838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a

Analysis

max time kernel
113s
max time network
101s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Size

205KB
MD5

8d3dfde63e45e5ea688c4a5b587caa8f
SHA1

772b6144b46e585ab54aa1c4267d2fe55ae5c1b3
SHA256

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a
SHA512

a329cfc8089056e591627e98bde8f2bcf735ba4762c9d4a71205cd732574e0f3686650deef265d7b1955b2f82d6ca4d9772c4701890fa884fc83ae3351e2b852
SSDEEP

3072:/qhMPssRhlARSOsdwD/98out3SDADeak7dJHB/AKG:/qhMPssRARoiSoS3SsQLH5AK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

services.exe lsass.exe winlogon.exe smss.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exeservices.exe lsass.exe smss.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.execsrss.exedswa.exewinlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

winlogon.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.execsrss.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exesmss.exe csrss.exe dswa.exeservices.exe lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	dswa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exedswa.exeservices.exe lsass.exe winlogon.exe csrss.exe csrss.execsrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	dswa.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe services.exe lsass.exe winlogon.exe smss.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

smss.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe services.exe lsass.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exelsass.exesmss.exe lsass.exesmss.exe lsass.exe lsass.exe dswa.exeservices.exedsnv.execsrss.exeservices.execsrss.exe services.exe csrss.exehscw.execsrss.exe smss.execsrss.exesmss.exe csrss.exe smss.exesmss.exe smss.exelsass.exelsass.exe smss.exe lsass.exeservices.exelsass.exe services.exe lsass.exewinlogon.exelsass.exe winlogon.exe services.exeservices.exeservices.exe services.exe csrss.execsrss.exe smss.exewinlogon.exewinlogon.exe winlogon.exewinlogon.exe smss.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exe~Paraysutki_VM_Community~

pid	process
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1864	csrss.exe
564	csrss.exe
1008	csrss.exe
284	csrss.exe
1376	smss.exe
1612	smss.exe
556	lsass.exe
1812	smss.exe
548	lsass.exe
1740	smss.exe
1172	lsass.exe
1696	lsass.exe
1712	dswa.exe
1052	services.exe
1640	dsnv.exe
1732	csrss.exe
624	services.exe
2012	csrss.exe
1592	services.exe
1824	csrss.exe
1880	hscw.exe
1972	csrss.exe
1476	smss.exe
1564	csrss.exe
1100	smss.exe
1952	csrss.exe
2028	smss.exe
1388	smss.exe
1904	smss.exe
948	lsass.exe
1436	lsass.exe
1608	smss.exe
1496	lsass.exe
1516	services.exe
240	lsass.exe
1548	services.exe
1452	lsass.exe
2032	winlogon.exe
1152	lsass.exe
1956	winlogon.exe
1864	services.exe
1704	services.exe
1000	services.exe
276	services.exe
1968	csrss.exe
1332	csrss.exe
284	smss.exe
1948	winlogon.exe
1372	winlogon.exe
1564	winlogon.exe
892	winlogon.exe
1600	smss.exe
1492	~Paraysutki_VM_Community~
1656	~Paraysutki_VM_Community~
1224	lsass.exe
924	lsass.exe
1876	services.exe
1808	services.exe
240	winlogon.exe
1748	winlogon.exe
432	~Paraysutki_VM_Community~
1864	winlogon.exe
1672	~Paraysutki_VM_Community~

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe winlogon.exe services.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe smss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-RTP.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe	smss.exe

Loads dropped DLL 64 IoCs

Processes:

pid	process
1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1864	csrss.exe
1864	csrss.exe
1864	csrss.exe
564	csrss.exe
564	csrss.exe
564	csrss.exe
1008	csrss.exe
1008	csrss.exe
284	csrss.exe
564	csrss.exe
564	csrss.exe
1376	smss.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
564	csrss.exe
564	csrss.exe
1376	smss.exe
1376	smss.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1612	smss.exe
548	lsass.exe
556	lsass.exe
1812	smss.exe
1612	smss.exe
1740	smss.exe
556	lsass.exe
548	lsass.exe
556	lsass.exe
548	lsass.exe
1008	csrss.exe
1008	csrss.exe
1172	lsass.exe
1696	lsass.exe
564	csrss.exe
564	csrss.exe
1052	services.exe
1864	csrss.exe
1864	csrss.exe
1812	smss.exe
1812	smss.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1732	csrss.exe
624	services.exe
1732	csrss.exe
2012	csrss.exe
624	services.exe
624	services.exe
1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1172	lsass.exe
1172	lsass.exe
1592	services.exe
1824	csrss.exe
1824	csrss.exe
1972	csrss.exe
1812	smss.exe
1812	smss.exe
1476	smss.exe

