b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

Analysis

max time kernel
152s
max time network
184s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
02-12-2022 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe
Size

1.2MB
MD5

03bb57c0b709f25040a1b9251aadb7eb
SHA1

3927c036a94e084eb629c196492565cd4db53eba
SHA256

b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183
SHA512

6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170
SSDEEP

3072:qXJCFRSt63wPwWYhVTjJ5cHymR7w0YmS8O:LdnWYD95z4w0Dt

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
1900	winlogon.exe
1156	winlogon.exe
1844	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fnrb32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nsched32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spysweeper.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\defwatch.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schedapp.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symtray.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpers40eng.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcscanpdsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spider.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firewall.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\persfw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monwow.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcdsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wimmun32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wingate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpcc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfinet.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lucomserver.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgavrtcl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atupdater.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\n32scanw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalarm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Diskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ifw2000.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccwin98.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vptray.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wmiav.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pcc2002s902.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navapw32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netarmor.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwservice.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2servic.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwinnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\etrustcipe.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\minilog.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monsysnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe	winlogon.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/2044-73-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1156-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1844-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1844-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1844-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1844-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/1844-98-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe
2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1900 set thread context of 1156	1900	winlogon.exe	31
PID 1156 set thread context of 1844	1156	winlogon.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://7ckv792fxz8e87o.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://21898qh7r9vs775.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://7ixm57td6ex08c4.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000096a4c94f695e61b6f5c34d6ef2bf72a1326316245c8f7cf4f120a653b0d2905a000000000e80000000020000200000003d011110efb96d992ca472ec82b5475d96f66fca09632a26de2974d0a706f80f200000006de8e74afb72b8751395b9219920136cecad25fe5abab2f55e772bace8c1932840000000c4fb29ff0e27d002868a5ac93f8df1ee69b21daf01964ae5d76da2bbb037b85811aafa78f0c615f277f492c6080f66b473ef227482403e4a49212fd72e08af07	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://9005yz079i8euc3.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://l6w4krv6ym37my1.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377008372"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://32uy75s82yis0yr.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af00000000020000000000106600000001000020000000f7c5a81bbf8bd55fae6ce9ab14274c0bd6a5a64728f7a37a682e4063c1e1040f000000000e800000000200002000000084906307741192cc1dc2d6f93eed8b955f9b6356f1e88d6d1816ae560411be5b90000000b1d0d8460688190e9be0c79c31962101141792372441db08bcd57d90ed6734f35604f1937fa783febc98c51632cfde194cb0d8f685c1eeb2924f17ea054d4e66b56adaed72636d8ad2dde83ce8b990fd723cae7f827cb4b6e1cdaae2701af623017b36359937f89a2b416114411f01ec1e450a805a85d46a7dc456901968bca0bc2349fd5c8c452cba0e3a6662a9141b400000006dcf97ec2e7d7c9580d389b50c9530aad7af2fdb7befd14b2988f7b8b8ed1f56785aa8dbcc63bd16148ddde4ec41e259645f478679a5e3a96439e21c28a16ec7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{824A93D1-7498-11ED-882A-F263091D6DCE} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90c5ee5fa508d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://16n00qi68v17pi5.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://0v616w8jdg84nug.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://93enlc958sb8z7g.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://x3791m440x1se02.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1844	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1844	winlogon.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2004	iexplore.exe
2004	iexplore.exe
2004	iexplore.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe
1156	winlogon.exe
1844	winlogon.exe
2004	iexplore.exe
2004	iexplore.exe
768	IEXPLORE.EXE
768	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
1768	IEXPLORE.EXE
1768	IEXPLORE.EXE
2004	iexplore.exe
2004	iexplore.exe
2164	IEXPLORE.EXE
2164	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 1780	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	28
PID 1212 wrote to memory of 1780	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	28
PID 1212 wrote to memory of 1780	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	28
PID 1212 wrote to memory of 1780	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	28
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 1212 wrote to memory of 2044	1212	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	29
PID 2044 wrote to memory of 1900	2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	30
PID 2044 wrote to memory of 1900	2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	30
PID 2044 wrote to memory of 1900	2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	30
PID 2044 wrote to memory of 1900	2044	b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe	30
PID 1900 wrote to memory of 268	1900	winlogon.exe	32
PID 1900 wrote to memory of 268	1900	winlogon.exe	32
PID 1900 wrote to memory of 268	1900	winlogon.exe	32
PID 1900 wrote to memory of 268	1900	winlogon.exe	32
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1900 wrote to memory of 1156	1900	winlogon.exe	31
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 1156 wrote to memory of 1844	1156	winlogon.exe	35
PID 2004 wrote to memory of 768	2004	iexplore.exe	39
PID 2004 wrote to memory of 768	2004	iexplore.exe	39
PID 2004 wrote to memory of 768	2004	iexplore.exe	39
PID 2004 wrote to memory of 768	2004	iexplore.exe	39
PID 2004 wrote to memory of 1768	2004	iexplore.exe	44
PID 2004 wrote to memory of 1768	2004	iexplore.exe	44
PID 2004 wrote to memory of 1768	2004	iexplore.exe	44
PID 2004 wrote to memory of 1768	2004	iexplore.exe	44
PID 2004 wrote to memory of 2164	2004	iexplore.exe	46
PID 2004 wrote to memory of 2164	2004	iexplore.exe	46
PID 2004 wrote to memory of 2164	2004	iexplore.exe	46
PID 2004 wrote to memory of 2164	2004	iexplore.exe	46

