dd5abd033864ac31910056f39b74ee1d7affd2ae1406399f8652465ed2429342

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe
Size

661KB
MD5

be7511bebd1d6ecaacb9e71637050bd4
SHA1

90178b89ada15bb6438a5bee70797d88da85f9b4
SHA256

dd5abd033864ac31910056f39b74ee1d7affd2ae1406399f8652465ed2429342
SHA512

118cbd4be152325880882eebd7e47263f36af74bd3536abbc15f7a24e472fc880c03eebab50bf4e17abdcfa516b97b5552b779e55245b029d6ad196300a92aff
SSDEEP

3072:CNnqDxIGX/9nDiG7t6yCAti1zxGJidD5iYAHg4Cs7lJgxwL0out:CNnxKL0oS

Score

10^/10

defense_evasion discovery evasion persistence spyware stealer trojan upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 14 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-54868393"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-9106552"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-50387924"	winlogon.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\E696D64614\winlogon.exe = "C:\\Users\\Admin\\E696D64614\\winlogon.exe:*:Enabled:@xpsp2res.dll,-95579694"	winlogon.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "3"	winlogon.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	winlogon.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antigen.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WerFault.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hidec.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msblast.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npssvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pingscan.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbwinntw.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardhlp.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netcfg.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoupdate.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navwnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ahnsd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanhnt.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ostronet.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HJTInstall.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UI0Detect.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\evpn.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lsetup.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nisum.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\route.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explored.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tftpd.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winhlpp32.exe	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apimonitor.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avptc32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwupd32.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHttpSrv.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pspf.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc42.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcc32.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pview.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEDFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SbieSvc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atguard.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\efpeadm.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trojantrap3.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winmgm32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SandboxieBITS.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mrflux.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msinfo32.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tgbob.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbcmserv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscanavshadow.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsav95.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mgui.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\serv95.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardgui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\edi.exe\Debugger = "\"C:\\Users\\Admin\\E696D64614\\winlogon.exe\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsma32.exe	winlogon.exe

Executes dropped EXE 2 IoCs

pid	Process
2092	winlogon.exe
2784	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe
1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Windows security modification 2 TTPs 15 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "0"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\DisableMonitoring = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\cval = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpyWareDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\InternetSettingsDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecAntiVirus\DisableMonitoring = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Monitoring\SymantecFirewall\DisableMonitoring = "1"	winlogon.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\0525D4443534A405 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\0525D4443534A405 = "C:\\Users\\Admin\\E696D64614\\winlogon.exe"	winlogon.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Indicator Removal: Clear Persistence 1 TTPs 42 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOHTMED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WXP.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DW20.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEUNATT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXTEXPORT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSFEEDSSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONELEV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETLANG.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCEL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OUTLOOK.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ACCICONS.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EXCELCNV.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSHTA.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OIS.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONENOTEM.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\POWERPNT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GRAPH.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IE4UINIT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPREVIEW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GROOVE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IELOWUTIL.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\INFOPATH.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WORDCONV .EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CNFNOT32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DWTRIG20.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANPST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SELFCERT.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOXMLED.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANOST.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OSE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WINWORD.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CLVIEW.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSOSYNC.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSACCESS.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSPUB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSQRY32.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSTORDB.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GOOGLEUPDATE.EXE	winlogon.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IEXPLORE.EXE	winlogon.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2092 set thread context of 2784	2092	winlogon.exe	32

