7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931

Analysis

max time kernel
178s
max time network
193s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Size

127KB
MD5

e8059f3c680e7424c0e67d8c971cb4dd
SHA1

ca917619ccf8346478989a12da5a8753bb452e3d
SHA256

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931
SHA512

6279f2e9328da59b00cd5f2a9db3f9ee8bc8f27978916b9f05c145cce153f4669ffd6db82a8eceddc619e5471673e5b88276d7ff1c84535504d8b605d2149bb7
SSDEEP

1536:hnqdu3rbBGy3G8V0iuoKYMUYU6U5jUdPQc+n35KZg8/nouy8Iu:hqYMPsLMYjUtQl78vout

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

services.exe winlogon.exe lsass.exe smss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe

Modifies system executable filetype association 2 TTPs 10 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exescwg.execsrss.exelsass.exe services.exe scnv.exesmss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

scwg.exesmss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe winlogon.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exescnv.exelsass.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scwg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	scnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

winlogon.exe csrss.exescnv.exe7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exescwg.exelsass.exe smss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scnv.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	scwg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

smss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe winlogon.exe lsass.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe

Disables RegEdit via registry modification 6 IoCs

evasion

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe winlogon.exe lsass.exe smss.exe csrss.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe scwg.execsrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exescnv.exesmss.exe smss.exe csrss.exelsass.execsrss.exe lsass.exe csrss.exesmss.execsrss.exe smss.exe smss.exelsass.exesmss.exe lsass.exe services.exelsass.exelsass.exe services.exe services.exeservices.exe csrss.execsrss.exe winlogon.exewinlogon.exe smss.exesmss.exe lsass.execsrss.exelsass.exe csrss.exe lsass.exelsass.exe services.exewinlogon.exeParaysutki_VM_Communityservices.exesmss.exeservices.exewinlogon.exeParaysutki_VM_Communityservices.exe winlogon.exe lsass.exewinlogon.exe winlogon.exeservices.exe services.exe smss.exe lsass.exe winlogon.exewinlogon.exe winlogon.exe Paraysutki_VM_Communityservices.exeParaysutki_VM_Community

pid	process
2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
4152	scwg.exe
3944	csrss.exe
3128	csrss.exe
2220	csrss.exe
1596	csrss.exe
5000	smss.exe
5008	smss.exe
2016	scnv.exe
1376	smss.exe
1532	smss.exe
2060	csrss.exe
3648	lsass.exe
4240	csrss.exe
3992	lsass.exe
4404	csrss.exe
1200	smss.exe
2392	csrss.exe
4464	smss.exe
2188	smss.exe
4932	lsass.exe
3172	smss.exe
1924	lsass.exe
2028	services.exe
3456	lsass.exe
3148	lsass.exe
4076	services.exe
4064	services.exe
4456	services.exe
816	csrss.exe
4144	csrss.exe
1748	winlogon.exe
1152	winlogon.exe
3760	smss.exe
2720	smss.exe
4048	lsass.exe
4668	csrss.exe
2168	lsass.exe
4720	csrss.exe
2556	lsass.exe
2568	lsass.exe
2588	services.exe
3096	winlogon.exe
5012	Paraysutki_VM_Community
1256	services.exe
1712	smss.exe
3996	services.exe
3576	winlogon.exe
996	Paraysutki_VM_Community
2220	services.exe
4044	winlogon.exe
4696	lsass.exe
3392	winlogon.exe
3860	winlogon.exe
4616	services.exe
3532	services.exe
4552	smss.exe
3876	lsass.exe
480	winlogon.exe
1180	winlogon.exe
4448	winlogon.exe
4928	Paraysutki_VM_Community
2740	services.exe
4364	Paraysutki_VM_Community

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

lsass.exe smss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe csrss.exe winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SETUP.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansavgd.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rundll32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rundll32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Setup.exe\Debugger = "cmd.exe /c del"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "rundll32.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe\Debugger = "cmd.exe /c del"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "rundll32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msiexec.exe\Debugger = "rundll32.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Install.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ansav.exe\Debugger = "cmd.exe /c del"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Instal.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "cmd.exe /c del"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tasklist.exe\Debugger = "rundll32.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PCMAV-CLN.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	winlogon.exe

