a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Size

205KB
MD5

85cb2600f03138bf625a6476a93b17c6
SHA1

076940d269058b75718ff44ac0ff52d5a84e3dae
SHA256

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb
SHA512

4300dd08959311c4cd1075088da8811144faf8111307f3c69b58ffade3135c34f7e2431facf198689d58ec037a362b25372cb8735e23ac579415020477e7cd09
SSDEEP

3072:OqhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:OqhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe winlogon.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.exeaizw.exewinlogon.exe services.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe

Modifies visibility of file extensions in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.exeaizw.exewinlogon.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	aizw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.exeaizw.exewinlogon.exe services.exe lsass.exe smss.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	aizw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe winlogon.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe winlogon.exe services.exe lsass.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.execsrss.exe csrss.execsrss.exe smss.exeaizw.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe smss.exesmss.exe lsass.exeservices.exewinlogon.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~lsass.exeservices.exeservices.exe winlogon.exe lsass.exe lsass.exe services.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~winlogon.exeservices.exewinlogon.exe services.exe

pid	process
3184	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
4760	csrss.exe
4728	csrss.exe
2216	csrss.exe
4448	csrss.exe
4984	smss.exe
4080	aizw.exe
516	smss.exe
3636	csrss.exe
1892	csrss.exe
3568	smss.exe
236	smss.exe
792	lsass.exe
4648	lsass.exe
640	csrss.exe
1964	csrss.exe
1852	smss.exe
364	smss.exe
3464	lsass.exe
4376	lsass.exe
4060	services.exe
344	services.exe
3760	csrss.exe
4112	csrss.exe
744	smss.exe
1516	smss.exe
2248	lsass.exe
5080	lsass.exe
1028	services.exe
3804	services.exe
5092	winlogon.exe
3652	winlogon.exe
1856	csrss.exe
1452	csrss.exe
4908	smss.exe
936	smss.exe
2584	lsass.exe
2692	lsass.exe
4140	services.exe
3736	services.exe
4700	winlogon.exe
3792	winlogon.exe
1972	smss.exe
3432	smss.exe
3904	lsass.exe
2164	services.exe
2956	winlogon.exe
4820	~Paraysutki_VM_Community~
3348	~Paraysutki_VM_Community~
1692	lsass.exe
4768	services.exe
4192	services.exe
2456	winlogon.exe
3892	lsass.exe
2676	lsass.exe
5072	services.exe
4232	winlogon.exe
3872	winlogon.exe
288	~Paraysutki_VM_Community~
3264	~Paraysutki_VM_Community~
1608	winlogon.exe
3620	services.exe
3632	winlogon.exe
1800	services.exe

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

services.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe winlogon.exe lsass.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe smss.exesmss.exe services.exelsass.exeservices.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~winlogon.exelsass.exeservices.exe winlogon.exe lsass.exe lsass.exe services.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~winlogon.exeservices.exewinlogon.exe services.exe ~Paraysutki_VM_Community~svchost.exe

pid	process
4760	csrss.exe
4728	csrss.exe
2216	csrss.exe
4448	csrss.exe
4984	smss.exe
516	smss.exe
3636	csrss.exe
1892	csrss.exe
3568	smss.exe
236	smss.exe
792	lsass.exe
4648	lsass.exe
640	csrss.exe
1964	csrss.exe
1852	smss.exe
364	smss.exe
3464	lsass.exe
4376	lsass.exe
4060	services.exe
344	services.exe
3760	csrss.exe
4112	csrss.exe
744	smss.exe
1516	smss.exe
2248	lsass.exe
5080	lsass.exe
1028	services.exe
3804	services.exe
5092	winlogon.exe
3652	winlogon.exe
1856	csrss.exe
1452	csrss.exe
4908	smss.exe
936	smss.exe
2584	lsass.exe
2692	lsass.exe
4140	services.exe
3736	services.exe
4700	winlogon.exe
3792	winlogon.exe
1972	smss.exe
3432	smss.exe
2164	services.exe
3904	lsass.exe
4768	services.exe
3348	~Paraysutki_VM_Community~
4820	~Paraysutki_VM_Community~
2956	winlogon.exe
1692	lsass.exe
4192	services.exe
2456	winlogon.exe
3892	lsass.exe
2676	lsass.exe
5072	services.exe
4232	winlogon.exe
3872	winlogon.exe
288	~Paraysutki_VM_Community~
3264	~Paraysutki_VM_Community~
1608	winlogon.exe
3620	services.exe
3632	winlogon.exe
1800	services.exe
3588	~Paraysutki_VM_Community~
4944	svchost.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winlogon.exe services.exe csrss.exe lsass.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe aizw.exesmss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