Adds Run key to start application 2 TTPs 38 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

csrss.exe services.exe winlogon.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe lsass.exe smss.exe dswa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BaRloNdDiLhep = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\services.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RealTimeProtector = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\winlogon.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ViSulaBaCis = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UpDaTer = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinDOwsUPdate = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~²\\smss.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

services.exe lsass.exe winlogon.exe smss.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dswa.exe

description	ioc	process
File opened (read-only)	\??\O:	dswa.exe
File opened (read-only)	\??\Q:	dswa.exe
File opened (read-only)	\??\R:	dswa.exe
File opened (read-only)	\??\S:	dswa.exe
File opened (read-only)	\??\T:	dswa.exe
File opened (read-only)	\??\X:	dswa.exe
File opened (read-only)	\??\E:	dswa.exe
File opened (read-only)	\??\H:	dswa.exe
File opened (read-only)	\??\L:	dswa.exe
File opened (read-only)	\??\Y:	dswa.exe
File opened (read-only)	\??\F:	dswa.exe
File opened (read-only)	\??\I:	dswa.exe
File opened (read-only)	\??\P:	dswa.exe
File opened (read-only)	\??\V:	dswa.exe
File opened (read-only)	\??\W:	dswa.exe
File opened (read-only)	\??\G:	dswa.exe
File opened (read-only)	\??\K:	dswa.exe
File opened (read-only)	\??\M:	dswa.exe
File opened (read-only)	\??\N:	dswa.exe
File opened (read-only)	\??\U:	dswa.exe
File opened (read-only)	\??\Z:	dswa.exe
File opened (read-only)	\??\B:	dswa.exe
File opened (read-only)	\??\J:	dswa.exe

Drops file in System32 directory 64 IoCs

Processes:

services.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe smss.exe lsass.exe winlogon.exe csrss.exe csrss.exehscw.exesmss.exelsass.exewinlogon.exeservices.exewinlogon.exe~Paraysutki_VM_Community~smss.exeservices.exesmss.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.execsrss.exedswa.exelsass.exesmss.exelsass.exelsass.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	hscw.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	~Paraysutki_VM_Community~
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	lsass.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	\??\c:\windows\SysWOW64\maxtrox.txt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	services.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	dswa.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll	smss.exe

Drops file in Program Files directory 34 IoCs

Processes:

dswa.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	dswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MpCmdRun.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Journal\PDIALOG.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpenc.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wab.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	dswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\sidebar.exe	dswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Defender\MSASCui.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\WMPDMC.exe	dswa.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	dswa.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	dswa.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

services.exe lsass.exe csrss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe winlogon.exe smss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-575491160-2295418218-1540667289-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe

Modifies registry class 64 IoCs

Processes:

csrss.execsrss.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exedswa.exewinlogon.exe lsass.exe services.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.exe smss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	dswa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	dswa.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
1984	ping.exe
1404	ping.exe
2420	ping.exe
2412	ping.exe
1100	ping.exe
1256	ping.exe
1784	ping.exe
884	ping.exe
1304	ping.exe
2068	ping.exe
2060	ping.exe
2040	ping.exe
1604	ping.exe
1620	ping.exe
1284	ping.exe
1788	ping.exe
548	ping.exe
2428	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

smss.exelsass.exeservices.exe

pid	process
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
1376	smss.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
548	lsass.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe
624	services.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

1344 rundll32.exe
1740 rundll32.exe

pid	process
1344	rundll32.exe
1740	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exelsass.exelsass.exesmss.exe smss.exe lsass.exe lsass.exe dswa.exeservices.exedsnv.execsrss.execsrss.exe services.exe csrss.exehscw.execsrss.exe smss.execsrss.exesmss.exe csrss.exe smss.exesmss.exe smss.exelsass.exelsass.exe smss.exe lsass.exeservices.exeservices.exe lsass.exe lsass.exewinlogon.exelsass.exe winlogon.exe services.exeservices.exeservices.exe csrss.exeservices.exe csrss.exe winlogon.exewinlogon.exewinlogon.exe smss.exewinlogon.exe smss.exe ~Paraysutki_VM_Community~~Paraysutki_VM_Community~lsass.exelsass.exe services.exeservices.exe winlogon.exewinlogon.exe ~Paraysutki_VM_Community~winlogon.exe~Paraysutki_VM_Community~