Loads dropped DLL 64 IoCs

Processes:

csrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exesmss.exe smss.exe csrss.exelsass.execsrss.exe lsass.exe csrss.exesmss.execsrss.exe smss.exe smss.exelsass.exelsass.exe smss.exe lsass.exeservices.exelsass.exe services.exeservices.exe services.exe csrss.execsrss.exe winlogon.exewinlogon.exe smss.exesmss.exe lsass.execsrss.exelsass.exe csrss.exe lsass.exelsass.exe winlogon.exeservices.exeParaysutki_VM_Communityservices.exesmss.exeParaysutki_VM_Communitywinlogon.exeservices.exeservices.exe winlogon.exe lsass.exewinlogon.exe services.exe winlogon.exeservices.exe smss.exe lsass.exe winlogon.exewinlogon.exe winlogon.exe Paraysutki_VM_Communityservices.exeParaysutki_VM_CommunityParaysutki_VM_Communityservices.exe winlogon.exe

pid	process
3944	csrss.exe
3128	csrss.exe
2220	csrss.exe
1596	csrss.exe
5000	smss.exe
5008	smss.exe
1532	smss.exe
1376	smss.exe
2060	csrss.exe
3648	lsass.exe
4240	csrss.exe
3992	lsass.exe
4404	csrss.exe
1200	smss.exe
2392	csrss.exe
4464	smss.exe
2188	smss.exe
4932	lsass.exe
1924	lsass.exe
3172	smss.exe
3456	lsass.exe
2028	services.exe
3148	lsass.exe
4064	services.exe
4076	services.exe
4456	services.exe
816	csrss.exe
4144	csrss.exe
1748	winlogon.exe
1152	winlogon.exe
3760	smss.exe
2720	smss.exe
4048	lsass.exe
4668	csrss.exe
2168	lsass.exe
4720	csrss.exe
2556	lsass.exe
2568	lsass.exe
3096	winlogon.exe
2588	services.exe
5012	Paraysutki_VM_Community
1256	services.exe
1712	smss.exe
996	Paraysutki_VM_Community
3576	winlogon.exe
3996	services.exe
2220	services.exe
4044	winlogon.exe
4696	lsass.exe
3392	winlogon.exe
4616	services.exe
3860	winlogon.exe
3532	services.exe
4552	smss.exe
3876	lsass.exe
480	winlogon.exe
1180	winlogon.exe
4448	winlogon.exe
4928	Paraysutki_VM_Community
2740	services.exe
4364	Paraysutki_VM_Community
1932	Paraysutki_VM_Community
4940	services.exe
4144	winlogon.exe

Adds Run key to start application 2 TTPs 42 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe scnv.exesmss.exe services.exe winlogon.exe lsass.exe scwg.execsrss.exe csrss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\AVManager = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NviDiaGT = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\lsass.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\VisualStyle = "c:\\windows\\system32\\Desktop.sysm"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ConfigVir = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\services.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PaRaY_VM = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\winlogon.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\NarmonVirusAnti = "C:\\Windows\\System32\\~A~m~B~u~R~a~D~u~L~\\smss.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

lsass.exe smss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe winlogon.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

scnv.exescwg.exe

description	ioc	process
File opened (read-only)	\??\I:	scnv.exe
File opened (read-only)	\??\L:	scnv.exe
File opened (read-only)	\??\B:	scnv.exe
File opened (read-only)	\??\T:	scnv.exe
File opened (read-only)	\??\M:	scwg.exe
File opened (read-only)	\??\T:	scwg.exe
File opened (read-only)	\??\P:	scwg.exe
File opened (read-only)	\??\G:	scnv.exe
File opened (read-only)	\??\H:	scnv.exe
File opened (read-only)	\??\N:	scnv.exe
File opened (read-only)	\??\P:	scnv.exe
File opened (read-only)	\??\S:	scnv.exe
File opened (read-only)	\??\K:	scwg.exe
File opened (read-only)	\??\O:	scwg.exe
File opened (read-only)	\??\V:	scnv.exe
File opened (read-only)	\??\N:	scwg.exe
File opened (read-only)	\??\J:	scnv.exe
File opened (read-only)	\??\E:	scwg.exe
File opened (read-only)	\??\H:	scwg.exe
File opened (read-only)	\??\J:	scwg.exe
File opened (read-only)	\??\L:	scwg.exe
File opened (read-only)	\??\U:	scwg.exe
File opened (read-only)	\??\W:	scwg.exe
File opened (read-only)	\??\E:	scnv.exe
File opened (read-only)	\??\O:	scnv.exe
File opened (read-only)	\??\B:	scwg.exe
File opened (read-only)	\??\I:	scwg.exe
File opened (read-only)	\??\X:	scnv.exe
File opened (read-only)	\??\Y:	scnv.exe
File opened (read-only)	\??\Q:	scnv.exe
File opened (read-only)	\??\W:	scnv.exe
File opened (read-only)	\??\R:	scnv.exe
File opened (read-only)	\??\G:	scwg.exe
File opened (read-only)	\??\Q:	scwg.exe
File opened (read-only)	\??\F:	scnv.exe
File opened (read-only)	\??\R:	scwg.exe
File opened (read-only)	\??\Y:	scwg.exe
File opened (read-only)	\??\V:	scwg.exe
File opened (read-only)	\??\X:	scwg.exe
File opened (read-only)	\??\Z:	scwg.exe
File opened (read-only)	\??\K:	scnv.exe
File opened (read-only)	\??\M:	scnv.exe
File opened (read-only)	\??\U:	scnv.exe
File opened (read-only)	\??\F:	scwg.exe
File opened (read-only)	\??\S:	scwg.exe
File opened (read-only)	\??\Z:	scnv.exe