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe
"C:\Users\Admin\AppData\Local\Temp\b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:1780
- C:\Users\Admin\AppData\Local\Temp\b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1156
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1844
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:268

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1852

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:537609 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1768
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:472083 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
92befa03a7c35124ad47591735df0972

SHA1
bfb88699cbc008974398da97f189b5b6325d8520

SHA256
ba7e165d3126a33d77e5822f10675d2e029a399e43331e32968bb171107b2e2c

SHA512
83e0cbdfbbd9f1178eaa5e5b9310ac5c5da9d59a015440de47138dce99e6f155f22b5eaf6d842338eff65a2d39eed1f9e6042792f222d24c02814a65d5839ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
2e388f1ab4ec88104f57cf23944ee684

SHA1
39178c45ed645709cc388d5790b1b58a3272a62f

SHA256
e33b88f6f77d90b65a8fed943a45623e51f1efbdae401a1652f24be68408dba0

SHA512
22af60fc3194a92d63f24d32ad053927e046c75426f14d30312d878351aa7f4fcfc1236c3d60a08f0b8474643203e1f799d96e3ca1b19b7d8c7e65638a7859a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
b49b64214b0f91b91f05051dc94f9144

SHA1
9c89cf6861aafa9729e834cb06ba31a6f6835218

SHA256
e41f4bb6f2ee820c9fd13582d5b9adbbe13292b2761ec96f479ff53306cb6c79

SHA512
b6375d88dd0f5c17de1f10be481c9d328a213fd68f7ec40c19078c1348097d742f192a01f6bb83dfdcc187920a4c00437b65c27c59c9907096cdea5a7a969436

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
5787d6a09af8da935e4bbd9ee596eb6e

SHA1
db311367598196c051090249a1ec9cb07a83b9ed

SHA256
caf038249863a78ef055d713c994914abcfa413a552c0fd8587ccdc324666337

SHA512
ded5e4be8f43ff807dc94777cbda0a66263488d882fbfc3ecb0f5cada41b236764dde0c201f50bb178b82a852b2501175aa1e823ade65e77aebf2a55ff640e08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
f98866cbc90a00d6c646899ac8ff61ef

SHA1
23a4e7da2cdf474c869c64e17975df7e75261e0d

SHA256
dab427c4a54c4bd9e0f317e63d1bf94ea313f9fb955fd7edc0bb7f4ef14ae8d7

SHA512
764fc61c6f94d92e9d682aae00da1477cbc82f610ca8246bc21ea9c668113b786e3acef6b668e2d92037b2cb43c68756ccb8b3c6c9a3be7ad452a6ce843bf520

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
a188093d44515b6c81086919dc3325df