winlogon.exe services.exe lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aizw.exe

description	ioc	process
File opened (read-only)	\??\U:	aizw.exe
File opened (read-only)	\??\V:	aizw.exe
File opened (read-only)	\??\Y:	aizw.exe
File opened (read-only)	\??\E:	aizw.exe
File opened (read-only)	\??\I:	aizw.exe
File opened (read-only)	\??\K:	aizw.exe
File opened (read-only)	\??\O:	aizw.exe
File opened (read-only)	\??\T:	aizw.exe
File opened (read-only)	\??\S:	aizw.exe
File opened (read-only)	\??\Z:	aizw.exe
File opened (read-only)	\??\F:	aizw.exe
File opened (read-only)	\??\H:	aizw.exe
File opened (read-only)	\??\L:	aizw.exe
File opened (read-only)	\??\Q:	aizw.exe
File opened (read-only)	\??\R:	aizw.exe
File opened (read-only)	\??\M:	aizw.exe
File opened (read-only)	\??\X:	aizw.exe
File opened (read-only)	\??\W:	aizw.exe
File opened (read-only)	\??\B:	aizw.exe
File opened (read-only)	\??\G:	aizw.exe
File opened (read-only)	\??\J:	aizw.exe
File opened (read-only)	\??\N:	aizw.exe
File opened (read-only)	\??\P:	aizw.exe

Drops file in System32 directory 64 IoCs

Processes:

services.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe smss.exe services.execsrss.exe smss.exewinlogon.exe csrss.exewinlogon.exelsass.exe ~Paraysutki_VM_Community~winlogon.exelsass.execsrss.exewinlogon.exewinlogon.exesmss.exeaizw.exelsass.execsrss.exesmss.exeservices.exeservices.exeservices.exe~Paraysutki_VM_Community~lsass.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	aizw.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	csrss.exe
File created	\??\c:\windows\SysWOW64\Windows 3D.scr	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe

Drops file in Program Files directory 27 IoCs

Processes:

aizw.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	aizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	aizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	aizw.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	aizw.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	aizw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

winlogon.exe services.exe csrss.exe lsass.exe smss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Modifies registry class 48 IoCs

Processes:

csrss.exeaizw.exeservices.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe smss.exe csrss.exe winlogon.exe lsass.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	aizw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	aizw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	aizw.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
5016	ping.exe
1340	ping.exe
3484	ping.exe
4280	ping.exe
3880	ping.exe
4620	ping.exe
2976	ping.exe
2248	ping.exe
5112	ping.exe
4104	ping.exe
1792	ping.exe
2008	ping.exe
4320	ping.exe
3844	ping.exe
4912	ping.exe
2032	ping.exe
4612	ping.exe
4260	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exeservices.exewinlogon.exe

pid	process
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4760	csrss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
4984	smss.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
792	lsass.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
4060	services.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
5092	winlogon.exe
4760	csrss.exe
5092	winlogon.exe
4760	csrss.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3036 rundll32.exe
4168 rundll32.exe
4184 rundll32.exe
1332 rundll32.exe
4472 rundll32.exe
1336 rundll32.exe