Drops file in System32 directory 64 IoCs

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe csrss.exe scnv.exelsass.exe winlogon.exe winlogon.exescwg.exeservices.exe services.exesmss.exewinlogon.exesmss.exesmss.exeParaysutki_VM_CommunityParaysutki_VM_Communitycsrss.exesmss.exe services.exesmss.exeservices.exesmss.exewinlogon.execsrss.execsrss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	scnv.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File created	\??\c:\windows\SysWOW64\CommandPrompt.Sysm	scwg.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	lsass.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	winlogon.exe
File created	\??\c:\windows\SysWOW64\Desktop.sysm	scwg.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File opened for modification	\??\c:\windows\SysWOW64\Windows 3D.scr	scwg.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	Paraysutki_VM_Community
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	csrss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	services.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	winlogon.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~	lsass.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe	smss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	scwg.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe	winlogon.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community	smss.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	services.exe
File opened for modification	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe	services.exe
File opened for modification	\??\c:\windows\SysWOW64\maxtrox.txt	csrss.exe
File created	C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe

Drops file in Program Files directory 27 IoCs

Processes:

scwg.exe

description	ioc	process
File opened for modification	\??\c:\Program Files\7-Zip\7z.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iediagcmd.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\minidump-analyzer.exe	scwg.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	scwg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-container.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnetwk.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpshare.exe	scwg.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zFM.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ielowutil.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\iexplore.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmplayer.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpnscfg.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\pingsender.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\updater.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmlaunch.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Mail\wabmig.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmprph.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Internet Explorer\ieinstal.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\setup_wm.exe	scwg.exe
File opened for modification	\??\c:\Program Files\Windows Media Player\wmpconfig.exe	scwg.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

lsass.exe smss.exe csrss.exe services.exe winlogon.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	services.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "++++ Hey, Hokage/babon (AnbuTeamSampit), Is this My places, Wanna start a War ++++"	smss.exe

Modifies registry class 64 IoCs

Processes:

scnv.exe7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exescwg.execsrss.exelsass.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe csrss.exe services.exe smss.exe winlogon.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\ = "Microsoft System Direct"	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	scwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\NeverShowExt	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	scwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\NeverShowExt	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	scwg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon\ = "c:\\windows\\SysWow64\\rasphone.exe"	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command\ = "%1"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	scnv.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\DefaultIcon	scnv.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\ = "System Mechanic"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Msd\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon\ = "c:\\windows\\SysWow64\\netsetup.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\DefaultIcon	scwg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sysm\Shell\Open\Command\ = "%1"	scwg.exe

Runs ping.exe 1 TTPs 18 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
4112	ping.exe
2624	ping.exe
4720	ping.exe
1708	ping.exe
4644	ping.exe
760	ping.exe
1844	ping.exe
5008	ping.exe
4884	ping.exe
5004	ping.exe
2556	ping.exe
4048	ping.exe
2628	ping.exe
1128	ping.exe
4428	ping.exe
1132	ping.exe
3848	ping.exe
404	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exesmss.exelsass.exe

pid	process
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
3944	csrss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
5008	smss.exe
3648	lsass.exe
3648	lsass.exe
3648	lsass.exe
3648	lsass.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

rundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

pid process

3508 rundll32.exe
4800 rundll32.exe
2776 rundll32.exe
2720 rundll32.exe
2232 rundll32.exe
4784 rundll32.exe

