1]\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"
Key created | [FP3]\StandardProfile\AuthorizedApplications
Set value (str) | [FP3]\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"
Set value (int) | [FP1]\DomainProfile\DisableNotifications = "1"
Set value (int) | [FP1]\DomainProfile\EnableFirewall = "0"
Set value (str) | [FP1]\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"
Key created | [FP2]\StandardProfile\AuthorizedApplications\List
Key created | [FP3]\StandardProfile\AuthorizedApplications\List
Modifies security service 2 TTPs 1 IoCs
Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will no longer start at boot.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | winlogon.exe
Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3" | winlogon.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | winlogon.exe
UAC bypass 3 IoCs
EnableLUA = 0 turns UAC off (effective after the next reboot) and ConsentPromptBehaviorAdmin = 0 removes the elevation prompt for administrators.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Windows security bypass 4 IoCs
These values land under WOW6432Node because the 32-bit sample is subject to registry redirection on the x64 guest; when hunting, read both the native and the WOW6432Node Security Center key.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winlogon.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | winlogon.exe
Disables Task Manager via registry modification
Drops file in Drivers directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | winlogon.exe
Executes dropped EXE 3 IoCs
pid | Process
3056 | winlogon.exe
1028 | winlogon.exe
5076 | winlogon.exe
Sets file execution options in registry 2 TTPs 64 IoCs
A Debugger value under Image File Execution Options makes Windows start the named program by launching the "debugger" with it instead, so any attempt to run one of these executables (mostly legacy anti-virus and personal-firewall components, plus msconfig.exe and taskmon.exe) re-executes the dropped winlogon.exe. All rows are writes by winlogon.exe. Below, IFEO stands for \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options and [DBG] for the value "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\"".
description | ioc
Set value (str) | IFEO\ants.exe\Debugger = [DBG]
Key created | IFEO\cfgwiz.exe
Set value (str) | IFEO\lucomserver.exe\Debugger = [DBG]
Set value (str) | IFEO\f-prot95.exe\Debugger = [DBG]
Set value (str) | IFEO\fsav95.exe\Debugger = [DBG]
Set value (str) | IFEO\ogrc.exe\Debugger = [DBG]
Set value (str) | IFEO\outpost.exe\Debugger = [DBG]
Key created | IFEO\sh.exe
Key deleted | IFEO\NGEN.EXE (path logged in upper case)
Key created | IFEO\bidserver.exe
Set value (str) | IFEO\fsav530stbyb.exe\Debugger = [DBG]
Set value (str) | IFEO\vsmon.exe\Debugger = [DBG]
Key created | IFEO\zonealarm.exe
Set value (str) | IFEO\wmias.exe\Debugger = [DBG]
Key created | IFEO\anti-trojan.exe
Set value (str) | IFEO\avxmonitornt.exe\Debugger = [DBG]
Set value (str) | IFEO\claw95ct.exe\Debugger = [DBG]
Key created | IFEO\fp-win.exe
Key created | IFEO\rav7.exe
Key created | IFEO\tmntsrv.exe
Set value (str) | IFEO\vpc42.exe\Debugger = [DBG]
Set value (str) | IFEO\cfiaudit.exe\Debugger = [DBG]
Set value (str) | IFEO\dvp95.exe\Debugger = [DBG]
Set value (str) | IFEO\mghtml.exe\Debugger = [DBG]
Key created | IFEO\portmonitor.exe
Key created | IFEO\vfsetup.exe
Set value (str) | IFEO\luinit.exe\Debugger = [DBG]
Key created | IFEO\monitor.exe
Set value (str) | IFEO\rescue32.exe\Debugger = [DBG]
Key created | IFEO\update.exe
Set value (str) | IFEO\vsscan40.exe\Debugger = [DBG]
Key deleted | IFEO\MSQRY32.EXE (path logged in upper case)
Set value (str) | IFEO\icssuppnt.exe\Debugger = [DBG]
Set value (str) | IFEO\route.exe\Debugger = [DBG]
Key created | IFEO\vsscan40.exe
Key created | IFEO\evpn.exe
Key created | IFEO\nsched32.exe
Set value (str) | IFEO\padmin.exe\Debugger = [DBG]
Set value (str) | IFEO\taskmon.exe\Debugger = [DBG]
Key created | IFEO\tcpsvs32.exe
Set value (str) | IFEO\VACFix.exe\Debugger = [DBG]
Key created | IFEO\monsys32.exe
Set value (str) | IFEO\avrescue.exe\Debugger = [DBG]
Key created | IFEO\avsynmgr.exe
Set value (str) | IFEO\avwin95.exe\Debugger = [DBG]
Key created | IFEO\cpf9x206.exe
Set value (str) | IFEO\evpn.exe\Debugger = [DBG]
Key created | IFEO\iomon98.exe
Set value (str) | IFEO\iomon98.exe\Debugger = [DBG]
Key created | IFEO\scvhosl.exe
Key created | IFEO\tbscan.exe
Set value (str) | IFEO\msconfig.exe\Debugger = [DBG]
Key created | IFEO\tds-3.exe
Key created | IFEO\vswin9xe.exe
Set value (str) | IFEO\vswinntse.exe\Debugger = [DBG]
Key created | IFEO\winroute.exe
Set value (str) | IFEO\whoswatchingme.exe\Debugger = [DBG]
Key created | IFEO\bs120.exe
Key created | IFEO\fprot.exe
Key created | IFEO\moolive.exe
Set value (str) | IFEO\ndd32.exe\Debugger = [DBG]
Key created | IFEO\pccclient.exe
Key created | IFEO\vir-help.exe
Key created | IFEO\vsched.exe
UPX packed file (yara rule: upx) 11 IoCs
The two earlier hollowed processes (1964, 1028) carry a 0x19000-byte image at 0x400000; the final stage (5076) maps a larger 0x3D000-byte image at the same base.
resource | yara_rule
behavioral2/memory/1964-133-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1964-135-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1964-136-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1964-139-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1964-143-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1028-152-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/1028-153-0x0000000000400000-0x0000000000419000-memory.dmp | upx
behavioral2/memory/5076-155-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/5076-158-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/5076-159-0x0000000000400000-0x000000000043D000-memory.dmp | upx
behavioral2/memory/5076-166-0x0000000000400000-0x000000000043D000-memory.dmp | upx
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
Drops startup file 1 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe | winlogon.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification 15 IoCs
All rows are writes by winlogon.exe. [SC] stands for \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center. Besides suppressing every Security Center notification, the sample creates Monitoring\SymantecAntiVirus and Monitoring\SymantecFirewall sub-keys with DisableMonitoring = 1, a relic of the XP-era mechanism third-party products used to tell Security Center to stop monitoring them.
description | ioc
Set value (int) | [SC]\cval = "1"
Key created | [SC]\Monitoring\SymantecAntiVirus
Key created | [SC]\Monitoring\SymantecFirewall
Set value (int) | [SC]\AntiVirusDisableNotify = "1"
Set value (int) | [SC]\FirewallDisableNotify = "1"
Set value (int) | [SC]\Monitoring\DisableMonitoring = "1"
Key created | [SC]\Svc
Set value (int) | [SC]\AntiSpyWareDisableNotify = "1"
Set value (int) | [SC]\InternetSettingsDisableNotify = "1"
Set value (int) | [SC]\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"
Set value (int) | [SC]\UacDisableNotify = "1"
Set value (int) | [SC]\AntiVirusOverride = "0"
Set value (int) | [SC]\AutoUpdateDisableNotify = "1"
Key created | [SC]\Monitoring
Set value (int) | [SC]\Monitoring\SymantecFirewall\DisableMonitoring = "1"
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Suspicious use of SetThreadContext 3 IoCs
The three events trace the hollowing chain: the original sample into a second copy of itself (2284 → 1964), then the dropped winlogon.exe into a second copy (3056 → 1028), and that copy into a third (1028 → 5076). Each pair also appears under WriteProcessMemory below.
description | pid | Process | procid_target
PID 2284 set thread context of 1964 | 2284 | d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe | 83
PID 3056 set thread context of 1028 | 3056 | winlogon.exe | 87
PID 1028 set thread context of 5076 | 1028 | winlogon.exe | 101
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
No IoC rows were recorded for this signature, and nothing else in the report points to file encryption, so the ransomware wording is the signature's generic description rather than a finding about this sample.
Modifies Control Panel 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Sound | winlogon.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\Sound\Beep = "no" | winlogon.exe
Modifies Internet Explorer settings 15 IoCs
All rows are writes by winlogon.exe. [HKU] stands for \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000. Every page and search value is pointed at a different random-looking host under directorio-w.com, so the parent domain, not any individual label, is the indicator to hunt for. CheckExeSignatures = "no" together with RunInvalidSignatures = 1 switches off Internet Explorer's Authenticode check on downloaded executables.
description | ioc
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "no"
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "http://2yjhe3k2878t69n.directorio-w.com"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://14v695o4620e085.directorio-w.com"
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://86z943n3gtz0fov.directorio-w.com"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://w4i5fud61eu5769.directorio-w.com"
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"
Set value (int) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"
Key created | [HKU]\Software\Microsoft\Internet Explorer\Main
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Local Page = "http://k9093jety19tog3.directorio-w.com"
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://cmyeh7i28mj50c9.directorio-w.com"
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://t1995e26v0164e8.directorio-w.com"
Set value (str) | [HKU]\SOFTWARE\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://83836bvs11n0aso.directorio-w.com"
Key created | [HKU]\Software\Microsoft\Internet Explorer\Download
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://o666a2941c80hyf.directorio-w.com" | winlogon.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://n209tk5rmm6400k.directorio-w.com" | winlogon.exe
Modifies registry class 24 IoCs
All rows are writes by winlogon.exe. [CLS] stands for \REGISTRY\MACHINE\SOFTWARE\Classes. The http, https and ftp protocol handlers are re-pointed at Internet Explorer, with the URL passed over DDE.
description | ioc
Set value (str) | [CLS]\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""
Key created | [CLS]\http
Key created | [CLS]\https\shell\open\command
Set value (str) | [CLS]\https\shell\open\ddeexec\Application\ = "IExplore"
Key created | [CLS]\ftp
Key created | [CLS]\http\shell\open\ddeexec\Application
Set value (str) | [CLS]\http\shell\open\ddeexec\Application\ = "IExplore"
Set value (str) | [CLS]\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""
Key created | [CLS]\https\shell\open\ddeexec
Set value (str) | [CLS]\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""
Key created | [CLS]\ftp\shell\open\ddeexec
Key created | [CLS]\ftp\shell\open\ddeexec\Application
Key created | [CLS]\http\shell\open\command
Key created | [CLS]\http\shell
Key created | [CLS]\http\shell\open
Key created | [CLS]\http\shell\open\ddeexec
Key created | [CLS]\https\shell\open\ddeexec\Application
Key created | [CLS]\https
Key created | [CLS]\https\shell
Key created | [CLS]\ftp\shell
Key created | [CLS]\ftp\shell\open
Key created | [CLS]\https\shell\open
Key created | [CLS]\ftp\shell\open\command
Set value (str) | [CLS]\ftp\shell\open\ddeexec\Application\ = "IExplore"
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid | Process
5076 | winlogon.exe
5076 | winlogon.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description | pid | Process
Token: SeBackupPrivilege | 5076 | winlogon.exe
Suspicious use of SetWindowsHookEx 3 IoCs
pid | Process
1964 | d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe
1028 | winlogon.exe
5076 | winlogon.exe
Suspicious use of WriteProcessMemory 27 IoCs
The 27 rows are repeats of four parent/child pairs, collapsed here with a row count; three of the pairs also appear under SetThreadContext above.
description | pid | Process | procid_target | rows
PID 2284 wrote to memory of 1964 | 2284 | d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe | 83 | 8
PID 1964 wrote to memory of 3056 | 1964 | d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe | 86 | 3
PID 3056 wrote to memory of 1028 | 3056 | winlogon.exe | 87 | 8
PID 1028 wrote to memory of 5076 | 1028 | winlogon.exe | 101 | 8
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1" | winlogon.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0" | winlogon.exe
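The registry and file-system changes listed under Signatures translate directly into a host hunt. The PowerShell below is an added example, not part of the tria.ge report or of the sample: it checks a live host for the IFEO Debugger hijacks, the Security Center, UAC, wscsvc and firewall values, user-profile firewall exceptions, the per-user Startup folder, the hosts file and the Internet Explorer page hijacks recorded above. The value names, the drop directory E696D64614 and the domain directorio-w.com come from the report; the function name Invoke-ReportIocAudit, the choice of which values count as bad and the "a Debugger under C:\Users is a hijack" heuristic are assumptions of the example.

```powershell
# Added example (not from the tria.ge report or the sample): audit a Windows host
# for the registry/file changes the report attributes to the dropped winlogon.exe.
# Run from an elevated 64-bit PowerShell 5.1 or later. Value names and paths are
# taken from the report; the hunt logic and severities are this example's own.
function Invoke-ReportIocAudit {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. IFEO Debugger values. The report sets 64 of them, all pointing at
    #    C:\Users\Admin\E696D64614\winlogon.exe. Legitimate Debugger entries exist
    #    (JIT debuggers), so every value is reported and only user-profile targets
    #    are marked HIJACK (assumed heuristic).
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
        $dbg = (Get-ItemProperty -Path $sub.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $dbg) { continue }
        $sev = if ($dbg -match '(?i)\\Users\\') { 'HIJACK' } else { 'review' }
        $findings.Add("IFEO [$sev] $($sub.PSChildName) -> $dbg")
    }

    # 2. Single-value checks taken from the report's signatures. Security Center is
    #    read under both the native key and WOW6432Node: the 32-bit sample's writes
    #    were redirected on the x64 guest, and a 64-bit shell would otherwise miss them.
    $checks = New-Object System.Collections.Generic.List[hashtable]
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $checks.Add(@{ Path = $pol; Name = 'EnableLUA'; Bad = 0; Why = 'UAC disabled' })
    $checks.Add(@{ Path = $pol; Name = 'ConsentPromptBehaviorAdmin'; Bad = 0; Why = 'silent admin elevation' })
    $checks.Add(@{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'; Bad = 1; Why = 'regedit blocked' })
    $checks.Add(@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\wscsvc'; Name = 'Start'; Bad = 4; Why = 'Security Center service disabled' })
    $checks.Add(@{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile'; Name = 'EnableFirewall'; Bad = 0; Why = 'domain-profile firewall off' })
    foreach ($sc in 'HKLM:\SOFTWARE\Microsoft\Security Center', 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Security Center') {
        foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UacDisableNotify',
                       'AntiSpyWareDisableNotify', 'AutoUpdateDisableNotify', 'InternetSettingsDisableNotify') {
            $checks.Add(@{ Path = $sc; Name = $n; Bad = 1; Why = 'Security Center notification suppressed' })
        }
        $checks.Add(@{ Path = "$sc\Monitoring"; Name = 'DisableMonitoring'; Bad = 1; Why = 'Security Center monitoring disabled' })
    }
    foreach ($c in $checks) {
        $v = Get-ItemPropertyValue -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -ne $v -and [int]$v -eq $c.Bad) { $findings.Add("$($c.Why): $($c.Path)\$($c.Name) = $v") }
    }

    # 3. Firewall exceptions whose program path lies in a user profile (the report
    #    adds winlogon.exe to the StandardProfile list of all three control sets).
    $list = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
    $key = Get-Item -Path $list -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            if ($name -match '(?i)\\Users\\') { $findings.Add("Firewall exception for user-profile binary: $name = $($key.GetValue($name))") }
        }
    }

    # 4. Persistence: executables in the per-user Startup folder, and active hosts entries.
    $startup = Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'
    foreach ($f in Get-ChildItem -Path $startup -Filter *.exe -File -ErrorAction SilentlyContinue) {
        $findings.Add("Executable in Startup folder: $($f.FullName)")
    }
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $active = @(Get-Content -Path $hosts -ErrorAction SilentlyContinue | Where-Object { $_ -match '^\s*[^#\s]' })
    if ($active.Count -gt 0) { $findings.Add("hosts file has $($active.Count) active entries: $($active -join '; ')") }

    # 5. Internet Explorer page hijacks and the relaxed download-signature checks.
    $domain = 'directorio-w.com'
    foreach ($p in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                   'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main',
                   'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
        $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($n in 'Start Page', 'Local Page', 'Search Page', 'Default_Page_URL', 'Default_Search_URL') {
            $val = $props.$n
            if ($val -and $val -like "*$domain*") { $findings.Add("IE '$n' hijacked: $p -> $val") }
        }
    }
    $dl = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Download' -ErrorAction SilentlyContinue
    if ($dl -and ($dl.CheckExeSignatures -eq 'no' -or $dl.RunInvalidSignatures -eq 1)) {
        $findings.Add('IE download Authenticode checks relaxed (CheckExeSignatures/RunInvalidSignatures)')
    }

    return $findings
}

$result = Invoke-ReportIocAudit
if ($result.Count -eq 0) { 'No indicators from the report found on this host.' } else { $result }
```

DisableRegistryTools and the Internet Explorer values are per-user; the report shows them written under the SID S-1-5-21-4246620582-653642754-1174164128-1000, so on a multi-user machine repeat the HKCU checks against each loaded profile under HKU. The script reports rather than remediates: an IFEO Debugger pointing at a user-profile binary is conclusive on its own, but Security Center and UAC values can be set by policy and need the host's baseline before being treated as compromise.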
Processes
C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe (PID 2284, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739.exe (PID 1964, depth 2, no command line recorded)
    - Checks computer location settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\E696D64614\winlogon.exe (PID 3056, depth 3)
      command line: "C:\Users\Admin\E696D64614\winlogon.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\E696D64614\winlogon.exe (PID 1028, depth 4, no command line recorded)
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\E696D64614\winlogon.exe (PID 5076, depth 5)
          command line: "C:\Users\Admin\E696D64614\winlogon.exe"
          - Modifies firewall policy service
          - Modifies security service
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Sets file execution options in registry
          - Drops startup file
          - Windows security modification
          - Checks whether UAC is enabled
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies Internet Explorer start page
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
          - System policy modification
Read together with the SetThreadContext and WriteProcessMemory rows, the tree shows three hollowing steps, each into a fresh copy of the parent's own image: 2284 → 1964 (the sample), then 3056 → 1028 and 1028 → 5076 (the dropped winlogon.exe). The only non-hollowing launch is 1964 → 3056, which starts the dropped file. Every registry change listed under Signatures is made by the last process, PID 5076.
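The tree shows each stage created as a second copy of the parent's own image and then hollowed, with the payload living in a user-writable directory under a system-process name. As an added example that is not part of the report, the PowerShell below pulls Sysmon process-creation events (event ID 1) from the local log and flags both patterns. It assumes Sysmon is installed with ProcessCreate logging enabled; the function name Find-HollowingCandidates, the default 24-hour window and the list of mimicked system-process names beyond winlogon.exe are assumptions, and that list deliberately goes beyond the single name seen in this report.

```powershell
# Added example (not from the tria.ge report): find the two launch patterns from the
# process tree in Sysmon event ID 1 records. Assumes Sysmon with ProcessCreate logging.
function Find-HollowingCandidates {
    param([int]$Hours = 24)   # look-back window (assumed default)

    # winlogon.exe is the name the report's sample uses; the others are common
    # look-alike choices added as an assumption of this example.
    $systemNames = 'winlogon.exe', 'svchost.exe', 'csrss.exe', 'lsass.exe', 'services.exe', 'explorer.exe'
    $sysRootPattern = '(?i)^' + [regex]::Escape($env:SystemRoot) + '\\'
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddHours(-$Hours) }

    foreach ($ev in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Flatten the <Data Name="..."> elements of the event into a hashtable.
        $x = [xml]$ev.ToXml()
        $d = @{}
        foreach ($node in $x.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        if (-not $d.Image) { continue }

        $reasons = @()
        # (a) A process launching a second copy of its own image from a user profile:
        #     the pattern of 2284 -> 1964, 3056 -> 1028 and 1028 -> 5076 in the report.
        if ($d.ParentImage -and ($d.Image -ieq $d.ParentImage) -and ($d.Image -match '(?i)^[A-Z]:\\Users\\')) {
            $reasons += 'self-spawn from user profile'
        }
        # (b) A binary carrying a system-process name but running from outside %SystemRoot%
        #     (C:\Users\Admin\E696D64614\winlogon.exe in the report).
        $leaf = [System.IO.Path]::GetFileName($d.Image)
        if (($systemNames -contains $leaf) -and ($d.Image -notmatch $sysRootPattern)) {
            $reasons += "system-process name outside $env:SystemRoot"
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Time        = $ev.TimeCreated
            ParentPid   = $d.ParentProcessId
            Pid         = $d.ProcessId
            Image       = $d.Image
            Parent      = $d.ParentImage
            CommandLine = $d.CommandLine
            Reason      = ($reasons -join '; ')
        }
    }
}

Find-HollowingCandidates -Hours 48 | Format-Table -AutoSize -Wrap
```

Sysmon's process-creation event carries no creation flags and nothing about SetThreadContext or WriteProcessMemory, so rule (a) is a proxy: it fires on the parent/child image equality that every hollowing step in this tree exhibits, not on the injection itself. Some browsers and updaters legitimately spawn copies of themselves from user-profile paths, so the value of the rule lies in its combination with the system-name check and with the registry findings rather than on its own.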
Network
-
Remote address:8.8.8.8:53Requestwhos.amung.usIN AResponsewhos.amung.usIN A104.22.74.171whos.amung.usIN A104.22.75.171whos.amung.usIN A172.67.8.141
-
Remote address:8.8.8.8:53Request164.2.77.40.in-addr.arpaIN PTRResponse
-
Remote address:104.22.75.171:80RequestGET /swidget/26n2qf7pnk0x HTTP/1.1
Host: whos.amung.us
ResponseHTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: no-cache, no-store, must-revalidate
location: http://widgets.amung.us/small/00/3.png
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 774c67f5cac00eac-AMS
-
Remote address:8.8.8.8:53Requestwidgets.amung.usIN AResponsewidgets.amung.usIN A104.22.74.171widgets.amung.usIN A104.22.75.171widgets.amung.usIN A172.67.8.141
-
Remote address:104.22.74.171:80RequestGET /small/00/3.png HTTP/1.1
Host: widgets.amung.us
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 311
Connection: keep-alive
last-modified: Sun, 13 Jun 2010 09:48:29 GMT
etag: "4c14a96d-137"
expires: Sun, 27 Nov 2022 23:18:10 GMT
cache-control: max-age=2678400
access-control-allow-origin: *
CF-Cache-Status: HIT
Age: 734679
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 774c67f90e90b737-AMS
-
Remote address: 8.8.8.8:53
Request: c.statcounter.com IN A
Response: c.statcounter.com IN A 104.20.219.77
          c.statcounter.com IN A 104.20.218.77
-
Remote address: 8.8.8.8:53
Request: d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa IN PTR
Response:
-
Remote address: 104.20.218.77:80
Request: GET /7040548/0/9a85091e/1/ HTTP/1.1
Host: c.statcounter.com
Response: HTTP/1.1 301 Moved Permanently
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 05 Dec 2022 12:23:11 GMT
Location: https://c.statcounter.com/7040548/0/9a85091e/1/
Server: cloudflare
CF-RAY: 774c6885395c7278-HAM
-
Remote address: 8.8.8.8:53
Request: jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com IN A
Response: jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com IN A 35.205.61.67
-
Remote address: 104.22.74.171:80
Request: GET /swidget/243dr2pd8x85 HTTP/1.1
Host: whos.amung.us
Response: HTTP/1.1 307 Temporary Redirect
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cache-control: no-cache, no-store, must-revalidate
location: http://widgets.amung.us/small/00/3.png
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 774c69d8feb9b7eb-AMS
-
Remote address: 35.205.61.67:80
Request: GET / HTTP/1.1
User-Agent: �����������Ī��������¥��������֡��ư���ä�ο���ʪ
Host: jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com
Response: HTTP/1.1 302 Moved Temporarily
Date: Mon, 05 Dec 2022 11:24:12 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=67bc311c284e59f30e1dc63d6e7b8217|154.61.71.13|1670239452|1670239452|0|1|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
Remote address: 104.22.74.171:80
Request: GET /small/00/3.png HTTP/1.1
Host: widgets.amung.us
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 311
Connection: keep-alive
last-modified: Sun, 13 Jun 2010 09:48:29 GMT
etag: "4c14a96d-137"
expires: Sat, 26 Nov 2022 12:55:49 GMT
cache-control: max-age=2678400
access-control-allow-origin: *
CF-Cache-Status: HIT
Age: 858497
Accept-Ranges: bytes
Server: cloudflare
CF-RAY: 774c69da08f2b891-AMS
-
Remote address: 104.20.219.77:80
Request: GET /7040553/0/edbb565e/1/ HTTP/1.1
Host: c.statcounter.com
Response: HTTP/1.1 301 Moved Permanently
Transfer-Encoding: chunked
Connection: keep-alive
Cache-Control: max-age=3600
Expires: Mon, 05 Dec 2022 12:24:06 GMT
Location: https://c.statcounter.com/7040553/0/edbb565e/1/
Server: cloudflare
CF-RAY: 774c69da7b8dcacd-HAM
-
Remote address: 104.20.219.77:443
Request: GET /7040553/0/edbb565e/1/ HTTP/1.1
Host: c.statcounter.com
Connection: Keep-Alive
Response: HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 49
Connection: keep-alive
p3p: policyref="http://www.statcounter.com/w3c/p3p.xml", CP="ADMa OUR COM NAV NID DSP NOI COR"
expires: Mon, 26 Jul 1997 05:00:00 GMT
set-cookie: is_unique=sc7040553.1670239446.0; SameSite=None; Secure; Expires=Saturday, 04-Dec-2027 06:24:06 -05; Path=/; Domain=.statcounter.com
CF-Cache-Status: DYNAMIC
Server: cloudflare
CF-RAY: 774c69dbd8a37264-HAM
-
Remote address: 35.205.61.67:80
Request: GET /1 HTTP/1.1
User-Agent: �����������Ī��������¥��������֡��ư���ä�ο���ʪ
Host: jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com
Connection: Keep-Alive
Cookie: btst=67bc311c284e59f30e1dc63d6e7b8217|154.61.71.13|1670239452|1670239452|0|1|0
Response: HTTP/1.1 302 Moved Temporarily
Date: Mon, 05 Dec 2022 11:24:12 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=67bc311c284e59f30e1dc63d6e7b8217|154.61.71.13|1670239452|1670239452|0|2|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
Remote address: 35.205.61.67:80
Request: GET /1 HTTP/1.1
User-Agent: �����������Ī��������¥��������֡��ư���ä�ο���ʪ
Host: jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com
Connection: Keep-Alive
Cookie: btst=67bc311c284e59f30e1dc63d6e7b8217|154.61.71.13|1670239452|1670239452|0|2|0
Response: HTTP/1.1 302 Moved Temporarily
Date: Mon, 05 Dec 2022 11:24:13 GMT
Content-Type: text/html
Connection: close
Set-Cookie: btst=67bc311c284e59f30e1dc63d6e7b8217|154.61.71.13|1670239453|1670239452|0|3|0; path=/; Expires=Thu, 15 Apr 2027 00:00:00 GMT
Location: 1
-
Sent    Received  Pkts sent  Pkts recv  Request                                                    Response
260 B   -         5          -
260 B   -         5          -
260 B   -         5          -
260 B   -         5          -
260 B   -         5          -
260 B   -         5          -
322 B   -         7          -
322 B   -         7          -
260 B   -         5          -
260 B   -         5          -
243 B   479 B     4          3          GET http://whos.amung.us/swidget/26n2qf7pnk0x              HTTP 307
322 B   -         7          -
264 B   848 B     4          3          GET http://widgets.amung.us/small/00/3.png                  HTTP 200
260 B   -         5          -
248 B   438 B     4          3          GET http://c.statcounter.com/7040548/0/9a85091e/1/         HTTP 301
368 B   132 B     4          3
260 B   -         5          -
685 B   5.5kB     10         9
190 B   92 B      4          2
243 B   479 B     4          3          GET http://whos.amung.us/swidget/243dr2pd8x85              HTTP 307
690 B   486 B     9          5          GET http://jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com/    HTTP 302
264 B   848 B     4          3          GET http://widgets.amung.us/small/00/3.png                  HTTP 200
248 B   438 B     4          3          GET http://c.statcounter.com/7040553/0/edbb565e/1/         HTTP 301
888 B   6.3kB     11         9          GET https://c.statcounter.com/7040553/0/edbb565e/1/        HTTP 200
524 B   486 B     6          5          GET http://jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com/1   HTTP 302
674 B   446 B     4          4          GET http://jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com/1   HTTP 302
59 B    107 B     1          1          DNS whos.amung.us                                          104.22.74.171, 104.22.75.171, 172.67.8.141
70 B    144 B     1          1          DNS 164.2.77.40.in-addr.arpa
62 B    110 B     1          1          DNS widgets.amung.us                                       104.22.74.171, 104.22.75.171, 172.67.8.141
63 B    95 B      1          1          DNS c.statcounter.com                                      104.20.219.77, 104.20.218.77
118 B   204 B     1          1          DNS d.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.3.0.0.0.5.0.8.0.0.3.0.1.3.0.6.2.ip6.arpa
89 B    105 B     1          1          DNS jly0i2iy01uss86ctn3jrfhbn9coq6.ipcheker.com            35.205.61.67
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 2KB
MD5: 97acf0930ce9f2f69d40ed8e1178cec6
SHA1: 6380a2d97e4b4ccc3b4598cc2d431702e54ed69c
SHA256: b38f02de41dbb7db433a5f440dff85432150ff71d53b7ef8792d96da80962343
SHA512: f49c8a4fa51127e7d8b71cd0257bbedc8855ea708ec0e313e5071b656aedb815b55e51619df24ed967c4df0e685a4940cc1f123aa4ee0198a3d1ada1b42480e1
-
Filesize: 472B
MD5: f1dacaaa678dfa6d22420a8b46047d44
SHA1: 8b80f47f01cc0714a47ff3d734b6bce89756ec26
SHA256: 6533e522fdc5ac5af0079b6c4599cee64810a54671c9e4c49f8a79597b57926e
SHA512: 34682d276393fe8c92c96fd8d0e61fd05aced08f6a10278da01fb1294177a8021021ad9c409e56381976f80ba99922c6aacde19084df2fcfff29fbd28108a1f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Filesize: 488B
MD5: 546c997f0108e1b31bc226984116d980
SHA1: 9bfc6dbe24652dc34011ccf8f1846ff567278b33
SHA256: 99f303b169ba7418cdac43e29fa938b17b2082ed2c96c680f5eb299cd41edda0
SHA512: 2e2e5e28542492f3a659b79dcbb571ac73599451796ab46266685a46c441eb7189e9ca59a695b886206dd7902fec1ae440c2bbb4fade63f26be4e90a44355661
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2119239CBE0D3DBEF6F19E0B10265873
Filesize: 476B
MD5: 4d668ed15bc3269e8d167e7c189578a5
SHA1: 4051d0b57b6d0c18fc6bd2ed8f2d69120a1b8e06
SHA256: e2c8476791a382b5849ef02f2942a7ed2873c12b6e7d8de227131cc7b4a10c6b
SHA512: a61acf165922b4f36d48b4a6ebe11340d4010de71fd1e006e42ece498cf8b24949115985eacc3065866b0620c7eff062b98a28b263e4903729c9261758e3d764
-
Filesize: 848KB
MD5: f9c7e26ef27c5ee51e323bf44fbb55da
SHA1: 38893810448f1383dd44350c4c90d7fc72249680
SHA256: d91d6c74d354857642493e7110a027a442ad3af7a258174d76851dd1474e3739
SHA512: 763638f935321c29cb627a8c600c6586e6dafc5018ac369b850c3c7b2087baf1c6e1a4bc2b69cad15646e916da5cb2b4f0f0f884e92d07e985bc08ac2be86854