pid	process
3036	rundll32.exe
4168	rundll32.exe
4184	rundll32.exe
1332	rundll32.exe
4472	rundll32.exe
1336	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exea4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe csrss.execsrss.exe csrss.execsrss.exe smss.exeaizw.exesmss.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe csrss.execsrss.exe smss.exesmss.exe lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe smss.exesmss.exe services.exewinlogon.exelsass.exelsass.exeservices.exe~Paraysutki_VM_Community~~Paraysutki_VM_Community~services.exe lsass.exe winlogon.exe lsass.exe services.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~services.exewinlogon.exe~Paraysutki_VM_Community~winlogon.exe

pid	process
5044	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
3184	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
4760	csrss.exe
4728	csrss.exe
2216	csrss.exe
4448	csrss.exe
4984	smss.exe
4080	aizw.exe
516	smss.exe
3636	csrss.exe
1892	csrss.exe
3568	smss.exe
236	smss.exe
792	lsass.exe
4648	lsass.exe
640	csrss.exe
1964	csrss.exe
1852	smss.exe
364	smss.exe
3464	lsass.exe
4376	lsass.exe
4060	services.exe
344	services.exe
3760	csrss.exe
4112	csrss.exe
744	smss.exe
1516	smss.exe
2248	lsass.exe
5080	lsass.exe
1028	services.exe
3804	services.exe
5092	winlogon.exe
3652	winlogon.exe
1856	csrss.exe
1452	csrss.exe
4908	smss.exe
936	smss.exe
2584	lsass.exe
2692	lsass.exe
4140	services.exe
3736	services.exe
4700	winlogon.exe
3792	winlogon.exe
1972	smss.exe
3432	smss.exe
4768	services.exe
2956	winlogon.exe
3904	lsass.exe
1692	lsass.exe
2164	services.exe
3348	~Paraysutki_VM_Community~
4820	~Paraysutki_VM_Community~
4192	services.exe
3892	lsass.exe
2456	winlogon.exe
2676	lsass.exe
5072	services.exe
4232	winlogon.exe
3872	winlogon.exe
288	~Paraysutki_VM_Community~
3620	services.exe
1608	winlogon.exe
3264	~Paraysutki_VM_Community~
3632	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 5044 wrote to memory of 3184	5044	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 5044 wrote to memory of 3184	5044	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 5044 wrote to memory of 3184	5044	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
PID 3184 wrote to memory of 4760	3184	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 3184 wrote to memory of 4760	3184	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 3184 wrote to memory of 4760	3184	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe	csrss.exe
PID 4760 wrote to memory of 4728	4760	csrss.exe	csrss.exe
PID 4760 wrote to memory of 4728	4760	csrss.exe	csrss.exe
PID 4760 wrote to memory of 4728	4760	csrss.exe	csrss.exe
PID 4728 wrote to memory of 2216	4728	csrss.exe	csrss.exe
PID 4728 wrote to memory of 2216	4728	csrss.exe	csrss.exe
PID 4728 wrote to memory of 2216	4728	csrss.exe	csrss.exe
PID 2216 wrote to memory of 4448	2216	csrss.exe	csrss.exe
PID 2216 wrote to memory of 4448	2216	csrss.exe	csrss.exe