pid	process
3508	rundll32.exe
4800	rundll32.exe
2776	rundll32.exe
2720	rundll32.exe
2232	rundll32.exe
4784	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe scwg.execsrss.execsrss.exe csrss.execsrss.exe smss.exesmss.exescnv.exesmss.exe smss.exe lsass.execsrss.exelsass.exe csrss.exe csrss.exesmss.execsrss.exe smss.exe smss.exelsass.exelsass.exe smss.exe lsass.exeservices.exelsass.exe services.exeservices.exe services.exe csrss.exewinlogon.execsrss.exe winlogon.exe smss.exesmss.exe lsass.execsrss.exelsass.exe csrss.exe lsass.exelsass.exe winlogon.exeservices.exeservices.exeservices.exewinlogon.exesmss.exeParaysutki_VM_CommunityParaysutki_VM_Communityservices.exe winlogon.exe lsass.exewinlogon.exe services.exe services.exe winlogon.exelsass.exe smss.exe winlogon.exe winlogon.exewinlogon.exe Paraysutki_VM_Communityservices.exe

pid	process
3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
4152	scwg.exe
3944	csrss.exe
3128	csrss.exe
2220	csrss.exe
1596	csrss.exe
5008	smss.exe
5000	smss.exe
2016	scnv.exe
1532	smss.exe
1376	smss.exe
3648	lsass.exe
2060	csrss.exe
3992	lsass.exe
4240	csrss.exe
4404	csrss.exe
1200	smss.exe
2392	csrss.exe
4464	smss.exe
2188	smss.exe
4932	lsass.exe
1924	lsass.exe
3172	smss.exe
3456	lsass.exe
2028	services.exe
3148	lsass.exe
4064	services.exe
4076	services.exe
4456	services.exe
816	csrss.exe
1748	winlogon.exe
4144	csrss.exe
1152	winlogon.exe
3760	smss.exe
2720	smss.exe
4048	lsass.exe
4668	csrss.exe
2168	lsass.exe
4720	csrss.exe
2556	lsass.exe
2568	lsass.exe
3096	winlogon.exe
2588	services.exe
1256	services.exe
3996	services.exe
3576	winlogon.exe
1712	smss.exe
5012	Paraysutki_VM_Community
996	Paraysutki_VM_Community
2220	services.exe
4044	winlogon.exe
4696	lsass.exe
3392	winlogon.exe
4616	services.exe
3532	services.exe
3860	winlogon.exe
3876	lsass.exe
4552	smss.exe
1180	winlogon.exe
480	winlogon.exe
4448	winlogon.exe
4928	Paraysutki_VM_Community
2740	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe csrss.execsrss.exe csrss.exesmss.exesmss.exesmss.exe csrss.exelsass.exelsass.exe csrss.exesmss.exesmss.exe