pid	process
1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
1864	csrss.exe
564	csrss.exe
1008	csrss.exe
284	csrss.exe
1376	smss.exe
1612	smss.exe
556	lsass.exe
548	lsass.exe
1812	smss.exe
1740	smss.exe
1172	lsass.exe
1696	lsass.exe
1712	dswa.exe
624	services.exe
1640	dsnv.exe
1732	csrss.exe
2012	csrss.exe
1592	services.exe
1824	csrss.exe
1880	hscw.exe
1972	csrss.exe
1476	smss.exe
1564	csrss.exe
1100	smss.exe
1952	csrss.exe
2028	smss.exe
1388	smss.exe
1904	smss.exe
948	lsass.exe
1436	lsass.exe
1608	smss.exe
1496	lsass.exe
1516	services.exe
1548	services.exe
240	lsass.exe
1452	lsass.exe
2032	winlogon.exe
1152	lsass.exe
1956	winlogon.exe
1864	services.exe
1704	services.exe
1000	services.exe
1968	csrss.exe
276	services.exe
1332	csrss.exe
1948	winlogon.exe
1564	winlogon.exe
1372	winlogon.exe
284	smss.exe
892	winlogon.exe
1600	smss.exe
1492	~Paraysutki_VM_Community~
1656	~Paraysutki_VM_Community~
1224	lsass.exe
924	lsass.exe
1876	services.exe
1808	services.exe
240	winlogon.exe
1748	winlogon.exe
432	~Paraysutki_VM_Community~
1864	winlogon.exe
1672	~Paraysutki_VM_Community~

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe csrss.execsrss.exe csrss.exesmss.exesmss.exelsass.exelsass.exe

description	pid	process	target process
PID 1928 wrote to memory of 632	1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 1928 wrote to memory of 632	1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 1928 wrote to memory of 632	1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 1928 wrote to memory of 632	1928	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
PID 632 wrote to memory of 1864	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 632 wrote to memory of 1864	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 632 wrote to memory of 1864	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 632 wrote to memory of 1864	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	csrss.exe
PID 1864 wrote to memory of 564	1864	csrss.exe	csrss.exe
PID 1864 wrote to memory of 564	1864	csrss.exe	csrss.exe
PID 1864 wrote to memory of 564	1864	csrss.exe	csrss.exe
PID 1864 wrote to memory of 564	1864	csrss.exe	csrss.exe
PID 564 wrote to memory of 1008	564	csrss.exe	csrss.exe
PID 564 wrote to memory of 1008	564	csrss.exe	csrss.exe
PID 564 wrote to memory of 1008	564	csrss.exe	csrss.exe
PID 564 wrote to memory of 1008	564	csrss.exe	csrss.exe
PID 1008 wrote to memory of 284	1008	csrss.exe	csrss.exe
PID 1008 wrote to memory of 284	1008	csrss.exe	csrss.exe
PID 1008 wrote to memory of 284	1008	csrss.exe	csrss.exe
PID 1008 wrote to memory of 284	1008	csrss.exe	csrss.exe
PID 564 wrote to memory of 1376	564	csrss.exe	smss.exe
PID 564 wrote to memory of 1376	564	csrss.exe	smss.exe
PID 564 wrote to memory of 1376	564	csrss.exe	smss.exe
PID 564 wrote to memory of 1376	564	csrss.exe	smss.exe
PID 632 wrote to memory of 1612	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 632 wrote to memory of 1612	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 632 wrote to memory of 1612	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 632 wrote to memory of 1612	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	smss.exe
PID 564 wrote to memory of 556	564	csrss.exe	lsass.exe
PID 564 wrote to memory of 556	564	csrss.exe	lsass.exe
PID 564 wrote to memory of 556	564	csrss.exe	lsass.exe
PID 564 wrote to memory of 556	564	csrss.exe	lsass.exe
PID 1376 wrote to memory of 1812	1376	smss.exe	smss.exe
PID 1376 wrote to memory of 1812	1376	smss.exe	smss.exe
PID 1376 wrote to memory of 1812	1376	smss.exe	smss.exe
PID 1376 wrote to memory of 1812	1376	smss.exe	smss.exe
PID 632 wrote to memory of 548	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 632 wrote to memory of 548	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 632 wrote to memory of 548	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 632 wrote to memory of 548	632	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe	lsass.exe
PID 1612 wrote to memory of 1740	1612	smss.exe	smss.exe
PID 1612 wrote to memory of 1740	1612	smss.exe	smss.exe
PID 1612 wrote to memory of 1740	1612	smss.exe	smss.exe
PID 1612 wrote to memory of 1740	1612	smss.exe	smss.exe
PID 556 wrote to memory of 1172	556	lsass.exe	lsass.exe
PID 556 wrote to memory of 1172	556	lsass.exe	lsass.exe
PID 556 wrote to memory of 1172	556	lsass.exe	lsass.exe
PID 556 wrote to memory of 1172	556	lsass.exe	lsass.exe
PID 548 wrote to memory of 1696	548	lsass.exe	lsass.exe
PID 548 wrote to memory of 1696	548	lsass.exe	lsass.exe
PID 548 wrote to memory of 1696	548	lsass.exe	lsass.exe
PID 548 wrote to memory of 1696	548	lsass.exe	lsass.exe
PID 1008 wrote to memory of 1712	1008	csrss.exe	dswa.exe
PID 1008 wrote to memory of 1712	1008	csrss.exe	dswa.exe
PID 1008 wrote to memory of 1712	1008	csrss.exe	dswa.exe
PID 1008 wrote to memory of 1712	1008	csrss.exe	dswa.exe
PID 564 wrote to memory of 1052	564	csrss.exe	services.exe
PID 564 wrote to memory of 1052	564	csrss.exe	services.exe
PID 564 wrote to memory of 1052	564	csrss.exe	services.exe
PID 564 wrote to memory of 1052	564	csrss.exe	services.exe
PID 1864 wrote to memory of 1640	1864	csrss.exe	dsnv.exe
PID 1864 wrote to memory of 1640	1864	csrss.exe	dsnv.exe
PID 1864 wrote to memory of 1640	1864	csrss.exe	dsnv.exe
PID 1864 wrote to memory of 1640	1864	csrss.exe	dsnv.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