PID 2216 wrote to memory of 4448	2216	csrss.exe	csrss.exe
PID 4728 wrote to memory of 4984	4728	csrss.exe	smss.exe
PID 4728 wrote to memory of 4984	4728	csrss.exe	smss.exe
PID 4728 wrote to memory of 4984	4728	csrss.exe	smss.exe
PID 2216 wrote to memory of 4080	2216	csrss.exe	aizw.exe
PID 2216 wrote to memory of 4080	2216	csrss.exe	aizw.exe
PID 2216 wrote to memory of 4080	2216	csrss.exe	aizw.exe
PID 4984 wrote to memory of 516	4984	smss.exe	smss.exe
PID 4984 wrote to memory of 516	4984	smss.exe	smss.exe
PID 4984 wrote to memory of 516	4984	smss.exe	smss.exe
PID 516 wrote to memory of 3636	516	smss.exe	csrss.exe
PID 516 wrote to memory of 3636	516	smss.exe	csrss.exe
PID 516 wrote to memory of 3636	516	smss.exe	csrss.exe
PID 3636 wrote to memory of 1892	3636	csrss.exe	csrss.exe
PID 3636 wrote to memory of 1892	3636	csrss.exe	csrss.exe
PID 3636 wrote to memory of 1892	3636	csrss.exe	csrss.exe
PID 516 wrote to memory of 3568	516	smss.exe	smss.exe
PID 516 wrote to memory of 3568	516	smss.exe	smss.exe
PID 516 wrote to memory of 3568	516	smss.exe	smss.exe
PID 3568 wrote to memory of 236	3568	smss.exe	smss.exe
PID 3568 wrote to memory of 236	3568	smss.exe	smss.exe
PID 3568 wrote to memory of 236	3568	smss.exe	smss.exe
PID 516 wrote to memory of 792	516	smss.exe	lsass.exe
PID 516 wrote to memory of 792	516	smss.exe	lsass.exe
PID 516 wrote to memory of 792	516	smss.exe	lsass.exe
PID 792 wrote to memory of 4648	792	lsass.exe	lsass.exe
PID 792 wrote to memory of 4648	792	lsass.exe	lsass.exe
PID 792 wrote to memory of 4648	792	lsass.exe	lsass.exe
PID 4648 wrote to memory of 640	4648	lsass.exe	csrss.exe
PID 4648 wrote to memory of 640	4648	lsass.exe	csrss.exe
PID 4648 wrote to memory of 640	4648	lsass.exe	csrss.exe
PID 640 wrote to memory of 1964	640	csrss.exe	csrss.exe
PID 640 wrote to memory of 1964	640	csrss.exe	csrss.exe
PID 640 wrote to memory of 1964	640	csrss.exe	csrss.exe
PID 4648 wrote to memory of 1852	4648	lsass.exe	smss.exe
PID 4648 wrote to memory of 1852	4648	lsass.exe	smss.exe
PID 4648 wrote to memory of 1852	4648	lsass.exe	smss.exe
PID 1852 wrote to memory of 364	1852	smss.exe	smss.exe
PID 1852 wrote to memory of 364	1852	smss.exe	smss.exe
PID 1852 wrote to memory of 364	1852	smss.exe	smss.exe
PID 4648 wrote to memory of 3464	4648	lsass.exe	lsass.exe
PID 4648 wrote to memory of 3464	4648	lsass.exe	lsass.exe
PID 4648 wrote to memory of 3464	4648	lsass.exe	lsass.exe
PID 3464 wrote to memory of 4376	3464	lsass.exe	lsass.exe
PID 3464 wrote to memory of 4376	3464	lsass.exe	lsass.exe
PID 3464 wrote to memory of 4376	3464	lsass.exe	lsass.exe
PID 4648 wrote to memory of 4060	4648	lsass.exe	services.exe
PID 4648 wrote to memory of 4060	4648	lsass.exe	services.exe
PID 4648 wrote to memory of 4060	4648	lsass.exe	services.exe
PID 4060 wrote to memory of 344	4060	services.exe	services.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