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1736-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/files/0x0008000000015d59-5.dat	upx
behavioral1/memory/1736-11-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2784-68-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-73-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-72-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-74-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2092-131-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral1/memory/2784-134-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-571-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-577-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-583-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-589-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-595-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-1033-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-1039-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-1045-0x0000000000400000-0x000000000043F000-memory.dmp	upx
behavioral1/memory/2784-1051-0x0000000000400000-0x000000000043F000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Sound\Beep = "no"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\Sound	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures = "no"	winlogon.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Search Page = "http://55zg60sev6agdm5.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://ir94451l1ri4370.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439408914"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 809ded1ea945db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf0000000002000000000010660000000100002000000089de0b076fd7c986c3e410aa0b206e56bb76976146044bd30e61baca4978860a000000000e800000000200002000000057309c39732d5aac8f50a1ad3ba47a8e41161d782f9962cd3b96637fc51545c2900000003e36f81a2f0f202ea25ef100ee8d75e8b96719dc4d198c99b890a1535a8ed0489b10ea5ecbdc0be9cbd35eff6ed73488019b0a7857b22c441856431877e03fcc0cf758425b8c3f149b3e3acb977c7196d9a32c364ef6ada1d4df4732ab1c89dd5ec0f4b3933e356d9acbb706d7da4437bd610bbbd4cf57724b65a16872d720662bcb62778cdb8733ca08843236e36767400000007e65aca10ddca591a982e299b54eda1e1f7dc95506362e553f87207df21628374a520c539e8ad279cc3f2360900d6f8c5bebb758e4172ace3cd71b25af9c6cce	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://a92h138g84oq4qt.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{54ABBB51-B19C-11EF-8504-C668CEC02771} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a907cc1344750743988d8bab481dbfbf00000000020000000000106600000001000020000000f8fff3c5c09dcbf34f2d0408ea8f3d0805840a21f62c511e5f482c9a509f23e5000000000e8000000002000020000000e436fab2c0b10d6a314743cf34c038d4b590ffe06ab546fec3f7dbaf4feba3ce2000000070d27dedf7b6fdcb902dd2cff17d36b36489fbca0c5267bc12d53e93471c0e8a40000000f78d4d30db1ecfcd2ba123d6479633163779019a63573ce725f8d0057cecd8df2f6f926846c7d0a74fb2e1c442a13a1db28e8aedc118920c6d9375967790dc19	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://2nkp5dnpdikg805.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://74y4544b333s90p.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Search_URL = "http://409gs83l3we84co.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://tyeb7veo3i0434u.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Download\RunInvalidSignatures = "1"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "Yes"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Download	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://2dic8zk84t4e4ac.directorio-w.com"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://3v3py18nr6c9ku6.directorio-w.com"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://y8j530pbmq89582.directorio-w.com"	winlogon.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec\Application\ = "IExplore"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\ddeexec	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\ddeexec	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\ddeexec\Application	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\""	winlogon.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe
2784	winlogon.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	2784	winlogon.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe
2092	winlogon.exe
2784	winlogon.exe
1536	iexplore.exe
1536	iexplore.exe
3064	IEXPLORE.EXE
3064	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2092	1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2092	1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2092	1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe	30
PID 1736 wrote to memory of 2092	1736	be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 2092 wrote to memory of 2784	2092	winlogon.exe	32
PID 1536 wrote to memory of 3064	1536	iexplore.exe	34
PID 1536 wrote to memory of 3064	1536	iexplore.exe	34
PID 1536 wrote to memory of 3064	1536	iexplore.exe	34
PID 1536 wrote to memory of 3064	1536	iexplore.exe	34

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\be7511bebd1d6ecaacb9e71637050bd4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Users\Admin\E696D64614\winlogon.exe
  "C:\Users\Admin\E696D64614\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Users\Admin\E696D64614\winlogon.exe
    Error 448
    3⤵
    - Modifies firewall policy service
    - Modifies security service
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Indicator Removal: Clear Persistence
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2784

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

Clear Persistence

T1070.009

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
698c86e1c392dda1429c23b4516413f0

SHA1
da1a714091af2d27be9c3f55f7fdd1e8761941c9

SHA256
1a9dc6400ea4fe99b653c8929548df935d35d3506e6e16f2a074fcf46df3da6c

SHA512
4cf753798148c1b654fc02c55a2279072e9b99320779961488020b23938dcfdd790b446233025f4aeadedfa44fe2dfbdf8b5e20ef26316f6486764568e08548c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab28518a9672b2341770180343bfa7a2

SHA1
23a09275c3100cc4358784ad2eb3845a224d9bfd

SHA256
3d0ecccd111af88fb893de452f78dae72ebff5bbd627e76fe348d2a2aa40c642

SHA512
e5f9cb472cd6aa524f08fcaeb2278edd6326405cd70f57b5cb42740310fe486f9b940b710266cdb887a37715e2cfd5aded795d4ef4b43b44edbbf9b6c2f140dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b168150f216e15512566fe494e1e1a73

SHA1
27d8e1a44833162ad4e1740b3c1714b75437e285

SHA256
22e2f0477f4257f143beaabcc73affbadacbbb48a49b157a4a0f7d136117b162

SHA512
65fd2a8703ad15856d198d5e72b62d44f9c4607766facc1db51a46ef2cf43f2f9592e2a48dbb72c75cbaceab512c08de2e21975b2d908194d2d986e97f8efe81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d697e0d388b2d845fb5272c300650c00