SHA1
27d3b3e53843aa95c621f0f41b743775431b7d52

SHA256
f7da81d89437c6a4779984318560f57d781c349242d59fc27c17fd312a7dc91d

SHA512
0db6444c2bee7fd8327b1433813cb62c7519578025b75733c93e47d378d475196d709607f5495f6b46da77c59f81e80eac1a6b617db57d1e8d93e6ac003d1de8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
41375a4e505ab1651b839a664c4cb831

SHA1
cbb8ae31f7b649597b4a0b157f3a1e4c65ee2d33

SHA256
4e26f269c003a00db7564416d08744487da2a181c8139cdab888c50f0145a726

SHA512
88f07ef9504ec58dcd30cef4173065ccc7c4e7a4ad9ff26dde00fa68d8124f6b8dafabcc245bfde03cf9d17364691af009d98efef3c2065561bffe2ce27c4f70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f37b6c6b7ad840e45882c12eafda1264

SHA1
bd8dc6bf396e8abd87c5db6cf7e73e4ebbeb3c37

SHA256
4f1e5e103b1d4c674396942ddcbb2f25cfbfecbe6d403f91d43e76c00249a4c6

SHA512
9d14934fe8f54ae720b366e4494a9ad33ef15878b592d47dceebda72fba10f1f45cc8ac8810bc94a493f1b3777e4d741729416e662b7fad1ec83a7b768664f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
04208abc94e6bbd6b1d44ff6df87c476

SHA1
31b9b1343b1eeda7364e4182792db1fc23b22bf8

SHA256
f8965d04ac0ceb77829ce1f07f449dd5e23aefcb2b4deccdc49efc7a40931100

SHA512
0d25dbbbb34a44dacb94b179ef4c399883826d8aaa75bf0217f7cfee1ffdbd36fc8caa60e16c8a5f6a8b0ac3401e51beb650a70de31c1fdc523c4c70ca3415e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
64ba18d31064729c6ad7de40782e3626

SHA1
4a17c88db4f0448784c677fca07e01d9290f7526

SHA256
fd816a2cb98b3f2715334fc31859c3fea650f74530f0625aa3ae9f912498130f

SHA512
b86203584b8560359563e27a3ec93b08c79d9a6ba0688c1a532920044f4a105077c619f13dcc375268b0414c81dc52bff1d818a24a00f017d2515768f88a2361

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
ac3d99dd501d5b4b02bebfedf279c189

SHA1
a625b7bd8ba744922ae114b46023109749af4ec4

SHA256
e99f14c1abed040850b9a1d9d9ad25818859f985d8a1f4094b8ea933bcdbf28c

SHA512
1b424fd5b30ef4d698d450a403c9bf4fb6f64b3d55e67cf5f1c120061f20ba603a59deb1d4f271eee3a945b406e805e9e5066bda9371f3ad2f8258d6c24828bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
f701f7a50609f85c0eff96f9681600fb

SHA1
cff9acd585045ab5102aa95d2632e2a014ae8662

SHA256
ee4ddad57ddaf944946c3261258e87aa8383294ec20352334db3ca3b53e4ea34

SHA512
508ac13b61444849476c7e7dcd8f9e76eb667fbb3cf0de8f19bc60720c13aefe04eedfcfd73527e0e0068482ee898844a0eccca914e9b8fe6a3ca43a2f00eea3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
01a0d6e1992e3709aee225908ec0a61e

SHA1
8cf91e942cb38c0587beb9a60f21260c2ed935d2

SHA256
c2ee268f1cdad9a7fab5fe619cbabbb05145774a5e142034d72eb3cb1471be68

SHA512
667030eecd99b71433412bf4b17e16f6748eb7956bf7328a27694721569ffbcb7bfed4632dfb38a237c0c400c6967319292ef1eb8cdd5b48778efa92380dacb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
b846cbfec7b8ca2d21b8419399e744fc

SHA1
a0ccd9f4103f705a0abfe5e0a29a9b15da6d4894

SHA256
7d5c5685cdbd372a5d70f32aed59b87f7d2c4b646bb17d4883a27ece860f9f25

SHA512
0910166785f11bd5e795f99582c2f63de8da13e659d4667a755199e0cfb47e22436427827a2872702b93c6a60893e24a856c858475125876d40d2d4a79784111