winlogon.exe lsass.exe smss.exe csrss.exe a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe services.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
"C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5044

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3184

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4728

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4448

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\aizw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\aizw.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4984

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:236

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4648

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:344

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:744

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2248

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5080

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3804

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5092

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
12⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:3652

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:936

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2584

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2692

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4140

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3736

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3792

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
13⤵
- Suspicious use of FindShellTrayWindow
PID:4184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
13⤵
PID:8

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
13⤵
PID:1456

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
13⤵
PID:4364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
13⤵
PID:3116

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
13⤵
PID:2084

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
13⤵
PID:3640

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
13⤵
- Runs ping.exe
PID:1340

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:2976

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
13⤵
- Runs ping.exe
PID:4104

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4820

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
11⤵
- Suspicious use of FindShellTrayWindow
PID:4168

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
11⤵
- Runs ping.exe
PID:2248

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
11⤵
PID:4564

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
11⤵
PID:728

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
11⤵
PID:3436

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
11⤵
PID:3324

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
11⤵
PID:1400

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
11⤵
PID:4988

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:3844

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
11⤵
- Runs ping.exe
PID:4612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2956

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:3036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:1896

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:2524

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:2788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:4428

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:1624

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:2600

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:5016

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:4912

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:2032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2164

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5072

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4232

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3872

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3264

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:1332

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:2460

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:3484

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4280

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4260

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:3948

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:2152

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:3104

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:2552

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:4820

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4768

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:3588

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4472

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:1156

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:3880

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4620

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2008

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:4436

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:288

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:1416

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:1828

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:3348

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3432

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2676

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3620

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
PID:4944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
PID:4456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
PID:3760

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:1336

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1792

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:1188

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:4320

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:5112

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:4560

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:3200

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:1800

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:3344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:1016

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
- Loads dropped DLL
PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4f37bbdd9fee624a669cb65bdaa2cf7d2cf2abb0e8128cbcaad872786cc9afb.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\aizw.exe

Filesize
76KB

MD5
edd695d65a87fe8bc96ca01edad41a32

SHA1
3cb7b5fbe2ede4453abb35c6b34381c1daad7619

SHA256
170dc14e33c6b829a639275e9d7e79bf9f0c33e28fcc686e990db4d014e6d697

SHA512
be231e869cbc2bc755d82242751653c050506c7f10963b4f9db1e821f4402eb74aaf6a62751e9ca537d4a4e190610afb297927b9c9e75de97431dda976eec9be

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe

Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~

Filesize
205KB

MD5
83b27cafdae9004a2a29af93e3adc91b

SHA1
cf67cc83b68d9b3f7e6daf1a136bcfb4f14ad192

SHA256
d85378cabbe8b871cd6eb894e7569d890e5eb644d877ef2b9c5d829108b0e421

SHA512
e98d0e9c6e60c2f518efb76e66a435e472aacfd1470d43a4f5cb26dd7a41b03c3172486335f44cc88dad5a69f2c5d4ac93a83d9a2e0f81f9261ccdacc53b063b

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\aizw.exe

Filesize
76KB

MD5
edd695d65a87fe8bc96ca01edad41a32

SHA1
3cb7b5fbe2ede4453abb35c6b34381c1daad7619

SHA256
170dc14e33c6b829a639275e9d7e79bf9f0c33e28fcc686e990db4d014e6d697

SHA512
be231e869cbc2bc755d82242751653c050506c7f10963b4f9db1e821f4402eb74aaf6a62751e9ca537d4a4e190610afb297927b9c9e75de97431dda976eec9be

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr

Filesize
76KB

MD5
017bccd48bc76e6dd8436b6f39d5d017

SHA1
df7dd4e4fb167a6223bd2a032859e26503c12c3c

SHA256
d404da93544a15f6249cacfdd14dee817cfd793b470f0344b3bc189594f954e7

SHA512
3cbef497e0f8da58669b75579a3741fcf38763ec8c84f75fa8542ac8ce67665a225c4885328dde50b6803362470a5b910d84d6c738bc13a3eb3954a38a0f7698

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt

Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/236-216-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/236-213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/236-209-0x0000000000000000-mapping.dmp

Download
memory/288-403-0x0000000000000000-mapping.dmp

Download
memory/344-440-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/344-296-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/344-272-0x0000000000000000-mapping.dmp

Download
memory/364-253-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/364-248-0x0000000000000000-mapping.dmp

Download
memory/516-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/516-443-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/516-183-0x0000000000000000-mapping.dmp

Download
memory/640-229-0x0000000000000000-mapping.dmp

Download
memory/744-282-0x0000000000000000-mapping.dmp

Download
memory/792-217-0x0000000000000000-mapping.dmp

Download
memory/936-323-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/936-320-0x0000000000000000-mapping.dmp

Download
memory/1028-297-0x0000000000000000-mapping.dmp

Download
memory/1452-313-0x0000000000000000-mapping.dmp

Download
memory/1452-316-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-288-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-285-0x0000000000000000-mapping.dmp

Download
memory/1608-408-0x0000000000000000-mapping.dmp

Download
memory/1692-359-0x0000000000000000-mapping.dmp

Download
memory/1800-432-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1800-428-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1852-242-0x0000000000000000-mapping.dmp

