cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

Analysis

max time kernel
184s
max time network
192s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
Size

714KB
MD5

e0912b352fc80c40bdf45903c00cd0a4
SHA1

82e04df444b21c11e7378cfe6516d2b9e9f9c94d
SHA256

cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8
SHA512

6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6
SSDEEP

3072:iyf8n+BnNpiXN5U+M/hQuaCA3VMxDJAQO7LN:i/+BnNpCqP/hQuavirOH

Score

10^/10

evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 14 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-70554750"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-53342401"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-57951861"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-28956246"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion
Disables taskbar notifications via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Executes dropped EXE 3 IoCs

pid	Process
720	winlogon.exe
1820	winlogon.exe
952	winlogon.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_findviru.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgw.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\generics.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvsvc32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pccntmon.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vcsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsave32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmor.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\periscope.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winsfcm.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vet95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cwnb181.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ecls.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navlu32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pop3trap.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rshell.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shellspyinstall.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drvins32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\perswf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sysdoc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navnt.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupdate.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webscanx.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HostsChk.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hacktracersetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcconsol.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieCtrl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\icmon.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nc2000.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netspyhunter-1.2.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavcl.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portdetective.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gpedit.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naveng.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpf.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfw2en.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pf2.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcpsvs32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\portmon.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avrescue.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mfweng3.02d30.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/620-56-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/620-58-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/620-59-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/620-62-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/620-63-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/620-71-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/1820-87-0x0000000000400000-0x000000000041C000-memory.dmp	upx
behavioral1/memory/952-88-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/952-92-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/952-93-0x0000000000400000-0x0000000000443000-memory.dmp	upx
behavioral1/memory/952-97-0x0000000000400000-0x0000000000443000-memory.dmp	upx

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Anytime Upgrade.exe	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B9373D14A02BC13F1345A3F7BC53B8BCC98D3B04DD0CD9CF = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\E50B29BAACAA360FCC344254F83743208BA6735D23877EED = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 720 set thread context of 1820	720	winlogon.exe	32
PID 1820 set thread context of 952	1820	winlogon.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Control Panel\Sound\Beep = "no"	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 57 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://e5835r87003wkuz.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af000000000200000000001066000000010000200000009551b86fef57acb6d47dd0cddf599c8a8fc5179536dd4f5ab37b9b20f7192638000000000e80000000020000200000004ed83f251d1044657c9f2c1f8beddb8440cb71163e248f7e99c36698ba3e2db8200000004ee792a2b46b4064817c0cf9600b72b0cc898b71c95bdd0b551d7271b6973d0240000000a8f735d68cb05fb75f475e8ddb13a634861dd79a4edaf1052be640e0ee0f3a369078783bd9053a07d35919ce2026a7a2647c657d202d85cf6d0ac8e5f1f0bddd	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://iil92oqlf021dm8.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://k1g8ri1795p4gad.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage\buscaid.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://bpeq46bh07fw441.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://o6qtli08ttfk34d.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000047fa795b3a3be444240fbe4e1b79655f950926bf1bdb29edb3355cfa537a1d7b000000000e8000000002000020000000954a5a397f39b95e8e50b52015b174d72a9117163cfdfe03b958423b5f34f95190000000fea379fb4ea5a76a92b4bfa6ff47ed8359dcd8da6d95546c5af83d78239f62d2816d30f47b82b6e1234e70f909664bf1eb000ebd09264b17ac823888349ed2e2584a573c00f99903874ad3474127e2aea8c4d310edd94387212af65872e6077a1a686dc3beb419824bc2f4b9e071fd98fa6ac74e5e5fd44600c06fca4a8ebc2597b6e12a20c0770ffdad8dac8e8a99214000000044595099e3f8933f4731433dfe55303ee33216d8d031f3fea90b0f5aa0f5f5a60bfafe834258cc7ef0e284f34f9abc446d1156132d41d23ff86192db6260b8e3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://71q20j6602741qt.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "no"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://burh145f7yht4uc.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://q75s3259j77k6q3.directorio-w.com"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E536F981-7578-11ED-90CA-EA20C184BE27} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807087c88509d901	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "377104746"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://f7yicut5z445q38.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://1847uef416n3v7x.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
952	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	952	winlogon.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
948	iexplore.exe
948	iexplore.exe
948	iexplore.exe
948	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
1820	winlogon.exe
952	winlogon.exe
948	iexplore.exe
948	iexplore.exe
1444	IEXPLORE.EXE
1444	IEXPLORE.EXE
948	iexplore.exe
948	iexplore.exe
860	IEXPLORE.EXE
860	IEXPLORE.EXE
948	iexplore.exe
948	iexplore.exe
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
948	iexplore.exe
948	iexplore.exe
2232	IEXPLORE.EXE
2232	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 524	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	28
PID 944 wrote to memory of 524	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	28
PID 944 wrote to memory of 524	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	28
PID 944 wrote to memory of 524	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	28
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 944 wrote to memory of 620	944	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	29
PID 620 wrote to memory of 720	620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	30
PID 620 wrote to memory of 720	620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	30
PID 620 wrote to memory of 720	620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	30
PID 620 wrote to memory of 720	620	cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe	30
PID 720 wrote to memory of 856	720	winlogon.exe	31
PID 720 wrote to memory of 856	720	winlogon.exe	31
PID 720 wrote to memory of 856	720	winlogon.exe	31
PID 720 wrote to memory of 856	720	winlogon.exe	31
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 720 wrote to memory of 1820	720	winlogon.exe	32
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 1820 wrote to memory of 952	1820	winlogon.exe	35
PID 948 wrote to memory of 1444	948	iexplore.exe	39
PID 948 wrote to memory of 1444	948	iexplore.exe	39
PID 948 wrote to memory of 1444	948	iexplore.exe	39
PID 948 wrote to memory of 1444	948	iexplore.exe	39
PID 948 wrote to memory of 860	948	iexplore.exe	41
PID 948 wrote to memory of 860	948	iexplore.exe	41
PID 948 wrote to memory of 860	948	iexplore.exe	41
PID 948 wrote to memory of 860	948	iexplore.exe	41
PID 948 wrote to memory of 1968	948	iexplore.exe	42
PID 948 wrote to memory of 1968	948	iexplore.exe	42
PID 948 wrote to memory of 1968	948	iexplore.exe	42
PID 948 wrote to memory of 1968	948	iexplore.exe	42
PID 948 wrote to memory of 2232	948	iexplore.exe	43
PID 948 wrote to memory of 2232	948	iexplore.exe	43
PID 948 wrote to memory of 2232	948	iexplore.exe	43
PID 948 wrote to memory of 2232	948	iexplore.exe	43