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
64cfbf895f05d2761733f111951499ba

SHA1
d20364768e3f765fea91c73990bb48354c89c7d2

SHA256
55eb2de1c10fddaf02218b9b558de585af69d3138cd9cea17486b74b5e328219

SHA512
b0b9acbc64699d1f4f38553665f11a5f2197c19d25da803f84debf0c3c827a7f9dfcdc058ba2a3e171050e46e132b4994b66b81a81ba328f38d4340eb1de51c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
9b838fab836ac0b3052641ae79637c6f

SHA1
65fc7d880824f9b4e18c1a51ba637c73fabcceca

SHA256
23edb73d98f97e19908bc78a42b87e8ddc5ad0e007b585b9f77f5720ef831ff3

SHA512
2a6d4b4fad6c2f72171b4d39770f5f85e9c9d5ce3595c7c842f277f71f09cfcb59ca3db5011f4ff99fb38e441f082b4e81d49874d88dfb21d2c74c0fce8ad1b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
234ccae925466534f8c31b2a3bd6a383

SHA1
0fb3affcc38c16a13d02663b36cad1ca7444b3d2

SHA256
576ebddf119d08591c974482c4e413debc8c13f27ded9326d5de1f3958624c9d

SHA512
c88dadac5d86ed8f865f51097975e61192774050c3b3597a2933ebc93a45947b98cb7d2c867917b8d1fc42c02da0d4b1a3179848fc935cc7b62a13cfafa38280

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
f0f57b457f15d1b3e913ff3432de9078

SHA1
1fe75f0c5fe812d62b3c32856ddbb94a43e22971

SHA256
f629ee7bf302a412c91adde31bd886452dac47d5a151f39d0da16e79becfb34a

SHA512
ef8f5da4f92010848fd61269f200273079a845645ad86fc5f7e8e9c022543c3afc1a28d94200827c61f2bb364250b1497ea03fe1d4e01631a90c6b7445790aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\A3D682R8\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BZO7JXX5.txt

Filesize
111B

MD5
bee5ee8267034cd070ef30ee3a5d67c2

SHA1
36e1f26ebe2863952514e3d607d0d290e7622f55

SHA256
70960274a0a15054054d46a39b6c2850d70e2810c7e35c03008205edf49b49ef

SHA512
0388421e39daa46e86f10a8ef60a74b7154e226d6b630b0660c6e9e5097adb14b8f23694b0f0b213eb7fd7cb7e460682caea71a5b8d93dbf28485ee4afe765ef

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PTLPW52E.txt

Filesize
608B

MD5
c1c3ddc134a3d30f2e391e973413bb76

SHA1
cf96431fb501cb04925275476585cdea0852f4ec

SHA256
a72463111316f952026dc83735017cff25355297b6c6dac4d205307f3cc976eb

SHA512
f363202504c50390fa43dd503a665ece11c6b4e0a2eaef64254eea68b6640b507edaaa73f4740afe1fc2f8bdd24e8d0dd6f54eea33cf18a4e4eb853e445037ee

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
1.2MB

MD5
03bb57c0b709f25040a1b9251aadb7eb

SHA1
3927c036a94e084eb629c196492565cd4db53eba

SHA256
b218041ae37bb4f37715722d97a5d7b7b6fa7de3bcffb0b2ccbdeb5b93bbf183

SHA512
6b7b3d3c41825a46e931f209afe126b35c982ddc840caeca7597c32736bf4fc4dacbe447f6982654b0e922ce3db63422d0d44d0eee728cdf92a17ec737d5c170

Download Submit
memory/268-71-0x0000000000000000-mapping.dmp

Download
memory/1156-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1156-79-0x000000000041AB30-mapping.dmp

Download
memory/1780-54-0x0000000000000000-mapping.dmp

Download
memory/1844-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-98-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1844-89-0x00000000004416D0-mapping.dmp

Download
memory/1844-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1900-69-0x0000000000000000-mapping.dmp

Download
memory/2044-73-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-66-0x00000000761E1000-0x00000000761E3000-memory.dmp

Filesize
8KB

Download
memory/2044-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-60-0x000000000041AB30-mapping.dmp

Download
memory/2044-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2044-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download