lsass.exe winlogon.exe smss.exe 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe services.exe csrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
"C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1928

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:632

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
3⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:564

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:284

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dswa.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dswa.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1812

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1732

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2012

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1476

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1100

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:948

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1436

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1956

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:284

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1224

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:924

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:240

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
10⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
9⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:432

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
PID:1036

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
9⤵
PID:1008

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
9⤵
- Runs ping.exe
PID:1984

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:884

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:1100

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
9⤵
PID:1452

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
9⤵
PID:392

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
9⤵
PID:988

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
9⤵
PID:2168

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
9⤵
PID:896

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
PID:832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:2180

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:2076

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:2068

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:2060

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1404

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:2212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:2248

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:2316

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:2276

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:556

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1172

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1388

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
7⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1496

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:240

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
8⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:1344

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
7⤵
PID:948

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
7⤵
- Runs ping.exe
PID:1604

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1620

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:1256

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
7⤵
PID:1980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
7⤵
PID:832

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
7⤵
PID:1224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
7⤵
PID:1164

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
7⤵
PID:2032

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1052

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Drops file in System32 directory
PID:1660

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
PID:892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Drops file in System32 directory
PID:1376

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
PID:1224

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:2188

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:2052

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1784

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:548

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:2040

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:2232

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:2644

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:2656

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:2668

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\dsnv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\dsnv.exe" csrss
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1640

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:624

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1592

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\csrss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1952

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\smss.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1608

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\lsass.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1452

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\services.exe
5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:276

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:892

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1492

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:1740

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
5⤵
PID:1736

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
5⤵
PID:892

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
5⤵
- Runs ping.exe
PID:1304

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1284

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1788

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
5⤵
PID:1792

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
5⤵
PID:1572

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
5⤵
PID:1540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
5⤵
PID:1516

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1864

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
4⤵
PID:1508

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
3⤵
PID:1980

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
PID:2124

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im Ansav.exe /im ansavgd.exe
3⤵
PID:2476

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im kspoold.exe /im kspool.exe
3⤵
PID:2496

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im tati.exe
3⤵
PID:2512

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im wscript.exe
3⤵
PID:2532

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im sys.exe
3⤵
PID:2564

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe taskkill /f /im PCMAV-CLN.exe /im PCMAV-RTP.exe
3⤵
PID:2436