Download
memory/1856-310-0x0000000000000000-mapping.dmp

Download
memory/1892-197-0x0000000000000000-mapping.dmp

Download
memory/1892-203-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-241-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1964-236-0x0000000000000000-mapping.dmp

Download
memory/1972-347-0x0000000000000000-mapping.dmp

Download
memory/2164-355-0x0000000000000000-mapping.dmp

Download
memory/2216-159-0x0000000000000000-mapping.dmp

Download
memory/2248-289-0x0000000000000000-mapping.dmp

Download
memory/2456-416-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2456-392-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2456-373-0x0000000000000000-mapping.dmp

Download
memory/2584-324-0x0000000000000000-mapping.dmp

Download
memory/2676-376-0x0000000000000000-mapping.dmp

Download
memory/2676-396-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2676-412-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-330-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2692-327-0x0000000000000000-mapping.dmp

Download
memory/2956-356-0x0000000000000000-mapping.dmp

Download
memory/3184-445-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3184-346-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3184-139-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3184-134-0x0000000000000000-mapping.dmp

Download
memory/3264-406-0x0000000000000000-mapping.dmp

Download
memory/3348-358-0x0000000000000000-mapping.dmp

Download
memory/3432-353-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3432-350-0x0000000000000000-mapping.dmp

Download
memory/3432-380-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3464-254-0x0000000000000000-mapping.dmp

Download
memory/3568-202-0x0000000000000000-mapping.dmp

Download
memory/3620-407-0x0000000000000000-mapping.dmp

Download
memory/3632-427-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3632-430-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3636-191-0x0000000000000000-mapping.dmp

Download
memory/3652-339-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3652-307-0x0000000000000000-mapping.dmp

Download
memory/3652-442-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3736-337-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3736-334-0x0000000000000000-mapping.dmp

Download
memory/3760-275-0x0000000000000000-mapping.dmp

Download
memory/3792-345-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3792-342-0x0000000000000000-mapping.dmp

Download
memory/3804-300-0x0000000000000000-mapping.dmp

Download
memory/3804-303-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3872-399-0x0000000000000000-mapping.dmp

Download
memory/3872-402-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3872-411-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3892-418-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3892-375-0x0000000000000000-mapping.dmp

Download
memory/3892-394-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3904-354-0x0000000000000000-mapping.dmp

Download
memory/4060-266-0x0000000000000000-mapping.dmp

Download
memory/4080-177-0x0000000000000000-mapping.dmp

Download
memory/4112-278-0x0000000000000000-mapping.dmp

Download
memory/4112-281-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4140-331-0x0000000000000000-mapping.dmp

Download
memory/4168-410-0x0000000000000000-mapping.dmp

Download
memory/4184-409-0x0000000000000000-mapping.dmp

Download
memory/4192-393-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4192-415-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4192-370-0x0000000000000000-mapping.dmp

Download
memory/4232-389-0x0000000000000000-mapping.dmp

Download
memory/4376-265-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4376-260-0x0000000000000000-mapping.dmp

Download
memory/4448-166-0x0000000000000000-mapping.dmp

Download
memory/4448-171-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4456-437-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4648-235-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4648-441-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4648-223-0x0000000000000000-mapping.dmp

Download
memory/4700-338-0x0000000000000000-mapping.dmp

Download
memory/4728-444-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4728-163-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4728-148-0x0000000000000000-mapping.dmp

Download
memory/4760-140-0x0000000000000000-mapping.dmp

Download
memory/4768-360-0x0000000000000000-mapping.dmp

Download
memory/4820-357-0x0000000000000000-mapping.dmp

Download
memory/4908-317-0x0000000000000000-mapping.dmp

Download
memory/4984-172-0x0000000000000000-mapping.dmp

Download
memory/5072-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-398-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5072-377-0x0000000000000000-mapping.dmp

Download
memory/5080-292-0x0000000000000000-mapping.dmp

Download
memory/5080-295-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5092-304-0x0000000000000000-mapping.dmp

Download