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
"C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944
- C:\Windows\SysWOW64\svchost.exe
  C:\Windows\system32\\svchost.exe
  2⤵
  PID:524
- C:\Users\Admin\AppData\Local\Temp\cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8.exe
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:620
- - C:\Users\Admin\E696D64614\winlogon.exe
    "C:\Users\Admin\E696D64614\winlogon.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\\svchost.exe
      4⤵
      PID:856
  - - C:\Users\Admin\E696D64614\winlogon.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1820
    - - C:\Users\Admin\E696D64614\winlogon.exe
        
        "C:\Users\Admin\E696D64614\winlogon.exe"
        5⤵
        Modifies firewall policy service
        Modifies security service
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Windows security bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Executes dropped EXE
        Sets file execution options in registry
        Drops startup file
        Windows security modification
        Adds Run key to start application
        Checks whether UAC is enabled
        Modifies Control Panel
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:952

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1152

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1444
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:668686 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:930830 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1968
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:537626 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
8f0cea8e3d9160e901740f3bf325183e

SHA1
819fa0a35a71e111f290fec2ee3bcd4d5da0f634

SHA256
0638f0beb6b70f24360ae8191fa398c22dbac6d635be99a0226443f84f8b7b77

SHA512
e4394d276a8215b57dacb848bf8aa6a61111353c820204da68162f18d4e598d015836674a9fffc1d1858b38c22720c3a168e3b384d5ee81f838e47d089cd3aa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
472B

MD5
5006b8e985c5838b7fd2f2b558a65bc4

SHA1
183ff15e0faedf346305fd6fe1c70c9c7a1eef4a

SHA256
fcbfec9f5fd0e10d44778c1df64d8612281cd39881cdfd0aa8ca30d13655655a

SHA512
56526aaf34500a94404e83461b3580513be1f07b288485c7059fc1ec86b77cda50da613b7def2fe6a8e2d04bb3d522fdffb5f7e9293eab06e86cd2d6af24a1a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
1KB

MD5
624ec7959768fb34e94feee318b8dd0a

SHA1
417469bb00f00b7f7e9ef4bdfa4df7c1894df5cd

SHA256
53afc3fbd47ad4ebad0f488de3b2fcbadb9f293bdcd49abc3d6d59665c0fa06d

SHA512
de05ad95dd664e36d2277c973d904248d8741a13b41e33bb2a1174bbf7d16e91eb961a4ea51c722b16459cd902dfe619db103ea8815e2790462dde5359223b3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
1KB