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1210
3⤵
- Runs ping.exe
PID:2428

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2420

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:2412

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\hscw.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\hscw.exe" 838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\MSVBVM60.DLL
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\services.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\winlogon.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\~Paraysutki_VM_Community~
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Local\Temp\838ad1d3c515829151b8267bfc6874e266aa278ecd1652a3851f95c3fa65894a.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dswa.exe
Filesize
76KB

MD5
b3f84580cab7e512a254faa74df37976

SHA1
78600799a238fe69043308c393f8b1e6c0375312

SHA256
76ca28ab16951f6a5bbddfc5d7de5e7865ec283256696729b77a804ab13d55b4

SHA512
a42f2f260f84d7f83fd76d040f515147ce0b0629fe4b3eebb505a6d45ff14af9175ab1bfe004a4af80e2850d49b228224a72acf6ee4543922b9091c0302d7487

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\dswa.exe
Filesize
76KB

MD5
b3f84580cab7e512a254faa74df37976

SHA1
78600799a238fe69043308c393f8b1e6c0375312

SHA256
76ca28ab16951f6a5bbddfc5d7de5e7865ec283256696729b77a804ab13d55b4

SHA512
a42f2f260f84d7f83fd76d040f515147ce0b0629fe4b3eebb505a6d45ff14af9175ab1bfe004a4af80e2850d49b228224a72acf6ee4543922b9091c0302d7487

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\csrss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\lsass.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\msvbvm60.dll
Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
205KB

MD5
4c1b45476f687fc5434a396d32710d7e

SHA1
b1dab361d0f0b54549882deac0687d8dafb6f865

SHA256
8d98d3307fc7f32c528bfd6168350cc5f18459cb70170cc840556ffc5b3c74be

SHA512
8d5c4d522599e9d15399e4e98b15beda19bf4668726107157ba95993dd011adc1e7c72265608474dbecb8d187b8d548d9b3f64d0c73cc07567ad9a7a6e5258f7

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~²\smss.exe
Filesize
129KB

MD5
e2c33f1d5b2c10d0fff92ec379577f06

SHA1
db52e7c71eb6e99ad6fa38305a7c62337246cc9e

SHA256
6fe9ec72f717f7e26398412b782a725030c796a253d3d17c883a6dbaf1bc4e01

SHA512
6a813184d730de5a8d2295222c4a47a7295e28886c5a982ab9d94a7ceed7f41683038ce9981fa1a789a8371095807fe4b36ae3f3502588624fed94664aa6b1c8

Download Submit
memory/240-254-0x0000000000000000-mapping.dmp

Download
memory/240-273-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/240-350-0x0000000000000000-mapping.dmp

Download
memory/276-300-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/276-286-0x0000000000000000-mapping.dmp

Download
memory/284-97-0x0000000000000000-mapping.dmp

Download
memory/284-298-0x0000000000000000-mapping.dmp

Download
memory/284-319-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/284-108-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/284-104-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/432-357-0x0000000000000000-mapping.dmp

Download
memory/548-131-0x0000000000000000-mapping.dmp

Download
memory/556-174-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/556-121-0x0000000000000000-mapping.dmp

Download
memory/556-175-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/564-428-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/564-77-0x0000000000000000-mapping.dmp

Download
memory/564-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/624-182-0x0000000000000000-mapping.dmp

Download
memory/632-71-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/632-424-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/632-58-0x0000000000000000-mapping.dmp

Download
memory/892-318-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/892-321-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/892-402-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/892-391-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/892-312-0x0000000000000000-mapping.dmp

Download
memory/924-335-0x0000000000000000-mapping.dmp

Download
memory/948-234-0x0000000000000000-mapping.dmp

Download
memory/1000-285-0x0000000000000000-mapping.dmp

Download
memory/1000-299-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1008-89-0x0000000000000000-mapping.dmp

Download
memory/1052-178-0x0000000000000000-mapping.dmp

Download
memory/1100-230-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1100-217-0x0000000000000000-mapping.dmp

Download
memory/1152-268-0x0000000000000000-mapping.dmp

Download
memory/1152-276-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-389-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-176-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1172-159-0x0000000000000000-mapping.dmp

Download
memory/1172-370-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1224-329-0x0000000000000000-mapping.dmp