description	pid	process	target process
PID 3484 wrote to memory of 2440	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
PID 3484 wrote to memory of 2440	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
PID 3484 wrote to memory of 2440	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
PID 3484 wrote to memory of 4152	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	scwg.exe
PID 3484 wrote to memory of 4152	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	scwg.exe
PID 3484 wrote to memory of 4152	3484	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	scwg.exe
PID 2440 wrote to memory of 3944	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	csrss.exe
PID 2440 wrote to memory of 3944	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	csrss.exe
PID 2440 wrote to memory of 3944	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	csrss.exe
PID 3944 wrote to memory of 3128	3944	csrss.exe	csrss.exe
PID 3944 wrote to memory of 3128	3944	csrss.exe	csrss.exe
PID 3944 wrote to memory of 3128	3944	csrss.exe	csrss.exe
PID 3128 wrote to memory of 2220	3128	csrss.exe	csrss.exe
PID 3128 wrote to memory of 2220	3128	csrss.exe	csrss.exe
PID 3128 wrote to memory of 2220	3128	csrss.exe	csrss.exe
PID 2220 wrote to memory of 1596	2220	csrss.exe	csrss.exe
PID 2220 wrote to memory of 1596	2220	csrss.exe	csrss.exe
PID 2220 wrote to memory of 1596	2220	csrss.exe	csrss.exe
PID 3128 wrote to memory of 5000	3128	csrss.exe	smss.exe
PID 3128 wrote to memory of 5000	3128	csrss.exe	smss.exe
PID 3128 wrote to memory of 5000	3128	csrss.exe	smss.exe
PID 2440 wrote to memory of 5008	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	smss.exe
PID 2440 wrote to memory of 5008	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	smss.exe
PID 2440 wrote to memory of 5008	2440	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe	smss.exe
PID 2220 wrote to memory of 2016	2220	csrss.exe	scnv.exe
PID 2220 wrote to memory of 2016	2220	csrss.exe	scnv.exe
PID 2220 wrote to memory of 2016	2220	csrss.exe	scnv.exe
PID 5000 wrote to memory of 1376	5000	smss.exe	smss.exe
PID 5000 wrote to memory of 1376	5000	smss.exe	smss.exe
PID 5000 wrote to memory of 1376	5000	smss.exe	smss.exe
PID 5008 wrote to memory of 1532	5008	smss.exe	smss.exe
PID 5008 wrote to memory of 1532	5008	smss.exe	smss.exe
PID 5008 wrote to memory of 1532	5008	smss.exe	smss.exe
PID 3128 wrote to memory of 3648	3128	csrss.exe	lsass.exe
PID 3128 wrote to memory of 3648	3128	csrss.exe	lsass.exe
PID 3128 wrote to memory of 3648	3128	csrss.exe	lsass.exe
PID 1532 wrote to memory of 2060	1532	smss.exe	csrss.exe
PID 1532 wrote to memory of 2060	1532	smss.exe	csrss.exe
PID 1532 wrote to memory of 2060	1532	smss.exe	csrss.exe
PID 2060 wrote to memory of 4240	2060	csrss.exe	csrss.exe
PID 2060 wrote to memory of 4240	2060	csrss.exe	csrss.exe
PID 2060 wrote to memory of 4240	2060	csrss.exe	csrss.exe
PID 3648 wrote to memory of 3992	3648	lsass.exe	lsass.exe
PID 3648 wrote to memory of 3992	3648	lsass.exe	lsass.exe
PID 3648 wrote to memory of 3992	3648	lsass.exe	lsass.exe
PID 3992 wrote to memory of 4404	3992	lsass.exe	csrss.exe
PID 3992 wrote to memory of 4404	3992	lsass.exe	csrss.exe
PID 3992 wrote to memory of 4404	3992	lsass.exe	csrss.exe
PID 1532 wrote to memory of 1200	1532	smss.exe	smss.exe
PID 1532 wrote to memory of 1200	1532	smss.exe	smss.exe
PID 1532 wrote to memory of 1200	1532	smss.exe	smss.exe
PID 4404 wrote to memory of 2392	4404	csrss.exe	csrss.exe
PID 4404 wrote to memory of 2392	4404	csrss.exe	csrss.exe
PID 4404 wrote to memory of 2392	4404	csrss.exe	csrss.exe
PID 1200 wrote to memory of 4464	1200	smss.exe	smss.exe
PID 1200 wrote to memory of 4464	1200	smss.exe	smss.exe
PID 1200 wrote to memory of 4464	1200	smss.exe	smss.exe
PID 3992 wrote to memory of 2188	3992	lsass.exe	smss.exe
PID 3992 wrote to memory of 2188	3992	lsass.exe	smss.exe
PID 3992 wrote to memory of 2188	3992	lsass.exe	smss.exe
PID 1532 wrote to memory of 4932	1532	smss.exe	lsass.exe
PID 1532 wrote to memory of 4932	1532	smss.exe	lsass.exe
PID 1532 wrote to memory of 4932	1532	smss.exe	lsass.exe
PID 2188 wrote to memory of 3172	2188	smss.exe	smss.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

smss.exe csrss.exe 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe services.exe lsass.exe winlogon.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	services.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
"C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe"
1⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
2⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2440

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3128

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1596

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scnv.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\scnv.exe" csrss
6⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3992

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2188

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3172

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3148

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4064

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1748

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1152

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4668

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4720

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1712

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4696

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3876

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2740

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
10⤵
- Loads dropped DLL
PID:4940

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
9⤵
- Loads dropped DLL
- Drops file in System32 directory
PID:4144

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
10⤵
PID:4592

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
9⤵
PID:1212

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
9⤵
- Suspicious use of FindShellTrayWindow
PID:2720

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:2556

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:4048

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
9⤵
- Runs ping.exe
PID:2624

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:2232

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:3848

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4644

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:5008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2588

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3576

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3392

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4928

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:4800

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:4428

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:404

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5008

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
4⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1532

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2060

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4240

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4464

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1924

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:2028

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
6⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:4076

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\csrss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:816

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4144

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\smss.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3760