MD5
750b6d5503f71d788477b92f46154b6a

SHA1
f06d67221f6014c471c1d6255a20f8d456141467

SHA256
aa86374e793614e4f866a2034dfb5c5a59f21a5b50e4d57517b2e36c552d106e

SHA512
a2d5b3f060971ef911edc9b40ea8f8c0ead2a0bc7cbb41e2a298a2d7dc7c478b72b46c721331db321b1dc111368476898d5080ffa9d574738dd93eee4047f746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
f569e1d183b84e8078dc456192127536

SHA1
30c537463eed902925300dd07a87d820a713753f

SHA256
287bc80237497eb8681dbf136a56cc3870dd5bd12d48051525a280ae62aab413

SHA512
49553b65a8e3fc0bf98c1bc02bae5b22188618d8edf8e88e4e25932105796956ae8301c63c487e0afe368ea39a4a2af07935a808f5fb53287ef9287bc73e1012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
db4d65cf5748459ffd0f2ea045b5daa2

SHA1
6854d0ffc712b6ae3aa663d1b582a2a990932226

SHA256
917f1e360554f9b1ffbf670d8e9e053ec8e9225f39463608ebdde7a2880ea84c

SHA512
15bea2331b03aff50fe62fe13fcf989d00325244b501c92a2b8cb8422ed73bf8004a3ac6c9be9c9b6cba21c8c8edf17c8730c5b4d3700969692b351b34819a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_46F574BDF8F8E3AC29733131E4667BA4

Filesize
402B

MD5
aa4ca89c11103f8499cdb5f7bc0e84ac

SHA1
2dee0fe52c988c1b1f651fe1492a617c3696a4fb

SHA256
60bf90427e02bcbb590e4817a5a3ddee4cc663e3ebb5f5756377d4bf4ca66edd

SHA512
cb6ac22cb824cf245e2717572ce518a2d662bd5cbc6b4f60194efb7a5790228cc32a6dc59714c21e5654565a37b76997d84848411ea720d679ab9f9a42c59d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\84AFE219AEC53B0C9251F5E19EF019BD_2C9D5E6D83DF507CBE6C15521D5D3562

Filesize
466B

MD5
7ae058986f1ead70ed682924d35590cf

SHA1
c4490d1015fd307fd5bece3f354e4db7ce03af20

SHA256
a83c485276b1f992bfa7273360a3d00daaf0c4dca0b6aa9d7ecd38054f18f893

SHA512
b31376c6f8b870ed3226029498d1311befb2f662ce839e1163269dbdd22d6ffb047fd1ef21fbb83f5bddd6986c6f3589f12e3d78d8bebdfb8f576bdff932c0dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
187acf68a79f5007e31b6fd349b191ba

SHA1
92965153dc1410ebb4bc4cbe63ec2b857df4bfc0

SHA256
755e94d699ebbc31e8c833b38c22623eacf73c987249770b8404ac8f39832b21

SHA512
9aca5bb12bc606e682b670fd88e4a7393f4e823dd4cc8f6abcfffb82647cd2f1037c710aff3cd2fe190d43eb8fa0245dc61ac33078f1f72e84f373ce47e2b055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7beed772769f4b2301de30bab25c437f

SHA1
10cbe320a519c2c865b6a552841af00a48dd3d50

SHA256
6f97b0b8196cf93001b2c79bf4d9e9672ced20fd3cea2ecf867318a45340ae23

SHA512
becbb2094e560e781983a3bcef61164c83221e43c862899f6dbe1c765145c1c2728794944298f3890bf671d2ffbfa59f9cfafb36eaa69c5924a91575a8a8e0ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4d7b8ac5b6748a8b9c8e7c067d85d9b

SHA1
6c70ec24f77034b77dfc536f7a44274d127b5cb0

SHA256
4fc2ce9ff018ea6c2f1c9b3b878a3f824f42866b24ee0afad2cabe5cf126fb13

SHA512
4ffd1c3599bdc7a5e32a09642f15e81fa4497ddee3628e4dfb2bd5063d3cec088f8542f5ce0b59245c7571e5da6c8e8cc998b6f79ad9ede85764e1d93a3c4a01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f48dfbcb2f65fb68982866a780c6b55

SHA1
cd0d30182911155bcd117201af25834e1a0a8313

SHA256
40fe6da2c312b54429dd48453759de1bb957cc3270032030ab3b33e2cc5b49e9

SHA512
cdffc8418129c9c632f55d63fdf98583721111230cca5418565b14420a4eb80784979befa4a60b0068182092ae10b22af4f0c6e49fcea6f681114dcf080917c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75f5506471899f1130f2351b82e739c1