SHA1
918d6fdf82f1480e2497e41e6f687c48f1dc7a0c

SHA256
7ef1fefb28620203ff4c0e7328efd3e16f91a58c7da79bccd25e27cc091831b4

SHA512
dd94188f472ff83120a9db9239ea8d498b412449e3e27f7e60b5789f98fcb9d29c4424d8dcadbbf1bf4d693eb37c36df3a57adadf46b15ce1e92cda82b06a1b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a37fe210a67fa02dacbdde96e8aeef0

SHA1
c156c414f9eedb31c9ccba89cc3b7f8b193e3d96

SHA256
10c0ece21fc8cf20e1c67e29ec89d01756ab7662ec64ab57186f50c26017822c

SHA512
fc2635f121bd39b3bb852aaafe699630981fdec1d81a0cbcbf55a63b435756a8dddfe084698b9dfe7e8c8eb2a201d6e14db453df2ecddf8255eb69f02b4f8206

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62dd73fe840719f01e3d342f06ce456b

SHA1
904d5176442385879dd800e7dbf803173c1624a7

SHA256
6ff53bd2d298a8b4476713429a10b406d09b78cc3394ac7354ff557ef2bd5f3b

SHA512
96c8ec285e26d5089ce6e16fe2b609477c6bce2a07c18c9e0ab5ff57b449e55caf7080e9668d462b39c4af200a66539a64c277180ebe797990999af5ad22253c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1630957f60935b72062971188c81bf3

SHA1
9a148fa12d1be837f0c4d3b86a959640a86fa486

SHA256
bba8e8e5d1e14c662a945bacfd85b097a509840212ad4a7df69ccfd36cb20b58

SHA512
4b7196a6df56971c18ba273c3c2aeefc01307ea98a7b1bfd2d3d7f39b6692e83477bb4a77df4599febb3443844dcdf61283eee7695e77c550ab7cbb22c68dc37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1072607ad6f2076ae9a387be3b34fab

SHA1
e14b8a8b99329edb2c5f692c25dec93994768bf5

SHA256
b18df6aa7841cc88dfd9185ca6ac0bfa08800f9e95bc3a32d385552b2c2b21eb

SHA512
a017c69ba72b723992f96092d622fe3bbbd6e02e589c8ce715d14f43f9907a2100f1661ec4f4b37f7d2f31843b09cd786cfa0ffa7dc74b1190b6e91e6435221c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa070f1f49ca87c61329b6b220805bbe

SHA1
9d2160b86cdccb595e77905a47e0c00bddca9957

SHA256
8bc10bcd3c07f17ffc8f0cd5e2b5ce7753bd9315d6c0cafa3a9034ea2059d83d

SHA512
36a3cb739233eba74f3279c9d1c0f51600d9f16423ec00f9e6bf9a29521e8bc4af574f5b941f88568d648a44de77593f90e2232f35c58db8334dd0e88bc6a7fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4073c03f4e300d9a2d363fab48c81040

SHA1
d76c16413fa7198ae0d06fa2df026f7bf3d0c226

SHA256
afa4010585ad91d4e37c01b89852147dd651b29096964653ce7926a79820de32

SHA512
e01337856e2df2a0e6a42aae315d1b0d8688a58414d0da68d461daa4e3e567d5022b98d862745c7e63aa69018e0e956a10b0690e1527c63be08ee07e02d8bf0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d209216db8e3bc583441b1b53d572ce

SHA1
9ff3a710d3d61f08e4c8c7caf8c02bd2fb3c8024

SHA256
e463b309d2d8234fb14efba4dccc905b6107fbf48407030c6e15367ee05c5597

SHA512
240c4cfbe433f271020611e5630fb344d61058986426e545f37017d5461a8160e4a059b15cc058a3c1afc047da25a14291c2191d692342dbf6734697eb7d29c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0e6565b89d081077e09523f174f3e2f

SHA1
22fb4df1aac7147cc274d9645adf3cb525cbc7f0

SHA256
4d08d39249294e5f2c49ac8a7a06be5985b2e079f24f2c861f65ca9d0caeaed3

SHA512
430ba394bcd8ac565bef5c2941624340ca54726fa2bd4e21a39879b0b98f3ceece1e506dcad700621892934119dab400f5538c6542ae60381ebc9986efae2457

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0df3a622268a89b8d68e9972c336c19