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2720

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:3860

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1180

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:4364

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
7⤵
- Suspicious use of FindShellTrayWindow
PID:4784

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4884

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:2628

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
7⤵
- Runs ping.exe
PID:4720

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3096

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4044

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:996

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
5⤵
- Suspicious use of FindShellTrayWindow
PID:3508

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1128

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1844

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
5⤵
- Runs ping.exe
PID:1708

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\lsass.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2556

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\services.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3996

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\winlogon.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:480

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4448

C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
C:\Windows\System32\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
3⤵
- Loads dropped DLL
PID:1932

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Windows\System32\shimgvw.dll, ImageView_Fullscreen
3⤵
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\SysWOW64\ping.exe
ping www.duniasex.com -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:5004

C:\Windows\SysWOW64\ping.exe
ping www.data0.net -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:1132

C:\Windows\SysWOW64\ping.exe
ping www.rasasayang.com.my -n 65500 -l 1340
3⤵
- Runs ping.exe
PID:4112

\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exe
"c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exe" 7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931
2⤵
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4152

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Users\Admin\AppData\Local\Temp\7bbd046adb4a13bf36140fff31f72c6f64fba21035f769869318e6707c9ce931.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scnv.exe
Filesize
76KB

MD5
7dbd2b019e4fa9fd43f01d589db83cc5

SHA1
3af4da34024ce526088eef45e4b6ce5ea0da1de4

SHA256
7af3bacfbc9fac982cdf54626cb8e81263ca8c2cf181d6e1ddd2efec339d29e0

SHA512
683fad0bbab63a0c67eb5afbebd3b5a3c504f83a4951d5c18dde395393b663064aa2404e9ffd5f020f95b4f1ef3f44d99e47e937cc3fd3497506944954424704

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\scwg.exe
Filesize
76KB

MD5
163995b9609c6d6ef73a00cf382c10a3

SHA1
6de1fec4750ebd903e9d078a687ca4b7c99f7c97

SHA256
92efbdcc8f4357059cc83abeb1c7bb8a52923e7ac4a426037903b290176cd014

SHA512
31fc912a54b730044c150013c62c56a3beea915bd11c3a97a78a617e530f56f5a61a512346c95653616be6ee68ec39a4736ebef2994c75ad22a322c48e556af6

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\MSVBVM60.DLL
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\Paraysutki_VM_Community
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\csrss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\lsass.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\msvbvm60.dll
Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\services.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\smss.exe
Filesize
50KB

MD5
940d24de51296709ead002014ae37c40

SHA1
7cebaccaa9a213585f71d2a845ca7fd7d2c1cb7d

SHA256
d9afef82aafa6709ca6879cdd7915e76999bc5b150301b3ccd73d7a8ef14c3b6

SHA512
6646e85234e44185762d30705a2baf591241ae25459700f4699f3931f72d9138723aa52da6a479c72d8e9b0366892584f660b9b14f54d8672279cce7c44e7c64

Download Submit
C:\Windows\SysWOW64\~A~m~B~u~R~a~D~u~L~\winlogon.exe
Filesize
127KB

MD5
edef9434d1c31ea133af90947b2c48b1

SHA1
7e06619da46e0ed38675e64660aa96f156c264a6

SHA256
1b8e63ba2e6204228b3100db72e48518075175c0e9aedb368dd36f08367d93f0

SHA512
3f1c21d8d0b2e0b52ba06b9d294c9b5fa51c63a200a6142dd721f3c559d1da629c406dfcff26078a45eb716e26b32b465d30c34b35b1c152472dc1e5adedc7bd

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scnv.exe
Filesize
76KB

MD5
7dbd2b019e4fa9fd43f01d589db83cc5

SHA1
3af4da34024ce526088eef45e4b6ce5ea0da1de4

SHA256
7af3bacfbc9fac982cdf54626cb8e81263ca8c2cf181d6e1ddd2efec339d29e0

SHA512
683fad0bbab63a0c67eb5afbebd3b5a3c504f83a4951d5c18dde395393b663064aa2404e9ffd5f020f95b4f1ef3f44d99e47e937cc3fd3497506944954424704

Download Submit
\??\c:\Documents and Settings\Admin\Application Data\Microsoft\scwg.exe
Filesize
76KB

MD5
163995b9609c6d6ef73a00cf382c10a3

SHA1
6de1fec4750ebd903e9d078a687ca4b7c99f7c97

SHA256
92efbdcc8f4357059cc83abeb1c7bb8a52923e7ac4a426037903b290176cd014

SHA512
31fc912a54b730044c150013c62c56a3beea915bd11c3a97a78a617e530f56f5a61a512346c95653616be6ee68ec39a4736ebef2994c75ad22a322c48e556af6