SHA1
e6d2b9d6e40cdb2cad6aa2363af686bdfe528973

SHA256
fc77f53f7f0d38171743db6d1c4f798fdb641fa0606684dea11dbd48a8b29303

SHA512
52ae65eb90fcfaf5b887af99178a8189bbcb3938fa04729a3d5eb389791fa6880097ceff44bd190d8db25b147359430fa6198f742073f3b9cfa7c858eb6bcb39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8dfb3a6ba3e461bf574a35a5a0648f5

SHA1
a153b96fd87c1a9c2b2bc911150a3d998c5d66f1

SHA256
f3a6eb65fa66ba4d6c1d2582493d324a7b333542092a3f431bfb58adbadbc280

SHA512
2a2727a6c91c2f40b1958b52f01b3a07269dd4269a6c37f9f03873eb51854f82a025150551a19390767ada8f3576ea53ea0c5583245247deaa5b4e78887eed93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
824f9e1846b6e316b3a1d7a0a895331b

SHA1
a6fcb9f153b26a912a966a01278a16e47c8e690e

SHA256
da5487376420408dd5be700bc947d5d40ddddc6a48276dbf733f4e337a1db4f0

SHA512
62283468e73e6cad3e049a8f839fda1af89f91afed710791927971a060d96662f24d0e6dbabee03f8812cd4cc8c988ddff1205eb8c7b950472fb0255772e3581

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78c6fc450988e76b31fcbe24348e8e4c

SHA1
ad3f24fa2fc9f446ee287dcbee23b85826999924

SHA256
de13336e44e771dc4bd6022181b9072862f64b9c9a08beebeec8a2fb1b64d2bf

SHA512
63ae2459b7e2beff427d314b5c24a13fadebab209406c28ae78413c8135ec64aa437f458209c4901bd722580eec72a502b6e06f33ec9b9ef3ce9c125ffb4cf05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e26bdc7a4cafdff342fb7aefd342813f

SHA1
7380083ab9e073da86031c33d6b4038ebd9ac52b

SHA256
50751bbd189bf7445236feba19cdfeed2c53612637ed904c352f8d4192b8c161

SHA512
0cff8a02fe692785d10a1581e4cbd4cc2ba984460c5b9362522f6fd889e858fb7ced1ec5a6f0be6124d9bd797bf1dd6cc82d55d1ef0790d53d548de78703bc01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC2602F5489CFE3E69F81C6328A4C17C_849A9AE095E451B9FFDF6A58F3A98E26

Filesize
470B

MD5
fdb45a64d1d69693f189807ac1ef2101

SHA1
cacfc4e458d511efa5280779cc0f21d60927854e

SHA256
9033a3f1c81d00b73c06a019db633128e05327ebd5d6713f137d951aa937a50d

SHA512
297e0b76433c2563f2ac8efa4c0c4eb1b1ec30d4141e6e9c52425028968ca11e1eef081bc17be99b5e6a1e7f6e3499420d6af0eb5038c8f28ce9f61edb3cf4ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
eb917eacaa9b1e1ca9be36ec451cdf47

SHA1
de7ae60b0d617aca82d59ffbd2c1420a4e6439cf

SHA256
18bf89780f04ec2ee30792327053236acd9b328366302347ef0daea87ef8b82b

SHA512
6f4041b2f98f70704cc1878ba548ba9c52fa3fffbebf86a0f80dab207f89c9cfa000c887b3c4f83f661bef4b299b9e8f141d9514634982b7e2bb18b5252c6ecd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\D29F3W2T\www6.buscaid[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\LN51GWGI.txt

Filesize
600B

MD5
b782497cc5eb3a00883dc1219a33f788

SHA1
08adfa11ac224c958906768a944191ddde6253b0

SHA256
0b864b32fab11837f27e63a1eda5b217f7fbe893fe9b9d8cbb08f88647f903c5

SHA512
ee3cc8ae4db8074f5d452ef8999d6af0fe5df462e8d4aa062eba4d3ed7c111a22935a05a45f6fe762288b6b1970a3fa4ec8c18e1eed65b4d604b7a0f4301cfc1

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
C:\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
714KB

MD5
e0912b352fc80c40bdf45903c00cd0a4

SHA1
82e04df444b21c11e7378cfe6516d2b9e9f9c94d

SHA256
cd1e8f0773d893a1453245fa80b1a390f317aafa5feb61c290ac393950cc69b8

SHA512
6afbe05778e22b86544a8b628854ebb2507cc276f2a361ba155a390fab3d4e43f7dd14a74b0606610d0336a41cef4d2d7ba66c31fbd23d8559146fc32c3b56f6

Download Submit
memory/620-66-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/620-63-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-62-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-59-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-58-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-55-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-71-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/620-56-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/952-97-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-93-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-92-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/952-88-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1820-87-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download