Download
memory/1332-293-0x0000000000000000-mapping.dmp

Download
memory/1332-297-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1344-342-0x0000000000000000-mapping.dmp

Download
memory/1372-317-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-322-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1372-306-0x0000000000000000-mapping.dmp

Download
memory/1376-209-0x0000000000300000-0x0000000000306000-memory.dmp

Filesize
24KB

Download
memory/1376-107-0x0000000000000000-mapping.dmp

Download
memory/1376-127-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/1388-235-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-241-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1388-228-0x0000000000000000-mapping.dmp

Download
memory/1436-242-0x0000000000000000-mapping.dmp

Download
memory/1436-247-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1452-277-0x00000000001E0000-0x000000000020A000-memory.dmp

Filesize
168KB

Download
memory/1452-261-0x0000000000000000-mapping.dmp

Download
memory/1476-206-0x0000000000000000-mapping.dmp

Download
memory/1492-324-0x0000000000000000-mapping.dmp

Download
memory/1496-248-0x0000000000000000-mapping.dmp

Download
memory/1496-272-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1508-374-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1516-250-0x0000000000000000-mapping.dmp

Download
memory/1548-260-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1548-256-0x0000000000000000-mapping.dmp

Download
memory/1564-305-0x0000000000000000-mapping.dmp

Download
memory/1564-212-0x0000000000000000-mapping.dmp

Download
memory/1592-328-0x0000000076B51000-0x0000000076B53000-memory.dmp

Filesize
8KB

Download
memory/1592-202-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1592-387-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1592-193-0x0000000000000000-mapping.dmp

Download
memory/1600-330-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1600-313-0x0000000000000000-mapping.dmp

Download
memory/1608-240-0x0000000000000000-mapping.dmp

Download
memory/1608-251-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1612-172-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1612-113-0x0000000000000000-mapping.dmp

Download
memory/1640-180-0x0000000000000000-mapping.dmp

Download
memory/1656-327-0x0000000000000000-mapping.dmp

Download
memory/1660-390-0x0000000000420000-0x000000000044A000-memory.dmp

Filesize
168KB

Download
memory/1696-177-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1696-161-0x0000000000000000-mapping.dmp

Download
memory/1696-211-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1704-282-0x0000000000000000-mapping.dmp

Download
memory/1712-165-0x0000000000000000-mapping.dmp

Download
memory/1732-200-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/1732-181-0x0000000000000000-mapping.dmp

Download
memory/1740-184-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-173-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-338-0x0000000000000000-mapping.dmp

Download
memory/1740-145-0x0000000000000000-mapping.dmp

Download
memory/1748-356-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1748-353-0x0000000000000000-mapping.dmp

Download
memory/1808-346-0x0000000000000000-mapping.dmp

Download
memory/1808-349-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-128-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-125-0x0000000000000000-mapping.dmp

Download
memory/1812-236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1812-417-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1824-195-0x0000000000000000-mapping.dmp

Download
memory/1864-369-0x0000000000230000-0x000000000025A000-memory.dmp

Filesize
168KB

Download
memory/1864-118-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1864-102-0x0000000000250000-0x000000000027A000-memory.dmp

Filesize
168KB

Download
memory/1864-275-0x0000000000000000-mapping.dmp

Download
memory/1864-64-0x0000000000000000-mapping.dmp

Download
memory/1876-340-0x0000000000000000-mapping.dmp

Download
memory/1880-194-0x0000000000000000-mapping.dmp

Download
memory/1904-229-0x0000000000000000-mapping.dmp

Download
memory/1928-69-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1928-66-0x0000000000320000-0x000000000034A000-memory.dmp

Filesize
168KB

Download
memory/1948-301-0x0000000000000000-mapping.dmp

Download
memory/1952-220-0x0000000000000000-mapping.dmp

Download
memory/1952-226-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1956-270-0x0000000000000000-mapping.dmp

Download
memory/1956-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1956-414-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-287-0x0000000000000000-mapping.dmp

Download
memory/1972-204-0x0000000000000000-mapping.dmp

Download
memory/1972-214-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-210-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2012-190-0x0000000000000000-mapping.dmp

Download
memory/2012-201-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-223-0x0000000000000000-mapping.dmp

Download
memory/2032-265-0x0000000000000000-mapping.dmp

Download
memory/2032-278-0x0000000000270000-0x000000000029A000-memory.dmp

Filesize
168KB

Download