Download Submit
\??\c:\windows\SysWOW64\CommandPrompt.Sysm
Filesize
76KB

MD5
a3e1053f0a77f0c52e2a1350fcae5749

SHA1
2b5e61ac2aa96ef4f2500e28aff327973d6f3c37

SHA256
28137993a8b69933493fc96744f553c71a2575d65d92a30541db98c716753d66

SHA512
eb1f3cfbd7fe8f6671096a7fd6b3f3224cfdef374c4f06766ead22a290de2385da4bf46342f8ddc8981ddab956ccb6a38b87e60347291dcd1a0844d54fcfeffb

Download Submit
\??\c:\windows\SysWOW64\Desktop.sysm
Filesize
76KB

MD5
a3e1053f0a77f0c52e2a1350fcae5749

SHA1
2b5e61ac2aa96ef4f2500e28aff327973d6f3c37

SHA256
28137993a8b69933493fc96744f553c71a2575d65d92a30541db98c716753d66

SHA512
eb1f3cfbd7fe8f6671096a7fd6b3f3224cfdef374c4f06766ead22a290de2385da4bf46342f8ddc8981ddab956ccb6a38b87e60347291dcd1a0844d54fcfeffb

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
513f33994010d14e9127bad521f234c9

SHA1
6343bff7557709e2d9d5dace65b6328d3bcc201e

SHA256
023b1d7e3039d3d6d08e3a87691bf5a3d5842ea25ad520326cca9f1320d20b66

SHA512
c9c4ce47587cec5915471ae97c1463169205d5cd0e659d7af428faf1bcd5a37e499318ac345b600a347c6f015c8a9f0c055f092a03d3e036ecaa9e5c8963d80e

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
7dbd2b019e4fa9fd43f01d589db83cc5

SHA1
3af4da34024ce526088eef45e4b6ce5ea0da1de4

SHA256
7af3bacfbc9fac982cdf54626cb8e81263ca8c2cf181d6e1ddd2efec339d29e0

SHA512
683fad0bbab63a0c67eb5afbebd3b5a3c504f83a4951d5c18dde395393b663064aa2404e9ffd5f020f95b4f1ef3f44d99e47e937cc3fd3497506944954424704

Download Submit
\??\c:\windows\SysWOW64\Windows 3D.scr
Filesize
76KB

MD5
a3e1053f0a77f0c52e2a1350fcae5749

SHA1
2b5e61ac2aa96ef4f2500e28aff327973d6f3c37

SHA256
28137993a8b69933493fc96744f553c71a2575d65d92a30541db98c716753d66

SHA512
eb1f3cfbd7fe8f6671096a7fd6b3f3224cfdef374c4f06766ead22a290de2385da4bf46342f8ddc8981ddab956ccb6a38b87e60347291dcd1a0844d54fcfeffb

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
\??\c:\windows\SysWOW64\maxtrox.txt
Filesize
8B

MD5
24865ca220aa1936cbac0a57685217c5

SHA1
37f687cafe79e91eae6cbdffbf2f7ad3975f5e83

SHA256
841e95fa333ed89085bfbab19bb658d96ed0c837d25721411233fa55c860c743

SHA512
c8d3f514c72f48fed5de9582c4252cf5466a9d32866d8df3631ba9274ed734bb95139e4909e8116a10947fc1afa1dbeb33809da6ec050e6e4eb83d5241aeb062

Download Submit
memory/480-400-0x0000000000000000-mapping.dmp

Download
memory/816-300-0x0000000000000000-mapping.dmp

Download
memory/996-354-0x0000000000000000-mapping.dmp

Download
memory/1152-348-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1152-452-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1152-312-0x0000000000000000-mapping.dmp

Download
memory/1152-323-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-402-0x0000000000000000-mapping.dmp

Download
memory/1180-416-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1180-431-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1200-243-0x0000000000000000-mapping.dmp

Download
memory/1256-350-0x0000000000000000-mapping.dmp

Download
memory/1376-214-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1376-201-0x0000000000000000-mapping.dmp

Download
memory/1532-224-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-453-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1532-202-0x0000000000000000-mapping.dmp

Download
memory/1596-179-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1596-173-0x0000000000000000-mapping.dmp