SHA1
f2964f0ef59b4e152f2b7b77afc14ae6c632247a

SHA256
c693ce325f40cff92ddc3e706db06248220b7a961bc2ee158daa2caf9c3deb37

SHA512
ed3ecfd7a0669476dcf4990f603878de619deecb6fea1a8cf246007f8a57166782c40e135cb4a2c702dad4ae4c4e9654b3b45f9cd38301ba06baf4cd6afb4c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7cb0798386efeb672ba0298e79e0b46

SHA1
65ddafea5e04a5c642c4920510ace525a7361935

SHA256
0c22309a51017c3b60056c500cf0d02ec95f5de0f8d7a9c2208a6e71716d7d0f

SHA512
a3693362c07aec17a59f20e90083e80c55cfbc45b8932207e67e9bb655f8706564f7c1aa94db1c515cd756f3835bc00b604f3cddbf413b4c8106b3f402801fa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be962c65ce3159d04fb34165f7f1b717

SHA1
928a18b5fafabac35875d4d17c343a28e31f411e

SHA256
ecb1b276244ded6ad674a9f6adda2647b11cb9623b50aee02ba21ef239223e13

SHA512
35bb0c039967eac27784b25647fb2ae626ae206fd3093d1c19d584e220ff80828ccb35942cd127b38dcea841e6557c30dd0de779ff89002d499ee1080a4e3043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9393af5289257869b829fc99c92ca2a4

SHA1
da0082651bf5410b0a385ef1161c76719f644004

SHA256
b4ffcc18984626fd8354c1df12011079beafd105a835fbeaf34e1efc726a5549

SHA512
02e1260b1348e048cd4eb8f3a1f9747a67ceee5b6faef6d5fe7e2dad11d5019430bbc064bfe383c40f96288e4f15dda7ab95a1212ffa06521aef6e4f7a069984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
055276c248364527f161d6be38000dbe

SHA1
5b6b507a1bb73d2f6cf903e8738abec1cd9e2692

SHA256
5f9aed395e7483ae8f6b86feac6f7bae834e532b2b76af87638bdd44d66585f3

SHA512
c6ba60f7a72c170621a122e91f64c6a45bf50eb137fd1b9d6896cfca45cb06178cea5c2f29124f8cd3b18dc542231c05aa7ea1e08a53341332ce3da11ef2c9d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bab6b4aa62c95aae9346c8fe88d4b41e

SHA1
769888b866f1ae6dea6aa575e20e6607bd5cd902

SHA256
36c0f37dd65c67bf484349a979ecf40e3ed230babbc97bae5a303d1aa515c795

SHA512
fbc98b9b423964cb4458d1134215dbd44736208857ce758e32e2133f9b0190f9d92c60d7b5582dec9ad234a6bd3223837032ac4e0a98414699d53dfc5a8df2d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
984d729f42dda01a0294a7a1f34e9df6

SHA1
1b31a8cddb4816f71d0db67f9fcc81a26dcddd80

SHA256
c008fe34a3b9c70bd72408b76073096cc8a4dcdf14fceb0a2eda14c2100a0ff1

SHA512
3c96a7daaa152e775f01af1bc1b7a76062c3a472a96da4b8147df18300751bcf153a9da49779fdec63bc5bb185a82782f19b4517d9f396c94d0b7ceb9ad0452e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f18586ad33e8a89edba3e1796f595855

SHA1
84810a4fb3d784bec2a25097808c610a05bfca28

SHA256
5e95b909f722e476fca723022ff40953f6c4be8aa7ca7691213eeef9cc422f5b

SHA512
65b665263d8e14c17fefb70d32d36b1554e1648471d4c7a061f741966ed218734ed2fcb700ac31f2e2c0cc2be54df55baa775b9e17e7e9a944aec473e290db14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6G4X5UFP\NewErrorPageTemplate[1]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\7BQ20K5D\httpErrorPagesScripts[2]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9GP4P3HF\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\L6J4GCMD\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADFD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\E696D64614\winlogon.exe

Filesize
661KB

MD5
be7511bebd1d6ecaacb9e71637050bd4

SHA1
90178b89ada15bb6438a5bee70797d88da85f9b4

SHA256
dd5abd033864ac31910056f39b74ee1d7affd2ae1406399f8652465ed2429342

SHA512
118cbd4be152325880882eebd7e47263f36af74bd3536abbc15f7a24e472fc880c03eebab50bf4e17abdcfa516b97b5552b779e55245b029d6ad196300a92aff

Download Submit
memory/1736-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1736-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2092-131-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/2784-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-595-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-589-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-583-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-577-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-571-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-74-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-72-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-73-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-68-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-1033-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-1039-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-1045-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2784-1051-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download