Download
memory/1596-180-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1712-351-0x0000000000000000-mapping.dmp

Download
memory/1748-307-0x0000000000000000-mapping.dmp

Download
memory/1924-275-0x0000000000000000-mapping.dmp

Download
memory/1924-280-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2016-191-0x0000000000000000-mapping.dmp

Download
memory/2028-282-0x0000000000000000-mapping.dmp

Download
memory/2060-216-0x0000000000000000-mapping.dmp

Download
memory/2168-372-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2168-331-0x0000000000000000-mapping.dmp

Download
memory/2168-337-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2188-265-0x0000000000000000-mapping.dmp

Download
memory/2220-368-0x0000000000000000-mapping.dmp

Download
memory/2220-422-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2220-167-0x0000000000000000-mapping.dmp

Download
memory/2220-433-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2232-423-0x0000000000000000-mapping.dmp

Download
memory/2392-266-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2392-249-0x0000000000000000-mapping.dmp

Download
memory/2392-261-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2440-140-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2440-134-0x0000000000000000-mapping.dmp

Download
memory/2440-451-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2440-138-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2556-339-0x0000000000000000-mapping.dmp

Download
memory/2568-383-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2568-342-0x0000000000000000-mapping.dmp

Download
memory/2568-345-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2588-346-0x0000000000000000-mapping.dmp

Download
memory/2720-322-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2720-319-0x0000000000000000-mapping.dmp

Download
memory/2740-424-0x0000000000000000-mapping.dmp

Download
memory/3096-347-0x0000000000000000-mapping.dmp

Download
memory/3128-178-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3128-454-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3128-156-0x0000000000000000-mapping.dmp

Download
memory/3148-294-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3148-286-0x0000000000000000-mapping.dmp

Download
memory/3148-291-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-281-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3172-274-0x0000000000000000-mapping.dmp

Download
memory/3392-411-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-428-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3392-380-0x0000000000000000-mapping.dmp

Download
memory/3456-283-0x0000000000000000-mapping.dmp

Download
memory/3532-430-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-413-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3532-387-0x0000000000000000-mapping.dmp

Download
memory/3576-353-0x0000000000000000-mapping.dmp

Download
memory/3648-215-0x0000000000000000-mapping.dmp

Download
memory/3760-314-0x0000000000000000-mapping.dmp

Download
memory/3860-384-0x0000000000000000-mapping.dmp

Download
memory/3876-415-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3876-389-0x0000000000000000-mapping.dmp

Download
memory/3876-425-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3944-148-0x0000000000000000-mapping.dmp

Download
memory/3992-263-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3992-229-0x0000000000000000-mapping.dmp

Download
memory/3992-450-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3996-352-0x0000000000000000-mapping.dmp

Download
memory/4044-367-0x0000000000000000-mapping.dmp

Download
memory/4044-427-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4044-421-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4044-375-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4048-324-0x0000000000000000-mapping.dmp

Download
memory/4064-292-0x0000000000000000-mapping.dmp

Download
memory/4076-325-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4076-455-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4076-293-0x0000000000000000-mapping.dmp

Download
memory/4144-313-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4144-306-0x0000000000000000-mapping.dmp

Download
memory/4152-141-0x0000000000000000-mapping.dmp

Download
memory/4240-228-0x0000000000000000-mapping.dmp

Download
memory/4240-242-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4404-239-0x0000000000000000-mapping.dmp

Download
memory/4448-408-0x0000000000000000-mapping.dmp

Download
memory/4448-426-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4448-417-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4456-299-0x0000000000000000-mapping.dmp

Download
memory/4456-304-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4464-267-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4464-256-0x0000000000000000-mapping.dmp

Download
memory/4464-264-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-432-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-414-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4552-390-0x0000000000000000-mapping.dmp

Download
memory/4592-447-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4616-429-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4616-412-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4616-385-0x0000000000000000-mapping.dmp

Download
memory/4668-326-0x0000000000000000-mapping.dmp

Download
memory/4696-376-0x0000000000000000-mapping.dmp

Download
memory/4720-338-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4720-371-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4720-332-0x0000000000000000-mapping.dmp

Download
memory/4928-418-0x0000000000000000-mapping.dmp

Download
memory/4932-270-0x0000000000000000-mapping.dmp

Download
memory/4940-442-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5000-181-0x0000000000000000-mapping.dmp

Download
memory/5008-182-0x0000000000000000-mapping.dmp

Download
memory/5012-349-0x0000000000000000-mapping.dmp

Download